[Bug]: Nextcloud 31 LDAP Configuration Not Working On Nextcloud 32

[daveatpinellas]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

I have been cloning working Nextcloud 31 servers to version 32. The upgrade process mostly is going cleanly. However after upgrade LDAP throws errors about losing connection to ldap. Randomly pages will not load and report a ldap issue, and then after hitting reload of the page a few times it will finally work. However, if you reboot the server, LDAP is completely disabled and you cannot log in anymore. I then disable ldap on the command line and log in with the admin account, which continues to work. If I change LDAP from tcp/636 to tcp/389 it immediately works. My current theory is that the setting [x] Turn off SSL certificate validation might be root cause. We use this setting for our connections to LDAP.

Steps to reproduce

1. Upgrade working Nextcloud 31 server to 32 with LDAP configured to turn off ssl certificate validation
2. Immediately you see warnings in the logs and UI failures related to losing ldap connection

Expected behavior

LDAP should work :)

Nextcloud Server version

32

Operating system

RHEL/CentOS

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "davidlanding1"
        ],
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "default_phone_region": "US",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "32.0.0.13",
        "overwrite.cli.url": "https:\/\/davidlanding1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance_window_start": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "simpleSignUpLink.shown": false,
        "lost_password_link": "disabled",
        "trashbin_retention_obligation": "auto, 30",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "overwriteprotocol": "https",
        "maintenance": false,
        "loglevel": 0,
        "tempdirectory": "\/ncdata\/tmp"
    }
}

List of activated Apps

Enabled:
  - activity: 5.0.0-dev.0
  - bruteforcesettings: 5.0.0-dev.0
  - cloud_federation_api: 1.16.0
  - comments: 1.22.0
  - dav: 1.34.2
  - federatedfilesharing: 1.22.0
  - files: 2.4.0
  - files_accesscontrol: 3.0.0
  - files_automatedtagging: 3.0.0
  - files_downloadlimit: 5.0.0-dev.0
  - files_external: 1.24.0
  - files_reminders: 1.5.0
  - files_retention: 3.0.0
  - files_sharing: 1.24.0
  - files_trashbin: 1.22.0
  - files_versions: 1.25.0
  - impersonate: 3.0.0
  - logreader: 5.0.0-dev.0
  - lookup_server_connector: 1.20.0
  - notifications: 5.0.0-dev.0
  - oauth2: 1.20.0
  - photos: 5.0.0-dev.1
  - privacy: 4.0.0-dev.0
  - profile: 1.1.0
  - provisioning_api: 1.22.0
  - related_resources: 3.0.0-dev.0
  - serverinfo: 4.0.0-dev.0
  - settings: 1.15.1
  - sharebymail: 1.22.0
  - support: 4.0.0-dev.0
  - systemtags: 1.22.0
  - theming: 2.7.0
  - twofactor_backupcodes: 1.21.0
  - user_ldap: 1.23.0
  - viewer: 5.0.0-dev.0
  - webhook_listeners: 1.3.0
  - workflowengine: 2.14.0
Disabled:
  - admin_audit: 1.22.0
  - app_api: 32.0.0 (installed 32.0.0)
  - circles: 32.0.0 (installed 25.0.0)
  - contactsinteraction: 1.13.1 (installed 1.1.0)
  - dashboard: 7.12.0 (installed 7.0.0)
  - encryption: 2.20.0
  - federation: 1.22.0 (installed 1.20.0)
  - files_pdfviewer: 5.0.0-dev.0 (installed 2.0.1)
  - firstrunwizard: 5.0.0-dev.0 (installed 2.9.0)
  - nextcloud_announcements: 4.0.0-dev.0 (installed 1.9.0)
  - password_policy: 4.0.0-dev.0 (installed 1.10.1)
  - recommendations: 5.0.0-dev.0 (installed 0.8.0)
  - survey_client: 4.0.0-dev.0 (installed 1.8.0)
  - suspicious_login: 10.0.0-dev.0
  - text: 6.0.0-dev.0 (installed 3.6.0)
  - twofactor_nextcloud_notification: 6.0.0-dev.0
  - twofactor_totp: 14.0.0
  - updatenotification: 1.22.0 (installed 1.10.0)
  - user_status: 1.12.0 (installed 1.0.0)
  - weather_status: 1.12.0 (installed 1.0.0)

Nextcloud Signing status

Nextcloud Logs

{"reqId":"aN52KBhPVkJoldgFr2S90AAAAIc","level":3,"time":"2025-10-02T12:55:04+00:00","remoteAddr":"10.94.109.150","user":"XXXXXXXXXX","app":"index","method":"GET","url":"/nextcloud/index.php/apps/files/api/v1/stats","message":"Lost connection to LDAP server.","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36","version":"32.0.0.13","exception":{"Exception":"OC\\ServerNotAvailableException","Message":"Lost connection to LDAP server.","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":405,"function":"processLDAPError","class":"OCA\\User_LDAP\\LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":287,"function":"postFunctionCall","class":"OCA\\User_LDAP\\LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":44,"function":"invokeLDAPMethod","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":750,"function":"bind","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":644,"function":"bind","class":"OCA\\User_LDAP\\Connection","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":234,"function":"establishConnection","class":"OCA\\User_LDAP\\Connection","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":242,"function":"init","class":"OCA\\User_LDAP\\Connection","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":189,"function":"getConnectionResource","class":"OCA\\User_LDAP\\Connection","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_LDAP.php","line":275,"function":"readAttribute","class":"OCA\\User_LDAP\\Access","type":"->"},{"function":"userExistsOnLDAP","class":"OCA\\User_LDAP\\User_LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":66,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Proxy.php","line":153,"function":"walkBackends","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":202,"function":"handleRequest","class":"OCA\\User_LDAP\\Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":179,"function":"userExistsOnLDAP","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Manager.php","line":140,"function":"userExists","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":181,"function":"get","class":"OC\\User\\Manager","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_App.php","line":182,"function":"getUser","class":"OC\\User\\Session","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":250,"function":"getEnabledApps","class":"OC_App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1014,"function":"loadApps","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/index.php","line":25,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","Line":367,"message":"Lost connection to LDAP server.","exception":{},"CustomMessage":"Lost connection to LDAP server."}}

Additional info

No response

[szaimen]

Cc @come-nc @blizzz

[daveatpinellas]

Just to check one more thing, I used an IP of one of the servers in the ldap rotary and that failed as well on tcp/636. So it's not a host name lookup issue or an issue with using a rotary. It will just not connect with the setting to not check for valid certs.

I will try and generate certs for one of the servers and see if I can get that to work. That is just to assist with debugging and not how we want it deployed.

[hbree]

In my testing environment, I have set up LDAP without TLS/SSL and nextcloud is configured to use IP address to connect to LDAP server. Nextcloud is not working until I disable the LDAP plugin. So for me it look similar although not 100% the same as mentioned above

Can I do something or provide something to help resolving this issue?

[peacepenguin]

Same issue here. After upgrading to v32 LDAP breaks. Only fix is to use a proper, fully trusted, ldaps certificate, no matter the setting for "turnOffCertCheck". Or, to switch to non-encrypted ldap: url on port 389. I'm using Active Directory.

Seems like the bug is indeed related to the "turnOffCertCheck" function just no longer working.