Unable to create a user without a password (NextCloud 21.0.3)

Nextcloud version (eg, 20.0.5): 21.0.3
Operating system and version (eg, Ubuntu 20.04): Debian GNU/Linux 10 (buster)
Apache or nginx version (eg, Apache 2.4.25): Apache HTTP 2.4.38-3+deb10u5
PHP version (eg, 7.4): 7.3.29-1~deb10u1


First of all, thank you for this great tool that is NextCloud!

We wish to create new user accounts without defining passwords, so the mail sent to new users contains a link for them to set their password themselves.

According to this topic, it should be possible to do so if we create a user without a password:

But when we do it, the request is sent to the server and we get a bad request from the API because the password is empty.

Is this the first time you’ve seen this error? (Y/N): Yes (first time tried)

Steps to replicate it:

  1. Connect to the web Front-End of NextCloud
  2. Go to: Users > New user
  3. Try to create a user with a login, username and mail but no password

The output of the Nextcloud log in Admin > Logging:

[ocs_api] Error: InvalidArgumentException: Un mot de passe valide doit être saisi at <<closure>>

0. /var/www/nextcloud/lib/private/User/Manager.php line 396
   OC\User\Manager->createUserFromBackend("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***", OC\User\Database {})
1. /var/www/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php line 412
   OC\User\Manager->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
2. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 218
   OCA\Provisioning_API\Controller\UsersController->addUser("*** sensitive parameters replaced ***")
3. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 127
   OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisioning ... {}, "addUser")
4. /var/www/nextcloud/lib/private/AppFramework/App.php line 157
   OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisioning ... {}, "addUser")
5. /var/www/nextcloud/lib/private/Route/Router.php line 302
   OC\AppFramework\App::main("OCA\\Provisioni ... r", "addUser", OC\AppFramework\ ... {}, {_route: "ocs.pr ... "})
6. /var/www/nextcloud/ocs/v1.php line 63
7. /var/www/nextcloud/ocs/v2.php line 24

POST /ocs/v2.php/cloud/users
from by ncadmin at 2021-12-03T11:05:24+00:00

When I look in lib/private/User/Manager.php, it seems that a password is always required no matter what.

Is the answer in my linked topic obsolete?

Thank you in advance!

Creating accounts without password is a lack of security.

How to invite new users with a mail containing the initial password:

Hello Mornsgrans, thank you for your answer.

Are you referring to this part of the documentation:

Set the Send email to new user-checkbox allows you to leave the Password field empty. The user will get an activation-email to set their own password.

If that is the case, it is in this setup that I get the bad request error (with an empty password field), even though I checked Send email to new user.

By the way, I don’t have this message “When the password of a new user is left empty…” in the settings dialog. Am I missing a configuration variable?

I don’t see this message in the code either:

Is it an Enterprise feature?

Alright, found it.

At first, a password is generated with GenerateSecurePasswordEvent, as seen here:

If null, it will fallback to a 10 characters password generation.
But if in Settings > Security > Minimal password length we have 0 configured, the generated password is an empty string, which is then passed to UserManager which considers an empty string as “no password” and throws an exception.

To fix it, you have to set a minimal password length greater than 0.
I will open a GitHub issue for the test to see if it should include || $password === '' (link).

As to why we can no longer see the “When the password of a new user is left empty…” message, it is because the documentation page is based on NextCloud 13- (before the PHP → Vue switch).

1 Like