
LDAP self password change not possible when cn contains space #7150

Closed
goddib opened this issue Nov 12, 2017 · 1 comment
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), feature: ldap

goddib commented Nov 12, 2017

Hello,

First off, I'm not sure if this is related to #7135 or not, but since the preconditions are different I decided to open a separate issue, to be merged if this is the same problem.

I have set up my nextcloud instance to work with LDAP. After long hours of configuration everything seems to finally work, except for the self password change by the user.

As an admin I can easily change a user password on the LDAP server in the nextcloud user list. However, if I try to do this as a user, I get the feedback "Wrong password" (I assume referring to the current password?) and the password is not changed.

Password change is successful when the additional login attribute uid is activated and the user uses that to log in, although it takes a very long time (especially compared to changing the user password from the admin view). Possibly connected to #3762? Also, whatever goes on here might actually explain the log entry (see below).

After some further testing my assumption is that nextcloud tries to change the password using the incorrect login attribute and thus does not succeed.

Steps to reproduce

Preconditions: Make sure the cn configured on your LDAP for your users is a value with a space (eg "Firstname Lastname")

  1. Configure nextcloud to use LDAP, including binding account and password change activated.
  2. Configure the single possible login attribute to be the cn
    (As an extra, I have also configured UUID=cn, which leads to nextcloud internally replacing the spaces of the cn with underscores; further tests have shown that this configuration is not necessary to reproduce the bug.)
  3. Reconfirm password change works by changing the password of an LDAP user as nextcloud admin user
  4. Login as that user and try to change password

Expected behaviour

Password change confirmation should appear and password should be changed on LDAP

Actual behaviour

Error message "Wrong password" and no change in password on LDAP server.

Server configuration

Operating system:
Debian 8.8

Web server:
Apache2

Database:
MySQL

PHP version:
5.6.30

Nextcloud version:
12.0.3

Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install

Where did you install Nextcloud from:
Turnkeylinux

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.5.2
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.6
  - comments: 1.2.0
  - contacts: 2.0.1
  - dav: 1.3.0
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - groupfolders: 1.1.0
  - keeweb: 0.4.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.7.4
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - ransomware_protection: 1.0.5
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - user_ldap: 1.2.1
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - rainloop
  - user_external
  - user_saml

Nextcloud configuration:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "XXXX",
            "XXXX"
        ],
        "datadirectory": "\/usr\/share\/nextcloud\/data",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbtype": "mysql",
        "version": "12.0.3.3",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "instanceid": "oc200x1ksm2a",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "app.mail.accounts.default": {
            "email": "%EMAIL%",
            "imapHost": "XXXX",
            "imapPort": 993,
            "imapSslMode": "ssl",
            "smtpHost": "XXXX",
            "smtpPort": 587,
            "smtpSslMode": "tls"
        },
        "mail_smtpmode": "php",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "nextcloud",
        "mail_domain": "XXXX"
    }
}

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                       |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                     |
| hasPagedResultSupport         |                                                                                                                       |
| homeFolderNamingRule          |                                                                                                                       |
| lastJpegPhotoLookup           | 0                                                                                                                     |
| ldapAgentName                 | cn=nextcloudsystem,dc=xx,dc=yy,dc=com                                                                  |
| ldapAgentPassword             | ***                                                                                                                   |
| ldapAttributesForGroupSearch  |                                                                                                                       |
| ldapAttributesForUserSearch   |                                                                                                                       |
| ldapBackupHost                |                                                                                                                       |
| ldapBackupPort                |                                                                                                                       |
| ldapBase                      | dc=xx,dc=yy,dc=com                                                                                                    |
| ldapBaseGroups                | ou=Groups,dc=xx,dc=yy,dc=com                                                                            |
| ldapBaseUsers                 | ou=Users,dc=xx,dc=yy,dc=com                                                                             |
| ldapCacheTTL                  | 600                                                                                                                   |
| ldapConfigurationActive       | 1                                                                                                                     |
| ldapDefaultPPolicyDN          |                                                                                                                       |
| ldapDynamicGroupMemberURL     |                                                                                                                       |
| ldapEmailAttribute            | mail                                                                                                                  |
| ldapExperiencedAdmin          | 0                                                                                                                     |
| ldapExpertUUIDGroupAttr       | cn                                                                                                                    |
| ldapExpertUUIDUserAttr        | cn                                                                                                                    |
| ldapExpertUsernameAttr        |                                                                                                                       |
| ldapGidNumber                 | gidNumber                                                                                                             |
| ldapGroupDisplayName          | cn                                                                                                                    |
| ldapGroupFilter               | (&(|(objectclass=groupOfNames))(|(cn=group1)(cn=group2)))                                                     |
| ldapGroupFilterGroups         | group1;group2                                                                                                         |
| ldapGroupFilterMode           | 0                                                                                                                     |
| ldapGroupFilterObjectclass    | groupOfNames                                                                                                          |
| ldapGroupMemberAssocAttr      | member                                                                                                                |
| ldapHost                      | ldaps://xx.yy.com                                                                                       |
| ldapIgnoreNamingRules         |                                                                                                                       |
| ldapLoginFilter               | (&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=group1,ou=Groups,dc=xx,dc=yy,dc=com)))(|(cn=%uid))) |
| ldapLoginFilterAttributes     | cn                                                                                                                    |
| ldapLoginFilterEmail          | 0                                                                                                                     |
| ldapLoginFilterMode           | 0                                                                                                                     |
| ldapLoginFilterUsername       | 0                                                                                                                     |
| ldapNestedGroups              | 0                                                                                                                     |
| ldapOverrideMainServer        |                                                                                                                       |
| ldapPagingSize                | 500                                                                                                                   |
| ldapPort                      | 636                                                                                                                   |
| ldapQuotaAttribute            |                                                                                                                       |
| ldapQuotaDefault              |                                                                                                                       |
| ldapTLS                       | 0                                                                                                                     |
| ldapUserDisplayName           | cn                                                                                                                    |
| ldapUserDisplayName2          |                                                                                                                       |
| ldapUserFilter                | (&(|(objectclass=inetOrgPerson))(|(memberof=cn=group1,ou=Groups,dc=xx,dc=yy,dc=com)))                |
| ldapUserFilterGroups          | nextcloud                                                                                                             |
| ldapUserFilterMode            | 0                                                                                                                     |
| ldapUserFilterObjectclass     | inetOrgPerson                                                                                                         |
| ldapUuidGroupAttribute        | auto                                                                                                                  |
| ldapUuidUserAttribute         | auto                                                                                                                  |
| turnOffCertCheck              | 0                                                                                                                     |
| turnOnPasswordChange          | 1                                                                                                                     |
| useMemberOfToDetectMembership | 1                                                                                                                     |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser:
Vivaldi 1.12.955.48

Operating system:
Win10

Logs

Nextcloud log (data/nextcloud.log)

Warning | core | Login failed: 'username' (Remote IP: 'xx.xx.xx.xx')
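The reporter's hypothesis above, that the password change is attempted with a login name which no longer matches the cn once its space has been replaced, can be modelled outside Nextcloud. The Python below is an added example written for this page, not Nextcloud's or the user_ldap app's code. It expands the ldapLoginFilter from the config table with RFC 4515 escaping of the login value, applies an assumed sanitisation rule (every character outside [a-zA-Z0-9_.@-] becomes an underscore, which reproduces the "Firstname_Lastname" the reporter describes but is not taken from Nextcloud's source), and checks which cn in a constructed two-entry directory the resulting (cn=...) assertion would match. The DIRECTORY_CNS entries, the cn_assertion helper and the lookup function are illustrative assumptions.

```python
import re

# ldapLoginFilter copied from the issue's LDAP config; "%uid" is the
# placeholder that the login name typed by the user is substituted into.
LOGIN_FILTER = (
    "(&(&(|(objectclass=inetOrgPerson))"
    "(|(memberof=cn=group1,ou=Groups,dc=xx,dc=yy,dc=com)))"
    "(|(cn=%uid)))"
)

# RFC 4515 escaping for assertion values: a space is not special and is kept,
# while the characters that would change the filter's structure are hex-escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before splicing it into an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login_name, template=LOGIN_FILTER):
    """Expand %uid the way a login filter is expanded, with escaping applied."""
    return template.replace("%uid", escape_filter_value(login_name))


def to_internal_username(attr_value):
    """Assumed model (not Nextcloud's code) of the internal-username
    sanitisation the reporter observed: anything outside [a-zA-Z0-9_.@-]
    becomes an underscore, so "Firstname Lastname" -> "Firstname_Lastname"."""
    return re.sub(r"[^a-zA-Z0-9_.@-]", "_", attr_value)


def cn_assertion(filter_string):
    """Return the unescaped value asserted by the first (cn=...) clause,
    or None if the filter has no such clause."""
    m = re.search(r"\(cn=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)", filter_string)
    if m is None:
        return None
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda h: chr(int(h.group(1), 16)), m.group(1))


# Constructed sample directory: the cn values of two entries under ou=Users.
DIRECTORY_CNS = ("Firstname Lastname", "jdoe")


def lookup(login_name, directory=DIRECTORY_CNS):
    """Which entry would the expanded login filter's cn clause match?
    Only the cn clause is evaluated here; cn is compared case-insensitively
    because its equality rule is case-ignoring. Returns None on no match."""
    wanted = cn_assertion(build_login_filter(login_name))
    if wanted is None:
        return None
    for cn in directory:
        if cn.lower() == wanted.lower():
            return cn
    return None


if __name__ == "__main__":
    typed = "Firstname Lastname"
    print(build_login_filter(typed))            # the space survives escaping
    print(lookup(typed))                        # Firstname Lastname
    print(lookup(to_internal_username(typed)))  # None
    print(build_login_filter("*"))              # wildcard arrives as \2a
```

The two checks worth keeping from this: a login name with a space expands to (cn=Firstname Lastname) and matches, whereas the sanitised form "Firstname_Lastname" matches nothing, which is the mismatch the report describes; and a typed "*" is escaped to \2a, so it matches no entry instead of turning the clause into (cn=*), which is the check to make wherever a user-typed value is spliced into a filter.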
juliushaertl added the labels "0. Needs triage" and "feature: ldap" on Nov 12, 2017
MorrisJobke (Member) commented:

First off, I'm not sure if this is related to #7135 or not, but since the preconditions are different I decided to open a separate issue, to be merged if this is the same problem.

Looks like the same issue - let's continue in #7135
