[Bug]: Crash when ldap login filter does not contain `%uid`

[Fregf]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

I want to import users from LDAP, but let them log in via OpenID Connect (Keycloak), hence I want to disable login via LDAP. To do so, I went to the third tab Login Attributes in the LDAP/AD integration administration settings, and unchecked both options LDAP/AD username and LDAP/AD e-mail address. The LDAP filter then became " LDAP Filter: (&(|(objectclass=gosaAccount)))", and from that moment on, any request to Nextcloud fails with this error:

Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.

Nextcloud log says:

{"reqId":"ANQKJ8MGTgb7AKu2KO9H","level":2,"time":"May 20, 2023 21:14:26","remoteAddr":"xxx","user":"foo","app":"user_ldap","method":"GET","url":"/settings/admin/ldap","message":"Configuration Error (prefix s01): login filter does not contain %uid place holder.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0","version":"26.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"ANQKJ8MGTgb7AKu2KO9H","level":2,"time":"May 20, 2023 21:14:26","remoteAddr":"xxx","user":"foo","app":"user_ldap","method":"GET","url":"/settings/admin/ldap","message":"Configuration is invalid, cannot connect","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0","version":"26.0.1.1","data":{"app":"user_ldap"}}

The only way to make Nextcloud work again is to execute this SQL query: update oc_appconfig set configvalue='(&(|(objectclass=gosaAccount))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))' where configkey='s01ldap_login_filter';

Steps to reproduce

Prerequisite: working setup where users can log in via their LDAP account.

1. Log in as administrator
2. Go in the menu Administration Settings
3. Go to LDAP/AD integration
4. Click on the third tab Login Attributes
5. Disable both LDAP/AD username and LDAP/AD e-mail address

Expected behavior

Users cannot log in with their LDAP account, but their username and groups taken from the LDAP are still present in Nextcloud

Installation method

Other Community project

Nextcloud Server version

26

Operating system

Debian/Ubuntu

PHP engine version

Other

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• [ ] Default user-backend (database)
• [X] LDAP/ Active Directory
• [ ] SSO - SAML
• [X] Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxx.xxx.xxx.xxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "debug": false,
        "version": "26.0.1.1",
        "overwrite.cli.url": "https:\/\/cloud.example.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "htaccess.RewriteBase": "\/",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "overwritehost": "cloud.example.com",
        "overwriteprotocol": "https",
        "skeletondirectory": "",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "AI",
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "default_phone_region": "BE",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "log_type": "file",
        "logfile": "\/var\/www\/nextcloud\/data\/nextcloud.log",
        "logdateformat": "F d, Y H:i:s",
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "loglevel": 2,
        "theme": "",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "unsplash",
            "files_retention",
            "ransomware_detection",
            "files_readmemd",
            "bruteforcesettings",
            "files_antivirus",
            "talk_matterbridge",
            "impersonate",
            "files_markdown"
        ],
        "memories.exiftool": "\/var\/www\/nextcloud\/apps\/memories\/exiftool-bin\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/nextcloud\/apps\/memories\/exiftool-bin\/go-vod-amd64",
        "memories.gis_type": 2,
        "allow_user_to_change_display_name": false,
        "lost_password_link": "disabled",
        "oidc_login_auto_redirect": false,
        "oidc_login_provider_url": "",
        "oidc_login_client_id": "",
        "oidc_login_client_secret": "",
        "oidc_login_logout_url": "",
        "oidc_login_end_session_redirect": true,
        "oidc_login_default_quota": "32212254720",
        "oidc_login_button_text": "Log in with SSO account",
        "oidc_login_hide_password_form": false,
        "oidc_login_use_id_token": false,
        "oidc_login_attributes": {
            "id": "preferred_username",
            "mail": "email",
            "login_filter": "nextcloudGroups",
            "groups": "nextcloudGroups",
            "is_admin": "nextcloudAdmin"
        },
        "oidc_login_filter_allowed_values": [
            "nextcloud"
        ],
        "oidc_login_use_external_storage": false,
        "oidc_login_scope": "openid profile email roles",
        "oidc_login_proxy_ldap": false,
        "oidc_login_disable_registration": true,
        "oidc_login_redir_fallback": false,
        "oidc_login_tls_verify": true,
        "oidc_create_groups": false,
        "oidc_login_webdav_enabled": true,
        "oidc_login_password_authentication": false,
        "oidc_login_public_key_caching_time": 86400,
        "oidc_login_min_time_between_jwks_requests": 10,
        "oidc_login_well_known_caching_time": 86400,
        "oidc_login_skip_proxy": false,
        "oidc_login_code_challenge_method": "",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
    }
}

