nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: LDAP users cannot log in #39995

Open tcpluess opened 1 year ago

tcpluess commented 1 year ago


Bug description

I have configured LDAP/AD Integration on my Nextcloud Server. This worked fine for a couple of years. However, for the past couple of months, it seems that new users can no longer log in, while existing users are not affected.

When a new user wants to login, I see the following error in the Nextcloud log:

LDAP Login: Could not get user object for DN cn=<first name, last name>,ou=employees,ou=<redacted>,dc=<redacted>,dc=<redacted>,dc=ch. Maybe the LDAP entry has no set display name attribute?

However, when I check for that user on the "LDAP/AD integration / Login Attributes" page, I get the message "User found and settings verified". So the user definitely exists and can be found via LDAP, but for some reason this fails for the login.

Steps to reproduce

  1. Try to log in with an LDAP/AD user that has never logged in before.
  2. The login fails with the error message

LDAP Login: Could not get user object for DN cn=<first name, last name>,ou=employees,ou=<redacted>,dc=<redacted>,dc=<redacted>,dc=ch. Maybe the LDAP entry has no set display name attribute?

Expected behavior

The user can log in successfully using his LDAP/AD account and password.

Installation method

None

Nextcloud Server version

27

Operating system

RHEL/CentOS

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

# sudo -u apache php occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.iap.unibe.ch"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.2.1",
        "overwrite.cli.url": "https:\/\/nextcloud.iap.unibe.ch",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable"
    }
}

List of activated Apps

# sudo -u apache php occ app:list
Enabled:
  - activity: 2.19.0
  - bruteforcesettings: 2.7.0
  - calendar: 4.4.4
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_ldap: 1.17.0
  - viewer: 2.1.0
  - workflowengine: 2.9.0
Disabled:
  - admin_audit: 1.17.0
  - contactsinteraction: 1.8.0 (installed 1.1.0)
  - dashboard: 7.7.0 (installed 7.0.0)
  - encryption: 2.15.0
  - federation: 1.17.0 (installed 1.10.1)
  - files_external: 1.19.0
  - firstrunwizard: 2.16.0 (installed 2.9.0)
  - recommendations: 1.6.0 (installed 0.8.0)
  - support: 1.10.0 (installed 1.3.0)
  - survey_client: 1.15.0 (installed 1.8.0)
  - suspicious_login: 5.0.0
  - twofactor_totp: 9.0.0
  - user_status: 1.7.0 (installed 1.0.0)
  - weather_status: 1.7.0 (installed 1.0.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response
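A small triage helper, added here and not part of Nextcloud or of this report, that pulls the affected DNs out of nextcloud.log and groups them by parent container, so an admin can see whether the first-login failures cluster in one OU. It assumes the log is JSON lines with "app" and "message" fields; the sample records are constructed.

```python
"""Pull the DNs behind user_ldap's "Could not get user object for DN" error out of a
Nextcloud JSON-lines log and group them by parent container. Assumed, not from the
report: one JSON object per line with "app" and "message" fields; SAMPLE_LOG is constructed."""
import json
import re
from collections import Counter

# Error text quoted in the report; the DN runs up to the ". Maybe" sentence.
ERR_RE = re.compile(r"Could not get user object for DN (?P<dn>.+?)\. Maybe the LDAP entry")

# Constructed sample records: two affected users plus unrelated noise and a non-JSON line.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"app": "user_ldap", "message": "LDAP Login: Could not get user object for DN "
     "cn=Doe\\, Jane,ou=employees,dc=example,dc=ch. Maybe the LDAP entry has no set display name attribute?"},
    {"app": "core", "message": "Unrelated informational entry"},
    {"app": "user_ldap", "message": "LDAP Login: Could not get user object for DN "
     "cn=Richard Roe,ou=employees,dc=example,dc=ch. Maybe the LDAP entry has no set display name attribute?"},
)] + ["not json at all"]

def split_dn(dn):
    """Split a DN into RDNs; a backslash-escaped comma (RFC 4514) stays inside its value."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
            escaped = (ch == "\\") and not escaped
    parts.append("".join(cur).strip())
    return parts

def affected_dns(log_lines):
    """Return the DNs from user_ldap login failures, in log order; non-JSON lines are skipped."""
    dns = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("app") != "user_ldap":
            continue
        match = ERR_RE.search(rec.get("message", ""))
        if match:
            dns.append(match.group("dn"))
    return dns

def failures_by_container(dns):
    """Count failing logins per parent container (the DN minus its leading RDN)."""
    return Counter(",".join(split_dn(dn)[1:]) for dn in dns)
```

The script only reads the log; comparing the listed DNs against the entries that do have the mapped display-name attribute is the next step, done against the directory itself.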

tcpluess commented 11 months ago

any feedback on this?

I found that rolling back to 25.0.0 solves the issue

https://help.nextcloud.com/t/upgrade-25-0-0-to-25-0-1-ldap-error-maybe-the-ldap-entry-has-no-set-display-name-attribute/149327

or another possibility would be to manually downgrade the LDAP App:

https://help.nextcloud.com/t/ldap-authentifizierung-nach-update-ohne-funktion/151140

I have tested the latter, which does not work, and the former is not possible as downgrading is not supported. And I cannot make a new installation as users are already using the Nextcloud.

AlexBocken commented 7 months ago

I'm experiencing the exact same issue now. Is there a way I can help in triage?

overlaps1 commented 6 months ago

Same issue here, everything was working fine. Since I raised my domain functional level from 2K8 to 2K12 that issue appeared. Tried to set up a new Nextcloud from scratch, connected the user_ldap to my AD and got the same behaviour. All lights are green, user_ldap can find AD users but they are unable to log in. Here is the error: "LDAP Login: Could not get user object for DN cn=administrateur,cn=users,dc=domain,dc=tld. Maybe the LDAP entry has no set display name attribute?" Does anyone have a solution?

stillagorilla commented 6 months ago

Same issue here.

My LDAP query for Users:

(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=Nextcloud Users,CN=Users,DC=mydomain,DC=local)(primaryGroupID=4291))))

Nextcloud Hub 6 (27.1.4) under TrueNAS-13.0-U6.1, LDAP backend 1.17.0

knieselpriem commented 6 months ago

I'm struggling with the same behavior at version 28.0.1. Sporadically the LDAP users are not found and can neither connect to CalDAV/CardDAV/WebDAV nor log in to Nextcloud.