Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
Running Nextcloud version 27.0.0 with LDAP user backend and an OpenLDAP server, connected via TLS.
Password changes work when triggered via the Settings->Security approach.
However, forced password changes (on first login in my case) do not work.
I have manually modified the LDAP login query as such:
(&(&(|(objectclass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=Services,dc=redacted)))(uid=%uid)(nextcloudEnabled=TRUE))
(note the nextcloudEnabled attribute)
Generally, things work as expected.
In particular, users can modify their passwords via the Settings->Security page.
On slapd, that looks like this:
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 fd=12 ACCEPT from IP=[<redacted>]:42654 (IP=[::]:636)
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLS1.3 tls_cipher=AES-256-GCM
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=0 BIND dn="cn=Nextcloud Application User,ou=System,dc=redacted" method=128
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=0 BIND dn="cn=Nextcloud Application User,ou=System,dc=redacted" mech=SIMPLE bind_ssf=0 ssf=256
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=0 RESULT tag=97 err=0 qtime=0.000032 etime=0.000271 text=
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=1 SRCH base="ou=People,dc=redacted" scope=2 deref=0 filter="(&(&(|(objectClass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=services,dc=redacted)))(uid=example.user)(nextcloudEnabled=true))"
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=1 SRCH attr=entryuuid nsuniqueid objectguid guid ipauniqueid dn uid samaccountname memberof nextcloudquota mail displayname telephonenumber labeleduri postaladdress jpegphoto thumbnailphoto
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000027 etime=0.000638 nentries=1 text=
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 fd=15 ACCEPT from IP=[<redacted>]:42666 (IP=[::]:636)
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLS1.3 tls_cipher=AES-256-GCM
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 op=0 BIND dn="uid=example.user,ou=people,dc=redacted" method=128
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 op=0 BIND dn="uid=example.user,ou=People,dc=redacted" mech=SIMPLE bind_ssf=0 ssf=256
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 op=0 RESULT tag=97 err=0 qtime=0.000052 etime=0.000260 text=
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 op=1 UNBIND
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=2 PASSMOD id="uid=example.user,ou=people,dc=redacted" new
Jul 19 14:30:45 redacted slapd[8433]: conn=1061 fd=15 closed
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=2 RESULT oid= err=0 qtime=0.000052 etime=0.001535 text=
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=3 UNBIND
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 fd=12 closed
This works.
However, if I log in with a fresh user who needs to change their password on first login (due to a password policy), the change fails on the reset password screen, claiming the login failed.
Checking the slapd logs reveals:
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 fd=12 ACCEPT from IP=[<redacted>]:53866 (IP=[::]:636)
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLS1.3 tls_cipher=AES-256-GCM
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=0 BIND dn="cn=Nextcloud Application User,ou=System,dc=redacted" method=128
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=0 BIND dn="cn=Nextcloud Application User,ou=System,dc=redacted" mech=SIMPLE bind_ssf=0 ssf=256
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=0 RESULT tag=97 err=0 qtime=0.000058 etime=0.000491 text=
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=1 SRCH base="ou=People,dc=redacted" scope=2 deref=0 filter="(&(&(|(objectClass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=services,dc=redacted)))(uid=99fce814-ba79-103d-898e-0b1aa26722b1)(nextcloudEnabled=true))"
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=1 SRCH attr=entryuuid nsuniqueid objectguid guid ipauniqueid dn uid samaccountname memberof nextcloudquota mail displayname telephonenumber labeleduri postaladdress jpegphoto thumbnailphoto
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000064 etime=0.000497 nentries=0 text=
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=2 SRCH base="ou=People,dc=redacted" scope=2 deref=0 filter="(&(&(|(objectClass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=services,dc=redacted)))(uid=99fce814-ba79-103d-898e-0b1aa26722b1)(nextcloudEnabled=true))"
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=2 SRCH attr=entryuuid nsuniqueid objectguid guid ipauniqueid dn uid samaccountname memberof nextcloudquota mail displayname telephonenumber lableduri postaladdress jpegphoto thumbnailphoto
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000027 etime=0.000352 nentries=0 text=
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=3 UNBIND
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 fd=12 closed
Note how the search is for "(&(&(|(objectClass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=services,dc=redacted)))(uid=99fce814-ba79-103d-898e-0b1aa26722b1)(nextcloudEnabled=true))".
Here, Nextcloud incorrectly substitutes the entryUUID for the uid in the search, which then returns no results.
I considered changing the Override UUID detection setting to uid, but I don't think that's the optimal solution here.
It seems to me that it detects the entryUUID just fine.
The nextcloud logs for the failing password reset dialogue reveal:
{
"reqId": "RVthitzjgOxJM8wE54SL",
"level": 2,
"time": "2023-07-19T14:12:45+00:00",
"remoteAddr": "<redacted>",
"user": "--",
"app": "core",
"method": "POST",
"url": "/apps/user_ldap/renewpassword",
"message": "Login failed: '99fce814-ba79-103d-898e-0b1aa26722b1' (Remote IP: '<redacted>')",
"userAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0",
"version": "27.0.0.8",
"data": {
"app": "core"
}
}
Steps to reproduce
- Set up Nextcloud with an LDAP backend.
- Add a password policy to the backend that forces password resets after a password was set or reset by an administrator.
- Create an LDAP user and set a password using ldappasswd (via LDAP manager, root, ... whatever)
- Attempt to log in with the new user
- Be prompted to reset your password
- Password change fails with failed login
Expected behavior
The password-reset-on-first-login should use the same LDAP query to search for users as the one in the Settings->Security page.
Installation method
Community Manual installation with Archive
Nextcloud Server version
27
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"skeletondirectory": "",
"templatedirectory": "",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"redacted"
],
"version": "27.0.0.8",
"overwrite.cli.url": "https:\/\/redacted",
"installed": true,
"defaultapp": "calendar",
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"default_phone_region": "DE",
"default_language": "de_DE",
"default_locale": "de_DE",
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0,
"dbindex": 0,
"timeout": 5
}
}
}
List of activated Apps
Enabled:
- activity: 2.19.0
- calendar: 4.4.3
- circles: 27.0.0
- cloud_federation_api: 1.10.0
- comments: 1.17.0
- contacts: 5.3.2
- contactsinteraction: 1.8.0
- dav: 1.27.0
- federatedfilesharing: 1.17.0
- files: 1.22.0
- files_pdfviewer: 2.8.0
- files_rightclick: 1.6.0
- files_sharing: 1.19.0
- files_trashbin: 1.17.0
- files_versions: 1.20.0
- logreader: 2.12.0
- lookup_server_connector: 1.15.0
- notifications: 2.15.0
- oauth2: 1.15.0
- password_policy: 1.17.0
- privacy: 1.11.0
- provisioning_api: 1.17.0
- recommendations: 1.6.0
- related_resources: 1.2.0
- serverinfo: 1.17.0
- settings: 1.9.0
- sharebymail: 1.17.0
- systemtags: 1.17.0
- text: 3.8.0
- theming: 2.2.0
- twofactor_backupcodes: 1.16.0
- updatenotification: 1.17.0
- user_ldap: 1.17.0
- user_status: 1.7.0
- viewer: 2.1.0
- weather_status: 1.7.0
- workflowengine: 2.9.0
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
No response
Additional info
No response
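As an added check (example code written for this page, not part of the report or of Nextcloud), the following script scans slapd "stats" log lines for the symptom described above: a login-filter search whose `(uid=...)` value has the shape of an entryUUID and which returned `nentries=0`. The sample lines are constructed from the two exchanges quoted in the report; the regular expressions assume the default slapd stats log format shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample: one working search (conn=1060, uid=example.user, 1 entry)
# and one failing search (conn=1047, uid=<entryUUID>, 0 entries), as in the report.
SAMPLE_LOG = """\
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=1 SRCH base="ou=People,dc=redacted" scope=2 deref=0 filter="(&(&(|(objectClass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=services,dc=redacted)))(uid=example.user)(nextcloudEnabled=true))"
Jul 19 14:30:45 redacted slapd[8433]: conn=1060 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000027 etime=0.000638 nentries=1 text=
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=1 SRCH base="ou=People,dc=redacted" scope=2 deref=0 filter="(&(&(|(objectClass=posixAccount))(|(memberOf=gid=nextcloudusers,ou=services,dc=redacted)))(uid=99fce814-ba79-103d-898e-0b1aa26722b1)(nextcloudEnabled=true))"
Jul 19 14:12:45 redacted slapd[8433]: conn=1047 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000064 etime=0.000497 nentries=0 text=
"""

# slapd stats format: a SRCH line carries the filter, the matching
# SEARCH RESULT line (same conn/op) carries the entry count.
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT .*?nentries=(?P<n>\d+)')
UID_RE = re.compile(r'\(uid=([^)]*)\)')
# entryUUID is an RFC 4122 style UUID; a login name that looks like one is suspicious.
UUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I)


@dataclass
class Finding:
    conn: str
    op: str
    uid_value: str
    nentries: int


def find_uuid_uid_searches(log_text: str) -> list[Finding]:
    """Return searches whose (uid=...) value is UUID-shaped and that matched no entries."""
    pending = {}   # (conn, op) -> uid value taken from the SRCH line
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            u = UID_RE.search(m['filter'])
            if u:
                pending[(m['conn'], m['op'])] = u.group(1)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m['conn'], m['op'])
            uid_value = pending.pop(key, None)
            n = int(m['n'])
            if uid_value is not None and UUID_RE.match(uid_value) and n == 0:
                findings.append(Finding(key[0], key[1], uid_value, n))
    return findings


if __name__ == "__main__":
    for f in find_uuid_uid_searches(SAMPLE_LOG):
        print(f"conn={f.conn} op={f.op}: uid filter value {f.uid_value!r} "
              f"looks like an entryUUID and matched {f.nentries} entries")
```

Run it against a real log with `find_uuid_uid_searches(open("/var/log/slapd.log").read())` (path assumed; slapd must log at the `stats` level for SRCH and SEARCH RESULT lines to appear). A hit means the client sent the internal identifier where the login attribute was expected, which is exactly what the report's failing `renewpassword` request shows.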