
Slow login after change ldap password #3762

Closed
samuelallan72 opened this issue Mar 7, 2017 · 11 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement feature: ldap security

Comments

@samuelallan72

Steps to reproduce

  1. enable ldap users in nextcloud
  2. change an ldap user's password externally
  3. discover that logins now take forever

Expected behaviour

Changing an ldap user's password should only affect nextcloud in that you need to login with your new password.

Actual behaviour

The new password is accepted, but login to the web interface takes ~30 seconds, and other apps such as the desktop sync client or mobile apps error out with timeouts.

Currently the desktop sync client is showing "No connection to Nextcloud at . Operation cancelled."

Server configuration

Operating system: Archlinux

Web server: Nginx

Database: MariaDB

PHP version: 7.1.1

Nextcloud version: 11.0.2

Updated from an older Nextcloud/ownCloud or fresh install: Updated from 11.0.1 (which in turn was updated from 11.0.0)

Where did you install Nextcloud from:

Signing status:

No errors have been found

List of activated apps:

App list
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - announcementcenter: 3.0.0
  - audioplayer: 1.4.1
  - bookmarks: 0.9.1
  - calendar: 1.5.1
  - comments: 1.1.0
  - contacts: 1.5.3
  - dav: 1.1.1
  - external: true
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_accesscontrol: 1.1.2
  - files_external: 1.1.2
  - files_markdown: 1.0.1
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - keeweb: 0.3.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - news: 10.1.0
  - nextcloud_announcements: 1.0
  - notes: 2.2.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.5
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_external: 0.4
  - user_ldap: 1.1.2
  - workflowengine: 1.1.1
Disabled:
  - direct_menu
  - encryption
  - files_automatedtagging
  - files_retention
  - richdocuments
  - templateeditor
  - user_saml

(however, it was slow even after updating to 11.0.2, where it automatically disables all extra apps)

The content of config/config.php:

Config report
{
    "system": {
        "instanceid": "oc9jp25ikolt",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "REDACTED"
        ],
        "datadirectory": "\/mnt\/storage1\/data\/nextcloud-data",
        "overwrite.cli.url": "REDACTED",
        "dbtype": "mysql",
        "version": "11.0.2.7",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "appstoreenabled": true,
        "appstoreurl": "https:\/\/apps.nextcloud.com\/api\/v0",
        "appstore.experimental.enabled": true,
        "maintenance": false,
        "mail_smtpmode": "sendmail",
        "mail_from_address": "nextcloud",
        "mail_domain": "REDACTED",
        "auth.bruteforce.protection.enabled": true,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: smb

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+------------------------------------------------+
| Configuration                 |                                                |
+-------------------------------+------------------------------------------------+
| hasMemberOfFilterSupport      |                                                |
| hasPagedResultSupport         |                                                |
| homeFolderNamingRule          |                                                |
| lastJpegPhotoLookup           | 0                                              |
| ldapAgentName                 |                                                |
| ldapAgentPassword             | ***                                            |
| ldapAttributesForGroupSearch  |                                                |
| ldapAttributesForUserSearch   |                                                |
| ldapBackupHost                |                                                |
| ldapBackupPort                |                                                |
| ldapBase                      | REDACTED                                       |
| ldapBaseGroups                | ou=People,REDACTED                             |
| ldapBaseUsers                 | ou=People,REDACTED                             |
| ldapCacheTTL                  | 600                                            |
| ldapConfigurationActive       | 1                                              |
| ldapDynamicGroupMemberURL     |                                                |
| ldapEmailAttribute            | mail                                           |
| ldapExperiencedAdmin          | 0                                              |
| ldapExpertUUIDGroupAttr       |                                                |
| ldapExpertUUIDUserAttr        |                                                |
| ldapExpertUsernameAttr        |                                                |
| ldapGroupDisplayName          | cn                                             |
| ldapGroupFilter               | (&(|(objectclass=posixGroup)))                 |
| ldapGroupFilterGroups         |                                                |
| ldapGroupFilterMode           | 0                                              |
| ldapGroupFilterObjectclass    | posixGroup                                     |
| ldapGroupMemberAssocAttr      | uniqueMember                                   |
| ldapHost                      | localhost                                      |
| ldapIgnoreNamingRules         |                                                |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson))(|(uid=%uid))) |
| ldapLoginFilterAttributes     | uid                                            |
| ldapLoginFilterEmail          | 0                                              |
| ldapLoginFilterMode           | 0                                              |
| ldapLoginFilterUsername       | 0                                              |
| ldapNestedGroups              | 0                                              |
| ldapOverrideMainServer        |                                                |
| ldapPagingSize                | 500                                            |
| ldapPort                      | 389                                            |
| ldapQuotaAttribute            |                                                |
| ldapQuotaDefault              |                                                |
| ldapTLS                       | 0                                              |
| ldapUserDisplayName           | cn                                             |
| ldapUserDisplayName2          |                                                |
| ldapUserFilter                | (|(objectclass=inetOrgPerson))                 |
| ldapUserFilterGroups          |                                                |
| ldapUserFilterMode            | 0                                              |
| ldapUserFilterObjectclass     | inetOrgPerson                                  |
| ldapUuidGroupAttribute        | auto                                           |
| ldapUuidUserAttribute         | auto                                           |
| turnOffCertCheck              | 0                                              |
| turnOnPasswordChange          | 0                                              |
| useMemberOfToDetectMembership | 1                                              |
+-------------------------------+------------------------------------------------+

