Our ownCloud instance is running behind a WAF (Sophos UTM). As an added layer of security we were using the reverse authentication feature of the firewall.
When upgrading the OS from Debian 9 to 10, ownCloud got upgraded from 9.1 to 10.3 as well.
The user logs in on the login page provided by the WAF. The login details are getting passed to the ownCloud webserver via basic auth. ownCloud logs the user in and returns the requested page.
The user logs in on the login page provided by the WAF. The login details are getting passed to the webserver via basic auth. ownCloud ignores them and requests that the user log in on the ownCloud login page.
As a workaround we have disabled reverse authentication from the WAF.
Both are using the same LDAP server to validate the login details.
Debian 10 Buster
Updated from 7.0 together with ownCloud and the OS.
Updated from an older ownCloud or fresh install:
Updated from 9.1
Where did you install ownCloud from:
Initial installation (as far as I can tell) and upgrade has been done via APT.
Are you using encryption: yes/no
No. The WAF handles HTTPS.
Nothing that points to an authentication error in the ownCloud and in the Apache error log.
Only token refresh messages in owncloud.log.
Has there been an update that changed the way ownCloud handles logins? I didn't find anything that could be connected to my issue in the changelogs.