
Nextcloud user_ldap 2FA OTP bind failed after a few minutes causing logout when using password+otp, both nextcloud-desktop and WebUI #9726

Open
tuxcrafter opened this issue May 5, 2021 · 18 comments

Comments

@tuxcrafter

tuxcrafter commented May 5, 2021

Steps to reproduce

  1. Working user_ldap (1.10.2) (FreeIPA or AD example)
  2. Login with user+password OR user with password+otp (when OTP is enabled in AD or FreeIPA LDAP backend)
  3. Change password in LDAP backend if you did not use password+otp
  4. Nextcloud-desktop and WebUI will log out with a "Bind failed: 49: Invalid credentials" after about 5 minutes (not after the session timeout), and nextcloud-desktop should use the apptoken but this stops working as well.

Expected behaviour

apptokens stay working in nextcloud-desktop and the user only gets logged out when remember_login_cookie_lifetime / session_lifetime times out

Actual behaviour

after about 5 minutes the nextcloud desktop stops syncing and the WebGUI goes back to the login screen.

Server configuration

Operating system:
[root@nextcloud01 ~]# cat /etc/system-release
CentOS Linux release 8.3.2011

Web server:
[root@nextcloud01 ~]# rpm -q httpd
httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64

Database:
[root@nextcloud01 ~]# rpm -q mariadb
mariadb-10.3.28-1.module_el8.3.0+757+d382997d.x86_64

PHP version:
[root@nextcloud01 ~]# php --version
PHP 7.4.19 (cli) (built: May 4 2021 11:06:37) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.19, Copyright (c), by Zend Technologies

Nextcloud version: (see Nextcloud admin page)
[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ status
  - installed: true
  - version: 20.0.9.1
  - versionstring: 20.0.9
  - edition:

List of activated apps:

```
[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ app:list
Enabled:
  - activity: 2.13.4
  - bruteforcesettings: 2.1.0
  - cloud_federation_api: 1.3.0
  - dav: 1.16.2
  - federatedfilesharing: 1.10.2
  - files: 1.15.0
  - files_external: 1.11.1
  - files_pdfviewer: 2.0.1
  - files_rightclick: 0.17.0
  - files_sharing: 1.12.2
  - files_versions: 1.13.0
  - files_videoplayer: 1.9.0
  - logreader: 2.5.0
  - lookup_server_connector: 1.8.0
  - oauth2: 1.8.0
  - password_policy: 1.10.1
  - provisioning_api: 1.10.0
  - richdocuments: 3.7.19
  - serverinfo: 1.10.0
  - settings: 1.2.0
  - sharebymail: 1.10.0
  - text: 3.1.0
  - theming: 1.11.0
  - twofactor_backupcodes: 1.9.0
  - updatenotification: 1.10.0
  - user_ldap: 1.10.2
  - viewer: 1.4.0
  - workflowengine: 2.2.0
Disabled:
  - accessibility
  - admin_audit
  - comments
  - contactsinteraction
  - dashboard
  - encryption
  - federation
  - files_trashbin
  - firstrunwizard
  - nextcloud_announcements
  - notifications
  - photos
  - privacy
  - recommendations
  - support
  - survey_client
  - systemtags
  - user_status
  - weather_status
```

Nextcloud configuration:

```
[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ config:list system
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.40.195",
            "nextcloud01.organization.lan",
            "nextcloud.organization.org"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "20.0.9.1",
        "overwrite.cli.url": "https:\/\/nextcloud.organization.org\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "6379",
            "dbindex": "0",
            "timeout": "0.5"
        },
        "overwriteprotocol": "https",
        "htaccess.RewriteBase": "\/",
        "logtimezone": "Europe\/Amsterdam",
        "simpleSignUpLink.shown": false,
        "default_language": "en",
        "defaultapp": "files",
        "skeletondirectory": "",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "pipe",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpsecure": "tls",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": "1",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "share_folder": "\/Shared",
        "maintenance": false,
        "loglevel": 2,
        "remember_login_cookie_lifetime": "1296000",
        "session_lifetime": "86400",
        "session_keepalive": true,
        "token_auth_enforced": false
    }
}
```

Are you using external storage, if yes which one: local/smb/sftp/...
SMB (systemwide Kerberos token auth) no user password needed to remember.

Are you using encryption: yes/no
NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP

LDAP configuration (delete this part if not used)

[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:show-config
+-------------------------------+----------------------------------------------------------------+
| Configuration                 | s01                                                            |
+-------------------------------+----------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                              |
| homeFolderNamingRule          |                                                                |
| lastJpegPhotoLookup           | 0                                                              |
| ldapAgentName                 | uid=externalldapadmin,cn=sysaccounts,cn=etc,dc=organization,dc=lan |
| ldapAgentPassword             | ***                                                            |
| ldapAttributesForGroupSearch  |                                                                |
| ldapAttributesForUserSearch   |                                                                |
| ldapBackupHost                |                                                                |
| ldapBackupPort                |                                                                |
| ldapBase                      | dc=organization,dc=lan                                         |
| ldapBaseGroups                | cn=groups,cn=accounts,dc=organization,dc=lan                   |
| ldapBaseUsers                 | cn=users,cn=accounts,dc=organization,dc=lan                    |
| ldapCacheTTL                  | 3600                                                           |
| ldapConfigurationActive       | 1                                                              |
| ldapDefaultPPolicyDN          |                                                                |
| ldapDynamicGroupMemberURL     |                                                                |
| ldapEmailAttribute            | mail                                                           |
| ldapExperiencedAdmin          | 0                                                              |
| ldapExpertUUIDGroupAttr       |                                                                |
| ldapExpertUUIDUserAttr        |                                                                |
| ldapExpertUsernameAttr        | uid                                                            |
| ldapExtStorageHomeAttribute   | uid                                                            |
| ldapGidNumber                 | gidNumber                                                      |
| ldapGroupDisplayName          | cn                                                             |
| ldapGroupFilter               | (objectclass=ipausergroup)                                     |
| ldapGroupFilterGroups         |                                                                |
| ldapGroupFilterMode           | 1                                                              |
| ldapGroupFilterObjectclass    |                                                                |
| ldapGroupMemberAssocAttr      | member                                                         |
| ldapHost                      | ldap://freeipa01.organization.lan                              |
| ldapIgnoreNamingRules         |                                                                |
| ldapLoginFilter               | (&(objectclass=*)(uid=%uid))                                   |
| ldapLoginFilterAttributes     |                                                                |
| ldapLoginFilterEmail          | 0                                                              |
| ldapLoginFilterMode           | 1                                                              |
| ldapLoginFilterUsername       | 1                                                              |
| ldapMatchingRuleInChainState  | unknown                                                        |
| ldapNestedGroups              | 0                                                              |
| ldapOverrideMainServer        | 0                                                              |
| ldapPagingSize                | 500                                                            |
| ldapPort                      | 389                                                            |
| ldapQuotaAttribute            |                                                                |
| ldapQuotaDefault              |                                                                |
| ldapTLS                       | 0                                                              |
| ldapUserAvatarRule            | default                                                        |
| ldapUserDisplayName           | displayname                                                    |
| ldapUserDisplayName2          |                                                                |
| ldapUserFilter                | (objectclass=*)                                                |
| ldapUserFilterGroups          |                                                                |
| ldapUserFilterMode            | 1                                                              |
| ldapUserFilterObjectclass     |                                                                |
| ldapUuidGroupAttribute        | auto                                                           |
| ldapUuidUserAttribute         | auto                                                           |
| turnOffCertCheck              | 0                                                              |
| turnOnPasswordChange          | 0                                                              |
| useMemberOfToDetectMembership | 1                                                              |
+-------------------------------+----------------------------------------------------------------+

Client configuration

Browser:
Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0

Operating system:

Nextcloud log (data/nextcloud.log)

{"reqId":"YJF84LiMHIDHNaRorSHuIgAAAEw","level":2,"time":"2021-05-04T18:57:04+02:00","remoteAddr":"192.168.40.29","user":"t.user","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Personal/Documents","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Linux) mirall/3.2.1-20210429.171749.5901a0f98-1.0~focal1 (Nextcloud, linuxmint-5.4.0-72-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"20.0.9.1"}
{"reqId":"YJF84LiMHIDHNaRorSHuIgAAAEw","level":2,"time":"2021-05-04T18:57:04+02:00","remoteAddr":"192.168.40.29","user":"t.user","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Personal/Documents","message":"Login failed: 't.user' (Remote IP: '192.168.40.29')","userAgent":"Mozilla/5.0 (Linux) mirall/3.2.1-20210429.171749.5901a0f98-1.0~focal1 (Nextcloud, linuxmint-5.4.0-72-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"20.0.9.1"}

{"reqId":"YJFkTy9kZ@IUeZPiPtMCfwAAAY0","level":2,"time":"2021-05-04T17:12:15+02:00","remoteAddr":"192.168.40.29","user":"t.user","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Organization","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.9.1"}
{"reqId":"YJFkTy9kZ@IUeZPiPtMCfwAAAY0","level":2,"time":"2021-05-04T17:12:16+02:00","remoteAddr":"192.168.40.29","user":"t.user","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Organization","message":"Login failed: 't.user' (Remote IP: '192.168.40.29')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.9.1"}

Related issues I found, but they did not point to user_ldap bind failures.

nextcloud/server#18891
#9727
nextcloud/server#11390
nextcloud/server#21285
nextcloud/server#26502
nextcloud/server#3632
https://help.nextcloud.com/t/ldap-2-fa-auth-users-logged-out-after-5-minutes-app-passwords-destroyed/38218

Please update user_ldap to use admin_bind for lookups and user_credentials for validation. Update apptoken system not to fail when password of users changes (if that is the issue)
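The failure pattern described in this report (user_ldap bind failures that recur every few minutes for a user who authenticated with password+OTP, on both the desktop client and the browser) can be picked out of nextcloud.log automatically. The script below is an added example, not part of this issue or of Nextcloud's code. It assumes only the JSON-lines log format shown above; the sample lines are constructed and the five-minute period and one-minute tolerance are assumptions based on the interval the reporter describes.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample in the JSON-lines shape of nextcloud.log, modeled on the
# excerpt in the issue. Users, addresses, request ids and times are made up.
SAMPLE_LOG = "\n".join([
    '{"reqId":"r1","level":2,"time":"2021-05-04T17:12:15+02:00","remoteAddr":"192.0.2.10","user":"t.user","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Organization","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.9.1"}',
    '{"reqId":"r1","level":2,"time":"2021-05-04T17:12:16+02:00","remoteAddr":"192.0.2.10","user":"t.user","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Organization","message":"Login failed: \'t.user\' (Remote IP: \'192.0.2.10\')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.9.1"}',
    '{"reqId":"r2","level":2,"time":"2021-05-04T17:17:16+02:00","remoteAddr":"192.0.2.10","user":"t.user","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Documents","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Linux) mirall/3.2.1 (Nextcloud)","version":"20.0.9.1"}',
    '{"reqId":"r3","level":2,"time":"2021-05-04T17:22:14+02:00","remoteAddr":"192.0.2.10","user":"t.user","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Documents","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Linux) mirall/3.2.1 (Nextcloud)","version":"20.0.9.1"}',
    '{"reqId":"r4","level":2,"time":"2021-05-04T17:30:00+02:00","remoteAddr":"192.0.2.11","user":"a.user","app":"user_ldap","method":"GET","url":"/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.9.1"}',
    '{"reqId":"r5","level":1,"time":"2021-05-04T17:31:00+02:00","remoteAddr":"192.0.2.11","user":"a.user","app":"files","method":"GET","url":"/apps/files","message":"Scanning files","userAgent":"curl/7.68.0","version":"20.0.9.1"}',
    'not json at all',
])

# Exact message user_ldap logs when the LDAP server rejects the bind (see the issue's log excerpt).
BIND_FAILED = "Bind failed: 49: Invalid credentials"


def parse_log(text):
    """Parse JSON-lines log text into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def client_family(user_agent):
    """The desktop client identifies itself with 'mirall/'; everything else is treated as a browser."""
    return "desktop" if "mirall/" in user_agent else "browser"


def bind_failures_by_user(text):
    """Group user_ldap bind failures by user name."""
    by_user = defaultdict(list)
    for rec in parse_log(text):
        if rec.get("app") == "user_ldap" and rec.get("message") == BIND_FAILED:
            by_user[rec["user"]].append(rec)
    return by_user


def summarize(text):
    """Per user: number of bind failures, client types affected, and seconds between consecutive failures."""
    summary = {}
    for user, recs in bind_failures_by_user(text).items():
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        summary[user] = {
            "count": len(recs),
            "clients": sorted({client_family(r["userAgent"]) for r in recs}),
            "gaps_seconds": gaps,
        }
    return summary


def suspect_cached_credential_rebind(text, period_seconds=300, tolerance_seconds=60):
    """Users whose bind failures recur at roughly the period the reporter describes (about 5 minutes).

    A single failure (a mistyped password) is not flagged; the periodic pattern is what points at a
    stored credential being re-validated against the backend rather than at a user error.
    """
    flagged = set()
    for user, info in summarize(text).items():
        if any(abs(g - period_seconds) <= tolerance_seconds for g in info["gaps_seconds"]):
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG).items():
        print(user, info)
    print("periodic re-bind suspects:", suspect_cached_credential_rebind(SAMPLE_LOG))
```

To run it against a real instance, feed the contents of data/nextcloud.log to summarize() instead of SAMPLE_LOG; users that show up in suspect_cached_credential_rebind() with both "browser" and "desktop" clients match the behaviour this issue reports, whereas a single failure from one client is more likely an ordinary wrong password.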

@tuxcrafter tuxcrafter changed the title Nextcloud user_ldap 2FA OTP bind failed when using password+otp, both nextcloud-desktop and WebUI Nextcloud user_ldap 2FA OTP bind failed after a few minutes causing logout when using password+otp, both nextcloud-desktop and WebUI May 5, 2021
@aeisen

aeisen commented May 5, 2021

Seems to be what I reported 3 weeks ago in #26502 (see this comment)

@szaimen

This comment has been minimized.

@szaimen szaimen closed this as completed May 26, 2021
@tuxcrafter
Author

tuxcrafter commented Nov 21, 2021

# sudo -u apache php /var/www/html/nextcloud/occ update:check
Everything up to date
# sudo -u apache php /var/www/html/nextcloud/updater/updater.phar 
Nextcloud Updater - version: v20.0.0beta4-11-g68fa0d4
Current version is 22.2.3.
No update available.
Nothing to do.

I have updated to the latest stable and re-tested everything. I still got the same problem. I can login with LDAP username and password+otp; after five minutes or so the user gets automatically logged out and I can see in the authorization back-end that there are failed login attempts. Nextcloud tries to cache the password and reuse or revalidate it every five minutes; this will not work with a one-time password. Can I request the fix to not use cached passwords and use a session cookie or other technology and don't cache the LDAP password, just use it for authentication once, until the session timeout.

@quinhn

quinhn commented Jan 7, 2022

I have the same issue.
- Nextcloud v23.0.0.
- FreeIPA 2FA OTP.
Please fix it asap!

@Mundball

I have the same issue.
Nextcloud v22.2.3
FreeIPA 4.9.6 Password+OTP

@olewales

olewales commented Feb 7, 2022

Same problem (or feature request) here. Apparently nextcloud is caching user password and using it to re-authenticate to backend periodically which seems both pointless and intuitively insecure. Other closed (but never solved) issues that seem to describe the same behavior are nextcloud/server#21345 and nextcloud/server#11113

Nextcloud is the only app that prevents me from enforcing otp in freeIPA. If you are worried that something may depend on this exact behavior please at least consider making it configurable

@RphCos

RphCos commented Mar 27, 2022

Same problem here.
Nextcloud v 22.2.3
FreeIPA v4.9.6

Did anyone find a workaround?
On my end, every LDAP user is affected, OTP or not. DB users are unaffected though.
EDIT: The issue with all LDAP users was caused by a manipulation of the owncloud_name column of oc_ldap_user_mapping without deleting the oc_user entry for the same uid entry.

@tuxcrafter
Author

tuxcrafter commented Apr 6, 2022

Is there a way to get this bug under the attention of one of the Nextcloud developers? It has been bugging me for more than a year, and I keep having obstacles with 2FA. I set up a keycloak server for SAML that I could use for Nextcloud, but it does not support ldap+otp for other clients that currently work... Getting around this Nextcloud issue of reusing the ldap password internally every five minutes would solve a lot of issues.

@olewales

olewales commented Apr 6, 2022

It would be nice to at least acknowledge this problem by assigning it "To develop" label. It was confirmed to affect multiple people and as far as I can tell it isn't on any roadmap

@alfonsrv

This issue has been acknowledged here: nextcloud/server#11113

@duburcqa

duburcqa commented Dec 13, 2022

This issue is also blocking me from enabling LDAP+OTP, which is a pity.

@tuxcrafter
Author

@come-nc would you be able to advise on how to move forward with this bug ticket? It's been a while now.

@enekux

enekux commented Dec 15, 2022

+1

@szaimen

This comment was marked as outdated.

@tuxcrafter
Author

Please keep this ticket open!

@szaimen
Contributor

szaimen commented Mar 6, 2023

So can you reproduce this issue still?

@tuxcrafter
Author

I will make a new test server for this in the next few weeks. This is a complicated issue and I had to remove my old environment and move to user_saml to work around this issue.

@olewales

olewales commented Mar 7, 2023

Seems to work for me BUT only after making config changes mentioned in another issue: nextcloud/server#11113 (comment)
'auth.storeCryptedPassword' => false

Please document this somewhere or make this default setting
Before that both the web UI and the nextcloud desktop app (linux) were logged out after about 5 minutes

Sorry for not testing this earlier, I almost gave up entirely on using ldap+2fa with nextcloud

@szaimen szaimen removed the needs info label Mar 7, 2023
@szaimen szaimen reopened this Mar 7, 2023
@szaimen szaimen transferred this issue from nextcloud/server Mar 7, 2023