Open manolopm opened 1 month ago
I've tried to reduce the problem by removing the other 2 ADs from the configuration. Even with one AD it tries to log in many times, but it doesn't get as far as blocking the account in the AD, because Nextcloud detects it as a brute-force attempt and blocks the request before the account gets blocked. So the problem happens even with one AD server.
I think it may be related to the double check of the password against each backend, related to the urlencoded password (method checkPasswordNoLoggin in lib/private/User/Manager.php).
Bug description
I've configured the login against an AD. Everything is functional, but when I fail the login, it launches 8 binds for the account and blocks it in the AD (and the IP address is throttled in Nextcloud). I've captured the traffic with Wireshark and checked that in version 20.0.11 of Nextcloud the problem does not happen. I've tried to follow the code, and even the checkPassword function from User_Proxy.php in the user_ldap app is called 8 times, so I think the problem comes from outside the user_ldap app.
Steps to reproduce
Expected behavior
Installation method
Community Manual installation with Archive
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response