Nextcloud user_ldap 2FA OTP bind failed after a few minutes causing logout when using password+otp, both nextcloud-desktop and WebUI #9726
Comments
Seems to be what I reported 3 weeks ago in #26502 (see this comment)
I have updated to the latest stable and re-tested everything. I still get the same problem. I can log in with LDAP username and password+otp; after five minutes or so the user gets automatically logged out and I can see in the authorization back-end that there are failed login attempts. Nextcloud tries to cache the password and reuse or re-validate it every five minutes, which will not work with a one-time password. Can I request a fix that does not use cached passwords but uses a session cookie or another technique instead, i.e. does not cache the LDAP password and only uses it for authentication once, until the session timeout?
I have the same issue.
I have the same issue.
Same problem (or feature request) here. Apparently Nextcloud is caching the user password and using it to re-authenticate to the backend periodically, which seems both pointless and intuitively insecure. Other closed (but never solved) issues that seem to describe the same behavior are nextcloud/server#21345 and nextcloud/server#11113. Nextcloud is the only app that prevents me from enforcing OTP in FreeIPA. If you are worried that something may depend on this exact behavior, please at least consider making it configurable.
Same problem here. Did anyone find a workaround?
Is there a way to get this bug under the attention of one of the Nextcloud developers? It has been bugging me for more than a year, and I keep running into obstacles with 2FA. I set up a Keycloak server for SAML that I could use for Nextcloud, but it does not support LDAP+OTP for other clients that currently work... Getting around this Nextcloud issue of reusing the LDAP password internally every five minutes would solve a lot of issues.
It would be nice to at least acknowledge this problem by assigning it the "To develop" label. It was confirmed to affect multiple people and as far as I can tell it isn't on any roadmap.
This issue has been acknowledged here: nextcloud/server#11113
This issue is also blocking me from enabling LDAP+OTP, which is a pity.
@come-nc would you be able to advise on how to move forward with this bug ticket? It's been a while now.
+1
Please keep this ticket open!
So can you still reproduce this issue?
I will set up a new test server for this in the next few weeks. This is a complicated issue, and I had to remove my old environment and move to user_saml to work around it.
Seems to work for me, BUT only after making the config changes mentioned in another issue: nextcloud/server#11113 (comment). Please document this somewhere or make it the default setting. Sorry for not testing this earlier; I had almost given up entirely on using LDAP+2FA with Nextcloud.
Steps to reproduce
Expected behaviour
App tokens keep working in nextcloud-desktop, and the user only gets logged out when remember_login_cookie_lifetime / session_lifetime times out.
Actual behaviour
After about 5 minutes the nextcloud-desktop client stops syncing and the WebGUI goes back to the login screen.
Server configuration
Operating system:
[root@nextcloud01 ~]# cat /etc/system-release
CentOS Linux release 8.3.2011
Web server:
[root@nextcloud01 ~]# rpm -q httpd
httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64
Database:
[root@nextcloud01 ~]# rpm -q mariadb
mariadb-10.3.28-1.module_el8.3.0+757+d382997d.x86_64
PHP version:
[root@nextcloud01 ~]# php --version
PHP 7.4.19 (cli) (built: May 4 2021 11:06:37) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.19, Copyright (c), by Zend Technologies
Nextcloud version: (see Nextcloud admin page)
[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ status
List of activated apps:
Nextcloud configuration:
Are you using external storage, if yes which one: local/smb/sftp/...
SMB (systemwide Kerberos token auth) no user password needed to remember.
Are you using encryption: yes/no
NO
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP
LDAP configuration (delete this part if not used)
Client configuration
Browser:
Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Operating system:
Nextcloud log (data/nextcloud.log)
Related issues I found, which however did not point to user_ldap bind failures:
nextcloud/server#18891
#9727
nextcloud/server#11390
nextcloud/server#21285
nextcloud/server#26502
nextcloud/server#3632
https://help.nextcloud.com/t/ldap-2-fa-auth-users-logged-out-after-5-minutes-app-passwords-destroyed/38218
Please update user_ldap to use admin_bind for lookups and user_credentials for validation only. Update the app token system so it does not fail when the user's password changes (if that is the issue).
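To make the failure mode described in the thread concrete (the comment about Nextcloud re-validating a cached password every five minutes, and the request above to bind with user credentials only once), here is a small simulation. It is an added example and not Nextcloud or user_ldap code: a toy LDAP-like backend that accepts password+OTP only once per code, a session that re-binds with the cached credential every 300 seconds, and a session that binds once and then trusts an opaque token until an assumed session_lifetime. All names, the TOTP seed and the user record are constructed for the example.

```python
"""Model of why periodic re-binds with a cached password+OTP fail.

Added example, not Nextcloud code: a toy one-time-password backend plus
two session strategies, one re-binding with the cached credential and one
validating an opaque token instead.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed test identity; nothing here comes from the issue.
SECRET = b"constructed-totp-seed"
USERS = {"alice": ("hunter2", SECRET)}   # user -> (static password, TOTP seed)
REVALIDATE_EVERY = 300                   # the ~5 minute re-bind the reporters observe
SESSION_LIFETIME = 1800                  # assumed session_lifetime for the token strategy


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Six-digit TOTP (RFC 6238 style, HMAC-SHA1), enough to model one-time codes."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class OtpLdapBackend:
    """Toy LDAP-like backend: a password+OTP bind succeeds only once per code."""

    def __init__(self, users):
        self.users = users
        self.used = set()        # (user, otp) pairs already consumed
        self.failed_binds = 0    # what the reporters see in their backend log

    def bind(self, user: str, credential: str, now: int) -> bool:
        password, secret = self.users.get(user, (None, None))
        if password is None or not credential.startswith(password):
            self.failed_binds += 1
            return False
        otp = credential[len(password):]
        if otp != totp(secret, now) or (user, otp) in self.used:
            self.failed_binds += 1   # expired or replayed code
            return False
        self.used.add((user, otp))
        return True


class CachedCredentialSession:
    """Behaviour described in the thread: keep the bind credential and
    re-bind with it every REVALIDATE_EVERY seconds."""

    def __init__(self, backend, user, credential, now):
        self.backend, self.user, self.credential = backend, user, credential
        self.alive = backend.bind(user, credential, now)
        self.next_check = now + REVALIDATE_EVERY

    def is_valid(self, now: int) -> bool:
        if self.alive and now >= self.next_check:
            # The cached OTP is expired and already consumed: this bind fails.
            self.alive = self.backend.bind(self.user, self.credential, now)
            self.next_check = now + REVALIDATE_EVERY
        return self.alive


class TokenSession:
    """Requested behaviour: bind once, then trust an opaque session token
    until SESSION_LIFETIME without touching the password again."""

    def __init__(self, backend, user, credential, now):
        ok = backend.bind(user, credential, now)
        self.token = secrets.token_hex(16) if ok else None
        self.expires = now + SESSION_LIFETIME

    def is_valid(self, now: int) -> bool:
        return self.token is not None and now < self.expires


def simulate(session_cls, duration: int = 900, tick: int = 60):
    """Log in at t=0 with password+OTP and poll the session every `tick` seconds.
    Returns (second at which the user was logged out, or None; failed binds seen)."""
    backend = OtpLdapBackend(USERS)
    password, secret = USERS["alice"]
    session = session_cls(backend, "alice", password + totp(secret, 0), now=0)
    for t in range(tick, duration + 1, tick):
        if not session.is_valid(t):
            return t, backend.failed_binds
    return None, backend.failed_binds


if __name__ == "__main__":
    print("cached credential:", simulate(CachedCredentialSession))  # (300, 1)
    print("session token:    ", simulate(TokenSession))             # (None, 0)
```

The cached-credential strategy logs the user out at the first re-validation (t=300) and leaves one failed bind in the backend log, which matches the pattern reported above; the token strategy never presents the password again and survives until session_lifetime. Running `python3 thisfile.py` prints both results.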