Upgrade from v15 to v16 causes failure to login

Hi Guys,

I originally posted this on GitHub, but was told to post here instead. I would really appreciate any light anyone can shine on this issue. 🙂
Thanks!

Steps to reproduce

1. Upgrade to v16 from v15 (using LDAP auth, nginx webserver, php7.2)

Expected behaviour

The login page will display an error for invalid passwords and, for correct passwords, will allow you to log in.

Actual behaviour

The page simply refreshes when credentials are added. No logs are printed in nextcloud.log, and no webserver/php logs are printed either. However, notifications seem to still be working.

Server configuration

Operating system:
CentOS 7.6
Web server:
Nginx:

nginx version: nginx/1.16.0 (packages.exove.com: SSE2, openssl-1.1.1b, PCRE JIT, TCP Fast Open)
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC) 
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-pcre=../pcre-8.43 --with-pcre-jit --with-pcre-opt=-fPIC --with-openssl=../openssl-1.1.1b --with-libatomic --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --build='packages.exove.com: SSE2, openssl-1.1.1b, PCRE JIT, TCP Fast Open' --with-openssl-opt=no-dtls --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC -mmmx -msse -msse2 -DTCP_FASTOPEN=23' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Database:
MariaDB 10.1.38-1.el7

PHP version:
PHP 7.2.17 (cli) (built: Apr 3 2019 10:02:16) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.2.17, Copyright © 1999-2018, by Zend Technologies

Nextcloud version: (see Nextcloud admin page)
16.0.0.9

Updated from an older Nextcloud/ownCloud or fresh install:
Upgrade from Nextcloud v15 (latest stable build, can’t remember which version)

Where did you install Nextcloud from:
Using built-in updater via php command line. Also attempted to install using bz2 archive, with same results.

Signing status:
Cannot access signing status, as login fails. I have repaired using occ, with no change.

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

List of activated apps:

App list
Enabled:
  - accessibility: 1.2.0
  - activity: 2.9.1
  - admin_audit: 1.6.0
  - bruteforcesettings: 1.3.0
  - camerarawpreviews: 0.6.5
  - cloud_federation_api: 0.2.0
  - comments: 1.6.0
  - contacts: 3.1.1
  - dav: 1.9.2
  - deck: 0.6.0
  - federatedfilesharing: 1.6.0
  - federation: 1.6.0
  - files: 1.11.0
  - files_external: 1.7.0
  - files_frommail: 0.2.0
  - files_pdfviewer: 1.5.0
  - files_rightclick: 0.13.0
  - files_sharing: 1.8.0
  - files_texteditor: 2.8.0
  - files_trashbin: 1.6.0
  - files_versions: 1.9.0
  - files_videoplayer: 1.5.0
  - firstrunwizard: 2.5.0
  - gallery: 18.3.0
  - groupfolders: 3.0.0
  - logreader: 2.1.0
  - lookup_server_connector: 1.4.0
  - nextcloud_announcements: 1.5.0
  - notifications: 2.4.1
  - oauth2: 1.4.2
  - password_policy: 1.6.0
  - privacy: 1.0.0
  - provisioning_api: 1.6.0
  - recommendations: 0.4.0
  - serverinfo: 1.6.0
  - sharebymail: 1.6.0
  - social: 0.1.4
  - socialsharing_email: 1.0.5
  - socialsharing_facebook: 1.0.4
  - socialsharing_twitter: 1.0.4
  - support: 1.0.0
  - survey_client: 1.4.0
  - systemtags: 1.6.0
  - theming: 1.7.0
  - twofactor_backupcodes: 1.5.0
  - twofactor_totp: 2.1.2
  - twofactor_u2f: 2.1.3
  - unsplash: 1.1.3
  - updatenotification: 1.6.0
  - user_ldap: 1.6.0
  - viewer: 1.0.0
  - workflowengine: 1.6.0
Disabled:
  - calendar
  - dropit
  - encryption
  - files_downloadactivity
  - mail
  - ownbackup
  - spreed
  - tasks

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Nextcloud configuration:

Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or 

Insert your config.php content here. 
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)
[root@cloud nextcloud]# sudo -u nginx php occ config:list system
{
    "system": {
        "trusted_domains": [
            "blah.blah"
        ],
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/blah.blah",
        "dbtype": "mysql",
        "version": "16.0.0.9",
        "logtimezone": "America\/Toronto",
        "ldapIgnoreNamingRules": false,
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "loglevel": 2,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "appstore.experimental.enabled": true,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpauthtype": "LOGIN",
        "app.mail.accounts.default": {
            "email": "%EMAIL%",
            "imapHost": "mail.blah.blah",
            "imapPort": 143,
            "imapUser": "%EMAIL%",
            "imapSslMode": "tls",
            "smtpHost": "mail.blah.blah",
            "smtpPort": 587,
            "smtpUser": "%EMAIL%",
            "smtpSslMode": "tls"
        },
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "mysql.utf8mb4": true,
        "updater.release.channel": "daily"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/…
No
Are you using encryption: yes/no
No
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
LDAP (Active Directory)

LDAP configuration (delete this part if not used)

LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

+------------------------------+------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+------------------------------+------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | CN=cloud,CN=Users,DC=adx,DC=blah,DC=net |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | prod-dc2.adx.blah.net |
| ldapBackupPort | 389 |
| ldapBase | DC=adx,DC=blah,DC=net |
| ldapBaseGroups | DC=adx,DC=blah,DC=net |
| ldapBaseUsers | DC=adx,DC=blah,DC=net |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | samAccountName |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))(|(cn=Domain Admins)(cn=Domain Users))) |
| ldapGroupFilterGroups | Domain Admins;Domain Users |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | gidNumber |
| ldapHost | prod-dc1.adx.blah.net |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=user))(|(|(memberof=CN=Domain Users,CN=Users,DC=adx,DC=blah,DC=net)(primaryGroupID=513)))) |
| ldapUserFilterGroups | Domain Users |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+------------------------------+------------------------------------------------------------------------------------------------------------------+

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:
Google Chrome 74.0.3729.108
Operating system:
Fedora 29

Logs

Web server error log

No logs written in error.log during test. Access log shows the following:
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4106 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4105 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - lizzy [29/Apr/2019:12:43:47 -0400] "PROPFIND /remote.php/dav/files/lizzy/ HTTP/2.0" 207 386 "-" "Mozilla/5.0 (Windows) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.16.21.1 - - [29/Apr/2019:12:43:48 -0400] "GET /api/v1/instance HTTP/1.1" 302 5 "-" "MastoPeek v0.7.2 - https://mastopeek.app-dist.eu" "-"
172.16.21.1 - - [29/Apr/2019:12:43:48 -0400] "GET /login HTTP/1.1" 200 2035 "-" "MastoPeek v0.7.2 - https://mastopeek.app-dist.eu" "-"
^C

My nginx config is as follows:

upstream php-handler {
    server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name blah.blah www.blah.blah cloud.blah.blah;
    root /var/www/html;
    location ~ /.well-known {
        allow all;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name blah.blah;

    ssl_certificate /etc/letsencrypt/live/blah.blah/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blah.blah/privkey.pem;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

    ssl_session_cache shared:TLS:2m;
    ssl_buffer_size 4k;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;

    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

#    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    client_max_body_size 8192M;
    fastcgi_buffers 64 4K;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }

#    location ^~ /data {
#	internal;
#	alias /var/www/data;
#    }
}

Nextcloud log (data/nextcloud.log)

No logs written during test.

Browser log

content.js:4 [Deprecation] chrome.loadTimes() is deprecated, instead use standardized API: nextHopProtocol in Navigation Timing 2. https://www.chromestatus.com/features/5637885046816768.
(anonymous) @ content.js:4
content.js:5 [Deprecation] chrome.loadTimes() is deprecated, instead use standardized API: nextHopProtocol in Navigation Timing 2. https://www.chromestatus.com/features/5637885046816768.
(anonymous) @ content.js:5
main.js?v=a2be8d33-41:278 JQMIGRATE: Migrate is installed, version 1.4.1
DevTools failed to parse SourceMap: https://blah.blah/core/js/dist/main.js.map
onloadwff.js:71 [Violation] 'setTimeout' handler took 58ms
DevTools failed to parse SourceMap: https://blah.blah/core/js/dist/share_backend.js.map
DevTools failed to parse SourceMap: https://blah.blah/apps/files_videoplayer/js/main.js.map

Hi and welcome to the Forum,

I haven’t used ldap myself yet, so I don’t have an idea directly if this might rather be an ldap issue or another configuration issue with other software.
Can you check your system logs (and maybe ldap log?) for any error messages?

Have you made any changes to your server right before? If so, can you check if everything works fine there?

In other reports here on the forum, there have been very different reasons so far. For example: