LDAP user auth failing, sync succeeds though


#1

Basically I’ve configured LDAP to query an AD environment. Groups and users are syncing fine.

Unfortunately, users are unable to login using their AD credentials. The web UI reports an incorrect password (or perhaps user combination?).

User search for sharing also fails, but groups can be found. This may be related or not.

Any help would be appreciated.

All of the required info is below…

Steps to reproduce

  1. Install owncloud
  2. Configure LDAP, test along the way from web gui
  3. Attempt to login with LDAP user

Expected behaviour

Successful login with LDAP credentials

Actual behaviour

Web UI reports password is incorrect

Server configuration

Operating system:
3.10.0-862.14.4.el7.x86_64 (CentOS 7)

Web server:
nginx/1.14.0

Database:
MariaDB 10.3

PHP version:
php-fpm 7.2

ownCloud version: (see ownCloud admin page)
10.0.10.4

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
yum package

Signing status (ownCloud 9.0 and above):
Nothing showing invalid. Only app installed in LDAP.

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

No errors have been found.

The content of config/config.php:

# ./occ config:list system
{
    "system": {
        "updatechecker": false,
        "instanceid": "ocvqm71yi4br",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "owncloud-impelling",
            "files.impelling.work"
        ],
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/var\/run\/redis\/redis.sock",
            "port": 0
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "datadirectory": "\/data",
        "overwrite.cli.url": "https:\/\/files.impelling.work",
        "dbtype": "mysql",
        "version": "10.0.10.4",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "allow_user_to_change_display_name": true,
        "ldapIgnoreNamingRules": false
    }
}

List of activated apps:

$ ./occ app:list
Enabled:
  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.4.0
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.1
  - files_external: 0.7.1
  - files_sharing: 0.11.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - market: 0.2.5
  - notifications: 0.3.5
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - updatenotification: 0.2.1
  - user_ldap: 0.11.0
Disabled:
  - encryption
  - external

Are you using external storage, if yes which one: local/smb/sftp/…
No - local disk

Are you using encryption: yes/no
No

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
LDAP

LDAP configuration (delete this part if not used)

./occ ldap:show-config
+-------------------------------+----------------------------------------------------------------------------------------------------------+
| Configuration                 | s01                                                                                                      |
+-------------------------------+----------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                        |
| hasPagedResultSupport         |                                                                                                          |
| homeFolderNamingRule          |                                                                                                          |
| lastJpegPhotoLookup           | 0                                                                                                        |
| ldapAgentName                 | cn=owncloud,ou=service accounts,ou=users,ou=nothing2ccs,DC=cs,DC=nothing2c                               |
| ldapAgentPassword             | ***                                                                                                      |
| ldapAttributesForGroupSearch  | cn                                                                                                       |
| ldapAttributesForUserSearch   | cn;samaccountname;displayname;givenname                                                                  |
| ldapBackupHost                |                                                                                                          |
| ldapBackupPort                |                                                                                                          |
| ldapBase                      | ou=nothing2ccs,DC=cs,DC=nothing2c                                                                        |
| ldapBaseGroups                | ou=owncloud,ou=groups,ou=nothing2ccs,DC=cs,DC=nothing2c                                                  |
| ldapBaseUsers                 | OU=staff,OU=Users,OU=nothing2cCS,DC=cs,DC=nothing2c;OU=admins,OU=Users,OU=nothing2cCS,DC=cs,DC=nothing2c |
| ldapCacheTTL                  | 300                                                                                                      |
| ldapConfigurationActive       | 1                                                                                                        |
| ldapDynamicGroupMemberURL     |                                                                                                          |
| ldapEmailAttribute            |                                                                                                          |
| ldapExperiencedAdmin          | 0                                                                                                        |
| ldapExpertUUIDGroupAttr       |                                                                                                          |
| ldapExpertUUIDUserAttr        | objectguid                                                                                               |
| ldapExpertUsernameAttr        | samaccountname                                                                                           |
| ldapGroupDisplayName          | cn                                                                                                       |
| ldapGroupFilter               | (&(|(objectclass=group)))                                                                                |
| ldapGroupFilterGroups         |                                                                                                          |
| ldapGroupFilterMode           | 0                                                                                                        |
| ldapGroupFilterObjectclass    | group                                                                                                    |
| ldapGroupMemberAssocAttr      | member                                                                                                   |
| ldapHost                      | 10.220.220.253                                                                                           |
| ldapIgnoreNamingRules         |                                                                                                          |
| ldapLoginFilter               | (&(&(|(objectclass=user)))(|(sAMAccountName=%uid)))                                                      |
| ldapLoginFilterAttributes     | sAMAccountName                                                                                           |
| ldapLoginFilterEmail          | 0                                                                                                        |
| ldapLoginFilterMode           | 0                                                                                                        |
| ldapLoginFilterUsername       | 0                                                                                                        |
| ldapNestedGroups              | 1                                                                                                        |
| ldapOverrideMainServer        |                                                                                                          |
| ldapPagingSize                | 2000                                                                                                     |
| ldapPort                      | 389                                                                                                      |
| ldapQuotaAttribute            |                                                                                                          |
| ldapQuotaDefault              |                                                                                                          |
| ldapTLS                       | 0                                                                                                        |
| ldapUserDisplayName           | displayname                                                                                              |
| ldapUserDisplayName2          | samaccountname                                                                                           |
| ldapUserFilter                | (&(|(objectclass=user)))                                                                                 |
| ldapUserFilterGroups          |                                                                                                          |
| ldapUserFilterMode            | 0                                                                                                        |
| ldapUserFilterObjectclass     | user                                                                                                     |
| ldapUuidGroupAttribute        | auto                                                                                                     |
| ldapUuidUserAttribute         | auto                                                                                                     |
| turnOffCertCheck              | 0                                                                                                        |
| useMemberOfToDetectMembership | 1                                                                                                        |
+-------------------------------+----------------------------------------------------------------------------------------------------------+

Client configuration

Firefox 63.0b3

Operating system:
Windows 10 1803

Logs

Web server error log

1.2.3.4 - - [09/Oct/2018:18:57:33 +0100] "POST /login?user=username-removed HTTP/2.0" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0" "-"
1.2.3.4 - - [09/Oct/2018:18:57:34 +0100] "GET /login?user=username-removed HTTP/2.0" 200 10497 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0" "-"
1.2.3.4 - - [09/Oct/2018:18:57:34 +0100] "GET /core/js/oc.js?v=70b35359928ff3e767d6be3c60b3a615 HTTP/2.0" 200 2616 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0" "-"

ownCloud log (data/owncloud.log)

{"reqId":"jAPQPMyvRKYlMiDK1jZu","level":2,"time":"2018-10-09T17:19:51+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"POST","url":"\/login?user=username-removed","message":"Login failed: 'username-removed' (Remote IP: '1.2.3.4')"}
{"reqId":"rA5W93Vc4g20kb9QmFBM","level":2,"time":"2018-10-09T17:25:15+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"POST","url":"\/login?user=username-removed","message":"Login failed: 'username-removed' (Remote IP: '1.2.3.4')"}
{"reqId":"ODAzWiVReYlqWHYvfL8w","level":2,"time":"2018-10-09T17:31:00+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"POST","url":"\/login?user=username-removed","message":"Login failed: 'username-removed' (Remote IP: '1.2.3.4')"}

#2

Hey,

Unfortunately I don’t have any experience with LDAP. But from time to time I have read something about a shell command via occ which is required to sync new users so that they are able to login.


#3

Hey Tom

Thanks for this. I did already try the command below without success:
./occ user:sync "OCA\User_LDAP\User_Proxy"

Any other ideas?


#4

Hey,

Ah yes. This was exactly the command I have seen in the past in other posts.

Unfortunately I don’t use/know LDAP so I’m not much of a help anymore. Hope that someone else with LDAP knowledge is reading this thread and can provide an answer.


#5

In the LDAP section of the settings, under the Login Attributes tab, I have selected both check boxes for “LDAP / AD Username”, “LDAP / AD Email Address” and under the “Other Attributes” drop down, I have added “userPrincipalName”. I believe this last option helped me get things working reliably at my end.


#6

Thanks @aclemence

I’ll give that a try in about an hour.


#7

Hi again

Cheers but I’ve had no joy with that approach. I’ve done 2 more things:

  1. Modified the Login attributes to be
(&(&(|(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(userPrincipalName=%uid))))
  2. Modified the Expert tab to set:
Internal Username Attribute: mail
UUID for Users and Groups: blank

After this, I’ve cleared the username and groupname LDAP mapping and resync’d via command line. The resync also removed old users to create new ones.

The new users have the email LDAP field for the Internal Username as expected.

Login still fails via the web GUI, citing incorrect password (or username). I’ve tried both the sAMAccountName and mail LDAP attributes for the username and a known AD password without success.

Any other ideas from the community?


#8

Question: what exactly are you entering when failing to login?

In the expert tab, you need to enter samAccountName for the Internal Username attribute.

https://doc.owncloud.com/server/10.0/admin_manual/configuration/user/user_auth_ldap.html?highlight=ldap#expert-settings


#9

Thanks Dmitry

I have previously tried this, but for the sake of my own sanity I’ve tried it again. After including the sAMAccountName attribute for the Internal Username, I resync’d users with LDAP and removed the old accounts. As expected the list of users is now based on the sAMAccountName instead of email that I had set before, however logins still fail.

Testing has been done with my own personal AD account and with another colleague. Both use AD daily and are 100% sure of passwords.

The username entered is an exact match of the sAMAccountName attribute.

I’m still struggling. Any other suggestions or info I can provide to help debug?


#10

Okay, as I am starting from the middle of the issue here, can you restart?

Delete the LDAP configuration in the ownCloud LDAP settings app.

Just click next to the server address on the top and click the trash bin.

Then configure this anew, and set samaccountname for the internal username. Do not change anything else. ownCloud is pretty good at detecting the right configuration.

When executing the sync command, choose remove:

occ user:sync "OCA\User_LDAP\User_Proxy"


#11

I’ve done that and still having no joy.

Below is the only info I can find about the failure…

{"reqId":"syrgL3YPN0nV8RuFNW5D","level":3,"time":"2018-10-10T09:10:40+00:00","remoteAddr":"1.2.3.4","user":"--","app":"user_ldap","method":"POST","url":"\/login?user=username-here","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on local.domain:389","Code":0,"Trace":"#0 /var/www/html/owncloud/apps/user_ldap/lib/User_LDAP.php(140): OCA\User_LDAP\User\Manager->getLDAPUserByLoginName('username-here')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/html/owncloud/apps/user_ldap/lib/User_Proxy.php(75): call_user_func_array(Array, Array)
#3 /var/www/html/owncloud/apps/user_ldap/lib/Proxy.php(145): OCA\User_LDAP\User_Proxy->walkBackends('username-here', 'checkPassword', Array)
#4 /var/www/html/owncloud/apps/user_ldap/lib/User_Proxy.php(180): OCA\User_LDAP\Proxy->handleRequest('username-here', 'checkPassword', Array)
#5 /var/www/html/owncloud/lib/private/User/Manager.php(252): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/html/owncloud/lib/private/User/Session.php(521): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 /var/www/html/owncloud/lib/private/User/Session.php(333): OC\User\Session->loginWithPassword(*** sensitive parameters replaced ***)
#8 /var/www/html/owncloud/core/Controller/LoginController.php(203): OC\User\Session->login(*** sensitive parameters replaced ***)
#9 /var/www/html/owncloud/lib/private/AppFramework/Http/Dispatcher.php(153): OC\Core\Controller\LoginController->tryLogin(*** sensitive parameters replaced ***)
#10 /var/www/html/owncloud/lib/private/AppFramework/Http/Dispatcher.php(85): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#11 /var/www/html/owncloud/lib/private/AppFramework/App.php(100): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#12 /var/www/html/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#13 /var/www/html/owncloud/lib/private/Route/Router.php(342): OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#14 /var/www/html/owncloud/lib/base.php(909): OC\Route\Router->match('/login')
#15 /var/www/html/owncloud/index.php(54): OC::handleRequest()
#16 {main}","File":"/var/www/html/owncloud/apps/user_ldap/lib/User/Manager.php","Line":423}"}
{"reqId":"syrgL3YPN0nV8RuFNW5D","level":2,"time":"2018-10-10T09:10:40+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"POST","url":"\/login?user=username-here","message":"Login failed: 'username-here' (Remote IP: '1.2.3.4')"}

#12

Please ignore the trace in my previous post. This was due to a slight error in selecting the Base User Tree options. I’ve corrected that now and the trace no longer exists when login attempts are made.


#13

@dmitry is there any more info that you need from me to troubleshoot?


#14

This is all very strange.

So as I understand you have connection to the LDAP server, right?

It’s an OpenLDAP server.

You can see the users and groups with ldapsearch but you can’t login?


#15

In the interest of helping others who might have similar troubles, here is the content of our private chat caused by the new user limits in Discourse…

WISPa:

I’ve reached my limit in Discourse, so I have to wait 2 hours. I was trying to reply with:

Almost.

Yes I have a connection to LDAP, but it’s MS AD running on Server 2016. Users and Groups, along with their relationships are correctly syncing with Owncloud.

If I modify the Internal User Attribute, remove mappings and resync I can see that attribute change in the resulting users.

With all of this, I’m currently unable to login using AD passwords, where usernames entered are either the sAMAccountName or the mail field from LDAP.

dmitry:

That is very strange.

So you followed my suggestion and deleted the ldap server configuration and created a new one right?

and still you can’t log in.

Can you send me the login filter you are using?

WISPa:

Yes, started from a clean setup. I did include 2 user bases though, for staff and admins else many service accounts would be included.

login filter is:

(&(&(|(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))

and for completeness…

User filter: (&(|(objectclass=person)(objectclass=user)))
Group filter: (&(|(objectclass=group)))
Base user tree:

OU=Staff,OU=Users,OU=companyCS,DC=cs,DC=company
OU=Admins,OU=Users,OU=companyCS,DC=cs,DC=company

Base group tree: OU=Owncloud,OU=Groups,OU=companyCS,DC=cs,DC=company

And again - I can’t reply, and I can’t open a new thread now. I’m all out of options so I’m editing this in the hope you might spot it!

In answer to your comment…

With just 1 user base the issue remains the same.

The owncloud OU was created purely to manage file access. Users exist in the 2 user base OUs and are added to the Owncloud OU as a secondary or greater OU / group.

dmitry:

Can you try with just one user base?

Also I think I suspect a nested group issue here.

Are the users that are in the ownCloud OU just in the ownCloud OU or are they in many different groups?

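As an added worked example (not ownCloud's own code; the directory entries and names are constructed), this takes the login filter quoted in this post, substitutes %uid with RFC 4515 escaping the way a backend must before searching, and evaluates it against made-up AD-style entries to show which login names resolve to exactly one DN for the subsequent bind. It also runs the user and group filters from the post, which shows why a service account in the user tree is picked up unless the base DN excludes it:

```python
import re

# Filters quoted in this post; %uid is replaced with the name typed at login.
LOGIN_FILTER = "(&(&(|(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
USER_FILTER = "(&(|(objectclass=person)(objectclass=user)))"
GROUP_FILTER = "(&(|(objectclass=group)))"

# Constructed AD-like entries (not real data); attribute names are kept
# lower-case because LDAP attribute names are case-insensitive.
ENTRIES = {
    "CN=Jane Doe,OU=Staff,OU=Users,OU=companyCS,DC=cs,DC=company": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["jdoe"],
        "mail": ["jane.doe@cs.company"],
    },
    "CN=owncloud,OU=Service Accounts,OU=Users,OU=companyCS,DC=cs,DC=company": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["owncloud"],
    },
    "CN=Owncloud Staff,OU=Owncloud,OU=Groups,OU=companyCS,DC=cs,DC=company": {
        "objectclass": ["top", "group"],
        "cn": ["Owncloud Staff"],
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: * ( ) \\ and NUL become \\XX, so the login name is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render_login_filter(template: str, login_name: str) -> str:
    return template.replace("%uid", escape_filter_value(login_name))

def parse_filter(text: str, pos: int = 0):
    """Tiny recursive-descent parser for &, |, ! and equality/presence items.
    Returns (node, next_pos); node is (op, [children]) or ('=', attr, raw_value)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)  # safe: a ')' inside a value is escaped as \29
    attr, raw = text[pos:end].split("=", 1)
    return ("=", attr.lower(), raw), end + 1

def matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":  # presence test only when the '*' was not escaped
        return bool(values)
    wanted = unescape_filter_value(raw).lower()  # AD string attrs compare case-insensitively
    return any(v.lower() == wanted for v in values)

def search(filter_text: str) -> list:
    """DNs of the constructed entries matching the filter (no base-DN scoping here)."""
    node, _ = parse_filter(filter_text)
    return [dn for dn, entry in ENTRIES.items() if matches(node, entry)]

def find_login_dn(login_name: str):
    """DN the backend would bind as for this login name, or None unless exactly one entry matches."""
    hits = search(render_login_filter(LOGIN_FILTER, login_name))
    return hits[0] if len(hits) == 1 else None
```

A login name that yields zero or several hits is exactly the "No user available for the given login name" situation: the bind is never attempted, so badPwdCount on the account does not change; when it does increment, the search succeeded and the credentials reached AD.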

#16

And to answer…

With just one user base the results remain unchanged.

But then things get stranger. If I duplicate an existing user in AD (obviously maintaining group memberships, OU etc), append 1 to the username, and set the password the same I can successfully login.

I have also noticed that when I attempt to login with the existing username, the LDAP attribute badPwdCount increments once or twice.

So next up, I double-checked that the users weren’t locked out in AD and forced the Unlock option on them. Retried and still failed.

As a last resort, I reset the user passwords for the 2 accounts I knew in AD to the exact same passwords again. Retried, and what do you know, it worked!

I have no idea why this worked. I still have 2 user base trees, and still have nested groups enabled.

Tomorrow I’ll test fully with other users, but for now please assume this is resolved.

Thanks @dmitry for your help today, and sorry for sending private messages. If I hadn’t gone off trying to help others around the forum I wouldn’t have hit the limit - perhaps this limit could be increased or the limits made clearer to new users?


#17

Glad that you are on the track to find the core of the issue.

About the limitation for new users - I suppose it’s because of spammers.

You surely don’t want to read spam messages while you are looking for the solution to your problem.

With the current new user limitation I suppose it’s difficult for a spammer to do much damage before he has to create a new account.

I think you can only reply in the same topic 3 times, but you can edit your post. This is kind of a workaround to this.


#18

Thanks dmitry

I understand the limitation is to prevent spammers, but I think equally there could be a method by which to bypass that - perhaps by demonstrating to admins that you’ve added value. My own personal case was made worse by the fact I had gone elsewhere to assist others. Anyway, I’m free now. Woop!

I can confirm that the same issue of passwords needing a reset exists for all AD users, which I’m struggling to make sense of. Obviously OC is eventually capable of the authentication against AD’s LDAP, but I don’t understand what could possibly cause the need for an initial AD password reset before first OC login.

Any ideas?


#19

You are correct. If a user shows high activity in helping others he should be rewarded in raising him above a new user.

On the topic of LDAP, I don’t really know. It’s a very strange behavior, because it seems that even if you type in the right password, the LDAP “wrong password meter” goes up. Also I suppose the user gets locked out of the LDAP eventually.