Steps to reproduce
- Log into the locally hosted ownCloud using a bad password.
- ownCloud attempts to authenticate against AD 3 times per LDAP server configuration.
- Account locked due to AD policy locking accounts after 5 failed attempts.
Server configuration
Operating system
Ubuntu 24.04
Web server:
Apache2
Database:
MySQL
PHP version:
7.4.3
ownCloud version: (see ownCloud admin page)
10.15.2.0
Updated from an older ownCloud or fresh install:
Updated
Where did you install ownCloud from:
ownCloud repos
Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.
No errors found.
The content of config/config.php:
Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.
or
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder
*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both the generated report from the web UI and the output of occ config:list
consistently remove sensitive data. You may still want to review the report before sending.
If done manually, it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers will find such information and use it against your systems.
{
    "system": {
        "instanceid": "oc3j47462vsz",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "REMOVED SENSITIVE VALUE",
            "REMOVED SENSITIVE VALUE"
        ],
        "datadirectory": "/opt/owncloud/data",
        "overwrite.cli.url": "REMOVED SENSITIVE VALUE",
        "maintenance": false,
        "dbtype": "mysql",
        "version": "10.15.2.0",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "UTC",
        "installed": true,
        "session_lifetime": 900,
        "session_keepalive": false,
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_smtpport": "587",
        "mail_smtptimeout": 30,
        "mail_smtpsecure": "tls",
        "upgrade.automatic-app-update": true,
        "memcache.locking": "\OC\Memcache\Redis",
        "memcache.local": "\OC\Memcache\Redis",
        "redis": {
            "host": "/var/run/redis/redis-server.sock",
            "port": 0
        },
        "ldapIgnoreNamingRules": false,
        "trashbin_retention_obligation": "auto,3",
        "logfile": "/var/log/owncloud.log",
        "loglevel": 0,
        "log_rotate_size": 104857600,
        "integrity.excluded.files": [
            "js/files.js"
        ],
        "integrity.ignore.missing.app.signature": [
            "REMOVED SENSITIVE VALUE"
        ],
        "allow_user_to_change_mail_address": "",
        "apps_paths": [
            {
                "path": "/var/www/owncloud/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/owncloud/apps-external",
                "url": "/apps-external",
                "writable": true
            }
        ]
    }
}
List of activated apps:
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.
Enabled:
  - activity:
    - Version: 2.7.2
    - Path: /var/www/owncloud/apps/activity
  - brute_force_protection:
    - Version: 1.3.0
    - Path: /var/www/owncloud/apps-external/brute_force_protection
  - comments:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/comments
  - configreport:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/configreport
  - dav:
    - Version: 0.7.0
    - Path: /var/www/owncloud/apps/dav
  - diagnostics:
    - Version: 0.2.1
    - Path: /var/www/owncloud/apps/diagnostics
  - duo:
    - Version: 2.5.2
    - Path: /var/www/owncloud/apps-external/duo
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/www/owncloud/apps/federation
  - files:
    - Version: 1.6.0
    - Path: /var/www/owncloud/apps/files
  - files_external:
    - Version: 0.9.0
    - Path: /var/www/owncloud/apps/files_external
  - files_mediaviewer:
    - Version: 1.0.5
    - Path: /var/www/owncloud/apps/files_mediaviewer
  - files_pdfviewer:
    - Version: 1.0.2
    - Path: /var/www/owncloud/apps/files_pdfviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/www/owncloud/apps/files_sharing
  - files_texteditor:
    - Version: 2.6.1
    - Path: /var/www/owncloud/apps/files_texteditor
  - files_trashbin:
    - Version: 0.9.1
    - Path: /var/www/owncloud/apps/files_trashbin
  - files_versions:
    - Version: 1.3.0
    - Path: /var/www/owncloud/apps/files_versions
  - market:
    - Version: 0.9.0
    - Path: /var/www/owncloud/apps/market
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/provisioning_api
  - systemtags:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/systemtags
  - updatenotification:
    - Version: 0.2.1
    - Path: /var/www/owncloud/apps/updatenotification
  - user_ldap:
    - Version: 0.19.1
    - Path: /var/www/owncloud/apps/user_ldap
Are you using external storage, if yes which one: local/smb/sftp/…
No
Are you using encryption: yes/no
Yes. Backend.
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
LDAP/Active Directory
LDAP configuration (delete this part if not used)
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | ***REMOVED SENSITIVE VALUE*** |
| ldapAgentPassword | ***REMOVED SENSITIVE VALUE*** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | ldaps://***REMOVED SENSITIVE VALUE*** |
| ldapBackupPort | 636 |
| ldapBase | ***REMOVED SENSITIVE VALUE*** |
| ldapBaseGroups | ***REMOVED SENSITIVE VALUE*** |
| ldapBaseUsers | ***REMOVED SENSITIVE VALUE*** |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertGroupnameAttr | cn |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | objectguid |
| ldapExpertUsernameAttr | sAMAccountName |
| ldapExposedAttributesForUser | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAlgo | groupScan |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldaps://***REMOVED SENSITIVE VALUE*** |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=person))(|(|(***REMOVED SENSITIVE VALUE***)(primaryGroupID=513))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapNetworkTimeout | 2 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 636 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectClass=person)(***REMOVED SENSITIVE VALUE***)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | person |
| ldapUserName | samaccountname |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------+
Client configuration
Browser:
Edge/Chrome
Operating system:
Windows 11
Hello everyone! I am reaching out because our ownCloud instance for some reason is attempting to authenticate against Active Directory 3 times for each LDAP server configuration, aka 6 times if I have 2 LDAP servers configured. When an individual puts in a wrong password, this causes their account to get locked due to our domain policy of locking accounts after 5 failed attempts.
Why is ownCloud attempting to authenticate 3 times per LDAP server, and is there any way I can force it to only attempt to authenticate once?
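A check an administrator can run against the lockout amplification described in the steps to reproduce, added here as an example; it is not code from the ownCloud project. It reads ownCloud's JSON-lines log (the /var/log/owncloud.log from the config report above), counts failed logins per user within a time window, and multiplies by the bind attempts per login the report observed (3 per server, 2 servers) to estimate how far each account has been pushed toward the AD lockout threshold of 5. The sample log lines are constructed; the assumptions that a failed web login is written by app "core" as "Login failed: '<user>' (Remote IP: '<ip>')" and that a 30-minute observation window applies are mine and not stated on the page.

```python
"""Estimate how close ownCloud login failures push AD accounts to lockout.

Added example, not ownCloud code. Assumes ownCloud 10's JSON-lines log with the
fields "time", "level", "app", "user", "remoteAddr", "message", and that a failed
web login is logged by app "core" as "Login failed: '<user>' (Remote IP: '<ip>')".
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed message format of a failed web login in owncloud.log.
LOGIN_FAILED = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)")

# Values from the report: 3 binds per LDAP server, 2 servers, AD locks at 5 bad passwords.
BINDS_PER_SERVER = 3
LDAP_SERVERS = 2
AD_LOCKOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=30)  # assumed AD observation window (not given on the page)

# Constructed sample log: two quick failures for jdoe, one unrelated request, one failure hours later.
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2024-05-01T09:00:00+00:00","remoteAddr":"10.0.0.5","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: 'jdoe' (Remote IP: '10.0.0.5')"}
{"reqId":"a2","level":0,"time":"2024-05-01T09:00:01+00:00","remoteAddr":"10.0.0.5","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed"}
{"reqId":"a3","level":2,"time":"2024-05-01T09:00:40+00:00","remoteAddr":"10.0.0.5","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: 'jdoe' (Remote IP: '10.0.0.5')"}
{"reqId":"a4","level":1,"time":"2024-05-01T09:01:00+00:00","remoteAddr":"10.0.0.9","user":"asmith","app":"files","method":"GET","url":"/index.php/apps/files","message":"ok"}
{"reqId":"a5","level":2,"time":"2024-05-01T11:00:00+00:00","remoteAddr":"10.0.0.7","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: 'jdoe' (Remote IP: '10.0.0.7')"}
"""


def parse_login_failures(log_text):
    """Yield (timestamp, user, ip) for every core login failure in the JSON-lines log."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated or non-JSON line rather than abort the scan
        if entry.get("app") != "core":
            continue
        match = LOGIN_FAILED.search(entry.get("message", ""))
        if not match:
            continue
        yield datetime.fromisoformat(entry["time"]), match.group("user"), match.group("ip")


def estimate_ad_bad_passwords(failures, binds_per_attempt, window):
    """Return {user: peak estimated AD bad-password count within any single window}.

    Each failed ownCloud login costs binds_per_attempt increments of the AD counter,
    so the peak number of failures in a window is multiplied by that factor.
    """
    by_user = defaultdict(list)
    for ts, user, _ip in failures:
        by_user[user].append(ts)
    peak = {}
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peak[user] = best * binds_per_attempt
    return peak


def users_at_risk(log_text, binds_per_attempt=BINDS_PER_SERVER * LDAP_SERVERS,
                  threshold=AD_LOCKOUT_THRESHOLD, window=WINDOW):
    """Users whose estimated AD counter reaches the lockout threshold within one window."""
    peak = estimate_ad_bad_passwords(parse_login_failures(log_text), binds_per_attempt, window)
    return {user: count for user, count in peak.items() if count >= threshold}


if __name__ == "__main__":
    print("with 3 binds x 2 servers per attempt:", users_at_risk(SAMPLE_LOG))
    print("with a single bind per attempt:      ", users_at_risk(SAMPLE_LOG, binds_per_attempt=1))
```

Run against the constructed log, jdoe's two failures within a minute become an estimated 12 bad-password increments, past the threshold of 5, while the same two failures with one bind per attempt stay at 2 and would not lock the account. Pointing the script at the real log shows which accounts the amplification will lock before the help-desk tickets arrive.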