List of activated Apps

Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - announcementcenter: 6.6.1
  - bookmarks: 13.0.1
  - bruteforcesettings: 2.6.0
  - calendar: 4.3.4
  - circles: 26.0.0
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contacts: 5.2.0
  - contactsinteraction: 1.7.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - deck: 1.9.2
  - event_update_notification: 2.2.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_accesscontrol: 1.16.0
  - files_antivirus: 5.0.0
  - files_automatedtagging: 1.16.1
  - files_markdown: 2.4.0
  - files_pdfviewer: 2.7.0
  - files_readmemd: 2.0.0
  - files_retention: 1.15.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - firstrunwizard: 2.15.0
  - forms: 3.2.0
  - groupfolders: 14.0.2
  - guests: 2.5.0
  - impersonate: 1.13.0
  - integration_gitlab: 1.0.17
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - maps: 1.0.2
  - memories: 5.1.0
  - news: 21.2.0
  - nextcloud_announcements: 1.15.0
  - notes: 4.7.2
  - notifications: 2.14.0
  - notify_push: 0.6.3
  - oauth2: 1.14.0
  - oidc_login: 2.5.1
  - password_policy: 1.16.0
  - photos: 2.2.0
  - polls: 5.0.5
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - quota_warning: 1.17.0
  - recommendations: 1.5.0
  - related_resources: 1.1.0-alpha1
  - richdocuments: 8.0.2
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - spreed: 16.0.3
  - support: 1.9.0
  - survey_client: 1.14.0
  - suspicious_login: 4.4.0
  - systemtags: 1.16.0
  - tables: 0.5.0
  - tasks: 0.15.0
  - text: 3.7.2
  - theming: 2.1.1
  - timetracker: 0.0.79
  - twofactor_backupcodes: 1.15.0
  - twofactor_totp: 8.0.0-alpha.0
  - twofactor_webauthn: 1.2.0
  - unsplash: 2.2.0
  - updatenotification: 1.16.0
  - uppush: 1.3.0
  - user_ldap: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflowengine: 2.8.0
Disabled:
  - apporder: 0.15.0 (installed 0.15.0)
  - encryption: 2.14.0 (installed 2.8.1)
  - files_external: 1.18.0 (installed 1.18.0)
  - files_texteditor: 2.15.0 (installed 2.15.0)
  - integration_whiteboard: 0.0.14 (installed 0.0.14)
  - mail: 3.1.1 (installed 3.1.1)
  - ransomware_protection: 1.14.0 (installed 1.14.0)
  - socialsharing_email: 2.6.0 (installed 2.6.0)
  - talk_matterbridge: 1.26.0 (installed 1.26.0)
  - user_oidc: 1.3.2 (installed 1.3.2)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"ANQKJ8MGTgb7AKu2KO9H","level":2,"time":"May 20, 2023 21:14:26","remoteAddr":"xxx","user":"foo","app":"user_ldap","method":"GET","url":"/settings/admin/ldap","message":"Configuration Error (prefix s01): login filter does not contain %uid place holder.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0","version":"26.0.1.1","data":{"app":"user_ldap"}}
{"reqId":"ANQKJ8MGTgb7AKu2KO9H","level":2,"time":"May 20, 2023 21:14:26","remoteAddr":"xxx","user":"foo","app":"user_ldap","method":"GET","url":"/settings/admin/ldap","message":"Configuration is invalid, cannot connect","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0","version":"26.0.1.1","data":{"app":"user_ldap"}}

Additional info

Nextcloud installed from source, updated by updater/updater.phar, running on Debian Bookworm with PHP 8.2.

[juresaht2]

It's worth noting that the GUI does not do this error checking and instantly saves whatever query you enter even if it has no %uid, instacrashing the entire install and preventing users from logging in (for example the admin changing the settings).

Settings can still be fixed also using occ (you don't have to edit the database).

It's important to note that the parameters ldapLoginFilter and ldapUserFilter are named backwards, as ldapLoginFilter provides user details (contains %uid) and ldapUserFilter (no %uid) is used for logins. It took me forever to realise my instal wasn't working because I had swapped the values while trying to fix things.