I can't modify the LDAP / Activedirectory password from Nextcloud #19445

Closed
stefanoklett opened this issue Feb 12, 2020 · 3 comments
Labels: 0. Needs triage, bug

Comments

@stefanoklett

Steps to reproduce

  1. Log in
  2. Go to Settings
  3. Security
  4. Try to change the password
  5. Result: "Password errata" ("Wrong password")

Expected behaviour

The password will be changed!

Actual behaviour

Error, and the password has not been modified

In the LDAP config I enabled the option to modify the password:
Enable per-user LDAP password changes (the new password is sent in plain text to LDAP)

Server configuration

Operating system:
DMS 6.2.2-24922 Update 5

Web server:
Apache HTTP Server 2.4

Database:
MariaDB 10

PHP version:
PHP 7.3

Nextcloud version:
18.0.0

Updated from an older Nextcloud/ownCloud or fresh install:
fresh install

Where did you install Nextcloud from:
https://nextcloud.com/install/#instructions-server

Signing status:

No errors have been found.

**List of activated apps:**
<details>
<summary>App list (occ app:list)</summary>

```text
Enabled:
  - accessibility: 1.4.0
  - activity: 2.11.0
  - bruteforcesettings: 1.5.0
  - cloud_federation_api: 1.1.0
  - comments: 1.8.0
  - dav: 1.14.0
  - external: 3.5.0
  - federatedfilesharing: 1.8.0
  - federation: 1.8.0
  - files: 1.13.1
  - files_external: 1.9.0
  - files_pdfviewer: 1.7.0
  - files_rightclick: 0.15.2
  - files_sharing: 1.10.1
  - files_trashbin: 1.8.0
  - files_versions: 1.11.0
  - files_videoplayer: 1.7.0
  - firstrunwizard: 2.7.0
  - logreader: 2.3.0
  - lookup_server_connector: 1.6.0
  - nextcloud_announcements: 1.7.0
  - notifications: 2.6.0
  - oauth2: 1.6.0
  - password_policy: 1.8.0
  - photos: 1.0.0
  - privacy: 1.2.0
  - provisioning_api: 1.8.0
  - recommendations: 0.6.0
  - serverinfo: 1.8.0
  - settings: 1.0.0
  - sharebymail: 1.8.0
  - support: 1.1.0
  - survey_client: 1.6.0
  - systemtags: 1.8.0
  - text: 2.0.0
  - theming: 1.9.0
  - twofactor_backupcodes: 1.7.0
  - twofactor_totp: 4.1.2
  - updatenotification: 1.8.0
  - user_ldap: 1.8.0
  - viewer: 1.2.0
  - workflowengine: 2.0.0
Disabled:
  - admin_audit
  - encryption
```

</details>

**Nextcloud configuration:**
<details>
<summary>Config report</summary>

```text
Security & setup warnings
It's important for the security and performance of your instance that everything is configured correctly. To help you with that we are doing some automatic checks. Please see the linked documentation for more information.

There are some warnings regarding your setup.
No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.
This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.
imagick
Please double check the installation guides, and check for any errors or warnings in the log.

Check the security of your Nextcloud with our security scan

Version
Nextcloud 18.0.0

Your version is up to date. Update channel: Stable
You can always update to a newer version. But you can never downgrade to an older version.
Note that after a new release it can take some time before it shows up here. We roll out new versions spread out over time to our users and sometimes skip a version when issues are found.

Notify members of the following groups about available updates:
admin
```

Output of `occ config:list system` (sensitive values removed):
```json
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "connect.stek.ch"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "18.0.0.10",
        "overwrite.cli.url": "https\/\/connect.stek.ch",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_sendmailmode": "smtp",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": []
    }
}
```
</details>

**Are you using external storage, if yes which one:**
SMB

**Are you using encryption:**
NO

**Are you using an external user-backend, if yes which one:**
LDAP/ActiveDirectory

#### LDAP configuration
<details>
<summary>LDAP config</summary>

```text
| Configuration                 | s01 |
|-------------------------------|-----|
| hasMemberOfFilterSupport      | 1 |
| homeFolderNamingRule          | |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | CN=Administrator,CN=Users,DC=stek,DC=home |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  | |
| ldapAttributesForUserSearch   | |
| ldapBackupHost                | |
| ldapBackupPort                | |
| ldapBase                      | DC=stek,DC=home |
| ldapBaseGroups                | DC=stek,DC=home |
| ldapBaseUsers                 | DC=stek,DC=home |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          | |
| ldapDynamicGroupMemberURL     | |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       | |
| ldapExpertUUIDUserAttr        | |
| ldapExpertUsernameAttr        | |
| ldapExtStorageHomeAttribute   | |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=Cloud)(cn=Users))) |
| ldapGroupFilterGroups         | Cloud;Users |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    | group |
| ldapGroupMemberAssocAttr      | member |
| ldapHost                      | ldaps://nas01.stek.home |
| ldapIgnoreNamingRules         | |
| ldapLoginFilter               | (&(&(|(objectclass=person))(|(|(memberof=CN=Users,CN=Builtin,DC=stek,DC=home)(primaryGroupID=545))(|(memberof=CN=Cloud,CN=Users,DC=stek,DC=home)(primaryGroupID=1111))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes     | |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 1 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        | |
| ldapPagingSize                | 500 |
| ldapPort                      | 636 |
| ldapQuotaAttribute            | |
| ldapQuotaDefault              | |
| ldapTLS                       | 0 |
| ldapUserAvatarRule            | default |
| ldapUserDisplayName           | cn |
| ldapUserDisplayName2          | |
| ldapUserFilter                | (&(|(objectclass=person))(|(|(memberof=CN=Users,CN=Builtin,DC=stek,DC=home)(primaryGroupID=545))(|(memberof=CN=Cloud,CN=Users,DC=stek,DC=home)(primaryGroupID=1111)))) |
| ldapUserFilterGroups          | Users;Cloud |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     | person |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 1 |
| useMemberOfToDetectMembership | 1 |
```

Client configuration

Browser:

Google Chrome 79.0.3945.130 (Official Build) (64-bit) (cohort: Stable)

Operating system:
Windows 10

Logs

Web server error log
<details>
<summary>Web server error log</summary>

No log entries during this command.

```text
Warning core Login failed: '3FC55926-BF6F-429D-88EB-487D93590EDE' (Remote IP: '178.39.238.12')   2020-02-12T21:02:23+0100
Warning core Login failed: '3FC55926-BF6F-429D-88EB-487D93590EDE' (Remote IP: '178.39.238.12')   2020-02-12T21:01:38+0100
```

</details>

Nextcloud log (data/nextcloud.log)
<details>
<summary>Nextcloud log</summary>

No log entries during this command.

</details>

#### Browser log
<details>
<summary>Browser log</summary>

No log entries during this command.

</details>
@Luticus

Luticus commented May 11, 2020

I have a similar problem: when I create a new account, send the user the credentials for the first time and then tell them to change their password, it says wrong password.
(screenshot: ldappw)

This is an LDAP account with up-to-date nextcloud and ldap applications. Oddly this doesn't seem to happen with all ldap accounts, only new ones and I'm not sure what the common factor is just yet.

@Luticus

Luticus commented May 11, 2020

For me, at least, it appears that the issue only occurred when users were mapped to their random uid string (xxxxx-xxx-xxx-xxx-xxxxxxxx, something that looked like that). When I created a user with the LDAP write app enabled and "A random userid has to be generated" unchecked, it worked fine. Users were able to change their passwords.

I don't know if it is advisable, but you can remap your users to whatever the LDAP uid is by going into the database and altering the `owncloud_name` column in the `oc_ldap_user_mapping` table. You can use a command like:

```sql
UPDATE oc_ldap_user_mapping SET owncloud_name="username" WHERE ldap_dn="cn=ldap,dc=domain,dc=com";
```

for each user. This doesn't seem to have any negative consequences and works around the issue for now. Obviously, be VERY careful doing this; maybe make a database backup before you do, or at least export the table.
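
The remap described in the comment above, as an added example that is not code from this thread or from the Nextcloud project. It rebuilds a simplified `oc_ldap_user_mapping` (same column names as Nextcloud's table, but constructed rows and in-memory sqlite in place of MariaDB) and shows two things. First, why a UUID-style internal id is a problem when the old password is verified: Nextcloud substitutes the id it is given for `%uid` in `ldapLoginFilter`, and a UUID matches no `samaccountname`, so the search finds nothing whatever the password was. That is my reading of the `Login failed: '3FC55926-...'` lines in the report together with the UUID observation above, not a conclusion the thread itself states. Second, the `UPDATE` itself, with the checks a practitioner would want around it: a snapshot of the table taken first, a refusal when the target name is already mapped to another DN (a collision would merge two directory users into one Nextcloud account), and a transaction so a failure rolls back. The login filter is a shortened stand-in for the one in the report, the DNs and names are invented, and the escaping follows RFC 4515. Assumes Python 3.9 or newer, standard library only.

```python
"""Added example (not Nextcloud code): simulate the oc_ldap_user_mapping remap
from the comment above, with the safety checks a practitioner would add."""
import sqlite3
import uuid

# Constructed sample rows: (ldap_dn, owncloud_name, directory_uuid).
# Alice carries a UUID-style internal id, like the one in the report's
# "Login failed" lines; Bob was mapped by his login name.
SAMPLE_MAPPING = [
    ("CN=Alice,CN=Users,DC=example,DC=home",
     "3fc55926-bf6f-429d-88eb-487d93590ede",
     "3fc55926-bf6f-429d-88eb-487d93590ede"),
    ("CN=Bob,CN=Users,DC=example,DC=home",
     "bob",
     "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d"),
]

# Shortened stand-in for the report's ldapLoginFilter: Nextcloud replaces
# %uid with the login name before searching the directory.
LOGIN_FILTER = "(&(objectclass=person)(samaccountname=%uid))"

# RFC 4515 escapes so a login name cannot alter the filter structure.
_FILTER_ESCAPES = {
    ord("\\"): "\\5c", ord("*"): "\\2a", ord("("): "\\28",
    ord(")"): "\\29", ord("\0"): "\\00",
}


def expand_login_filter(template: str, uid: str) -> str:
    """Return the filter that would be sent to LDAP for this uid (escaped)."""
    return template.replace("%uid", uid.translate(_FILTER_ESCAPES))


def is_uuid_style(name: str) -> bool:
    """True for a canonical hyphenated UUID, i.e. a 'random userid' mapping."""
    try:
        return str(uuid.UUID(name)) == name.lower()
    except ValueError:
        return False


def build_mapping_db() -> sqlite3.Connection:
    """In-memory table using the column names of oc_ldap_user_mapping."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE oc_ldap_user_mapping ("
        " ldap_dn TEXT PRIMARY KEY,"
        " owncloud_name TEXT NOT NULL UNIQUE,"
        " directory_uuid TEXT NOT NULL)"
    )
    con.executemany("INSERT INTO oc_ldap_user_mapping VALUES (?, ?, ?)",
                    SAMPLE_MAPPING)
    con.commit()
    return con


def uuid_mapped_users(con: sqlite3.Connection) -> list[tuple[str, str]]:
    """(ldap_dn, owncloud_name) for every user still mapped to a UUID-style id."""
    rows = con.execute("SELECT ldap_dn, owncloud_name FROM oc_ldap_user_mapping"
                       " ORDER BY ldap_dn")
    return [(dn, name) for dn, name in rows if is_uuid_style(name)]


def export_mapping(con: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Snapshot of the table to keep before touching it (mysqldump in real life)."""
    return con.execute("SELECT ldap_dn, owncloud_name, directory_uuid"
                       " FROM oc_ldap_user_mapping ORDER BY ldap_dn").fetchall()


def remap_user(con: sqlite3.Connection, ldap_dn: str, new_name: str) -> str:
    """Point owncloud_name at new_name for one DN; return the previous name.

    Runs inside a transaction and refuses a name already held by another DN,
    so a typo cannot merge two directory users into one Nextcloud account.
    """
    with con:  # commits on success, rolls back on any exception
        row = con.execute("SELECT owncloud_name FROM oc_ldap_user_mapping"
                          " WHERE ldap_dn = ?", (ldap_dn,)).fetchone()
        if row is None:
            raise LookupError(f"no mapping row for {ldap_dn}")
        clash = con.execute("SELECT 1 FROM oc_ldap_user_mapping"
                            " WHERE owncloud_name = ? AND ldap_dn <> ?",
                            (new_name, ldap_dn)).fetchone()
        if clash is not None:
            raise ValueError(f"{new_name!r} is already mapped to another DN")
        con.execute("UPDATE oc_ldap_user_mapping SET owncloud_name = ?"
                    " WHERE ldap_dn = ?", (new_name, ldap_dn))
    return row[0]


if __name__ == "__main__":
    con = build_mapping_db()
    for dn, name in uuid_mapped_users(con):
        # With a UUID in %uid the samaccountname clause can never match.
        print("would search:", expand_login_filter(LOGIN_FILTER, name))
    backup = export_mapping(con)
    old = remap_user(con, "CN=Alice,CN=Users,DC=example,DC=home", "alice")
    print(f"remapped {old!r} -> 'alice'; snapshot rows kept: {len(backup)}")
    print("after:", expand_login_filter(LOGIN_FILTER, "alice"))
```

One caveat beyond what the comment says: the internal id in `owncloud_name` is also the key Nextcloud uses for the user's home storage, preferences and shares, so renaming an account that already holds data leaves those rows pointing at the old id. The comment's observation that nothing broke is consistent with accounts that were just created and had no data yet; on an older account, check those tables before and after, and keep the export.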

@blizzz
Member

blizzz commented May 25, 2020

duplicate of #10809

@blizzz blizzz closed this as completed May 25, 2020