Client configuration

Browser: Chromium, and all others tested

Operating system: Archlinux, Android

Logs

Web server error log

2017/03/07 16:52:46 [error] 615#615: *257 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "PROPFIND /remote.php/dav/calendars/52488d1b-608a-4e9a-a615-1a809b6cdab2/contact_birthdays/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"
2017/03/07 16:53:47 [error] 615#615: *257 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "PROPFIND /remote.php/dav/addressbooks/users/52488d1b-608a-4e9a-a615-1a809b6cdab2/contacts.vcf/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"
2017/03/07 20:55:12 [error] 617#617: *13357 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "GET /index.php/apps/news/api/v1-2/items/updated?lastModified=1488837605&type=3&id=0 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"
2017/03/07 20:55:12 [error] 617#617: *13355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "GET /index.php/apps/news/api/v1-2/user HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"
2017/03/07 20:55:12 [error] 617#617: *13358 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "GET /index.php/apps/news/api/v1-2/folders HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"
2017/03/07 20:55:12 [error] 617#617: *13356 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "GET /index.php/apps/news/api/v1-2/feeds HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"
2017/03/07 20:56:49 [error] 617#617: *13395 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.1, server: redacted.example.com, request: "PROPFIND /remote.php/dav/calendars/52488d1b-608a-4e9a-a615-1a809b6cdab2/calendar.ics/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock", host: "redacted.example.com"

Nextcloud log (data/nextcloud.log)

Nextcloud log
{"reqId":"\/sUcXl9OXKlwyviaNPeC","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:25:48+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"qfyDdI9JaS\/lmMCv1eQM","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:11+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"qfyDdI9JaS\/lmMCv1eQM","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:11+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"3JOJgObBuSJp9tYQIlV2","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:13+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"3JOJgObBuSJp9tYQIlV2","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:13+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"PCigR+5hw7LLFIo+Tzda","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:13+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/items\/updated?lastModified=1488837605&type=3&id=0","user":"--","version":"11.0.2.7"}
{"reqId":"PCigR+5hw7LLFIo+Tzda","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:13+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/items\/updated?lastModified=1488837605&type=3&id=0","user":"--","version":"11.0.2.7"}
{"reqId":"pQko6\/9kHQE4fXP+UOkE","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:14+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/calendars\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/calendar.ics\/","user":"--","version":"11.0.2.7"}
{"reqId":"pQko6\/9kHQE4fXP+UOkE","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:14+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/calendars\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/calendar.ics\/","user":"--","version":"11.0.2.7"}
{"reqId":"\/sUcXl9OXKlwyviaNPeC","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:18+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"\/sUcXl9OXKlwyviaNPeC","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:18+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"qfyDdI9JaS\/lmMCv1eQM","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:41+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"qfyDdI9JaS\/lmMCv1eQM","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:41+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"3JOJgObBuSJp9tYQIlV2","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:43+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"3JOJgObBuSJp9tYQIlV2","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:43+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"PFLJFUZfxFwkIGA\/5XKW","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:43+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/contacts.vcf\/","user":"--","version":"11.0.2.7"}
{"reqId":"PFLJFUZfxFwkIGA\/5XKW","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:43+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/contacts.vcf\/","user":"--","version":"11.0.2.7"}
{"reqId":"pQko6\/9kHQE4fXP+UOkE","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:26:44+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/calendars\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/calendar.ics\/","user":"--","version":"11.0.2.7"}
{"reqId":"pQko6\/9kHQE4fXP+UOkE","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:26:44+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/calendars\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/calendar.ics\/","user":"--","version":"11.0.2.7"}
{"reqId":"PFLJFUZfxFwkIGA\/5XKW","remoteAddr":"10.0.0.1","app":"no app in context","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"Session has been closed - no further changes to the session are allowed\",\"Code\":0,\"Trace\":\"#0 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/lib\\\/private\\\/Session\\\/Internal.php(64): OC\\\\Session\\\\Internal->validateSession()\\n#1 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/lib\\\/private\\\/Session\\\/CryptoSessionData.php(164): OC\\\\Session\\\\Internal->set('encrypted_sessi...', '57f9e844f69aeb4...')\\n#2 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php(132): OC\\\\Session\\\\CryptoSessionData->close()\\n#3 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Backend\\\/AbstractBasic.php(105): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->validateUserPass(*** sensitive parameters replaced ***)\\n#4 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php(251): Sabre\\\\DAV\\\\Auth\\\\Backend\\\\AbstractBasic->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php(154): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->auth(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#6 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(199): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#7 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(150): Sabre\\\\DAV\\\\Auth\\\\Plugin->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#8 [internal function]: 
Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#9 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#10 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(466): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#11 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#12 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Server.php(227): Sabre\\\\DAV\\\\Server->exec()\\n#13 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(30): OCA\\\\DAV\\\\Server->exec()\\n#14 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/remote.php(165): require_once('\\\/mnt\\\/storage1\\\/s...')\\n#15 {main}\",\"File\":\"\\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/lib\\\/private\\\/Session\\\/Internal.php\",\"Line\":154}","level":3,"time":"2017-03-07T10:27:14+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/contacts.vcf\/","user":"52488d1b-608a-4e9a-a615-1a809b6cdab2","version":"11.0.2.7"}
{"reqId":"PFLJFUZfxFwkIGA\/5XKW","remoteAddr":"10.0.0.1","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 503 Exception: Session has been closed - no further changes to the session are allowed\",\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",\"Code\":0,\"Trace\":\"#0 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(199): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#1 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(150): Sabre\\\\DAV\\\\Auth\\\\Plugin->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#3 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#4 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(466): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#5 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#6 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Server.php(227): Sabre\\\\DAV\\\\Server->exec()\\n#7 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(30): OCA\\\\DAV\\\\Server->exec()\\n#8 \\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/remote.php(165): require_once('\\\/mnt\\\/storage1\\\/s...')\\n#9 
{main}\",\"File\":\"\\\/mnt\\\/storage1\\\/srv\\\/http\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php\",\"Line\":162,\"User\":\"52488d1b-608a-4e9a-a615-1a809b6cdab2\"}","level":4,"time":"2017-03-07T10:27:14+00:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/52488d1b-608a-4e9a-a615-1a809b6cdab2\/contacts.vcf\/","user":"52488d1b-608a-4e9a-a615-1a809b6cdab2","version":"11.0.2.7"}
{"reqId":"33\/FJYqSKY2qBcEQFVwy","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:24+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"oNvaDlfB7NhFzMJP5sPs","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:24+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"33\/FJYqSKY2qBcEQFVwy","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:24+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"oNvaDlfB7NhFzMJP5sPs","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:24+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"3U\/xRH1JI4avzx8WXEZt","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:24+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/items\/updated?lastModified=1488837605&type=3&id=0","user":"--","version":"11.0.2.7"}
{"reqId":"3U\/xRH1JI4avzx8WXEZt","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:24+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/items\/updated?lastModified=1488837605&type=3&id=0","user":"--","version":"11.0.2.7"}
{"reqId":"gJtDVS5IuykvttUM42RR","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:25+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"gJtDVS5IuykvttUM42RR","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:25+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"33\/FJYqSKY2qBcEQFVwy","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:54+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"33\/FJYqSKY2qBcEQFVwy","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:54+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/user","user":"--","version":"11.0.2.7"}
{"reqId":"oNvaDlfB7NhFzMJP5sPs","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:54+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"oNvaDlfB7NhFzMJP5sPs","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:54+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/folders","user":"--","version":"11.0.2.7"}
{"reqId":"3U\/xRH1JI4avzx8WXEZt","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:54+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/items\/updated?lastModified=1488837605&type=3&id=0","user":"--","version":"11.0.2.7"}
{"reqId":"3U\/xRH1JI4avzx8WXEZt","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:54+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/items\/updated?lastModified=1488837605&type=3&id=0","user":"--","version":"11.0.2.7"}
{"reqId":"gJtDVS5IuykvttUM42RR","remoteAddr":"10.0.0.1","app":"user_ldap","message":"Bind failed: 49: Invalid credentials","level":2,"time":"2017-03-07T10:46:55+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}
{"reqId":"gJtDVS5IuykvttUM42RR","remoteAddr":"10.0.0.1","app":"core","message":"Login failed: 'redacted' (Remote IP: '10.0.0.1')","level":2,"time":"2017-03-07T10:46:55+00:00","method":"GET","url":"\/index.php\/apps\/news\/api\/v1-2\/feeds","user":"--","version":"11.0.2.7"}

(I'm guessing the "Bind failed" entries are from some app still trying to log in with the old password, even though I'm sure I updated them all.)

Also I tried turning off the bruteforce protection setting, to no avail.

@samuelallan72
Author

samuelallan72 commented Mar 7, 2017

Update: it is now working ok after running a system update and rebooting the server. ¯\_(ツ)_/¯

I'd still be interested to know why it does this though - it's the second time I've had the issue, and now both times it's mysteriously resolved itself.

@MorrisJobke
Member

Could be related to the brute force detection somehow.

@MorrisJobke MorrisJobke added 0. Needs triage Pending check for reproducibility or if it fits our roadmap feature: ldap labels Mar 8, 2017
@MorrisJobke
Member

cc @nextcloud/ldap

@blizzz
Member

blizzz commented Mar 8, 2017

I also think brute force detection kicked in. Would be the case if there were any clients from the same network (IP) trying to access Nc with the old password. Likely, @swalladge ?

@samuelallan72
Author

@blizzz yep, that is most likely. Are there docs explaining the behaviour of the brute force protection? Either way, it's not very user friendly if this happens on local networks every time someone changes their password.

@KB7777
Contributor

KB7777 commented Mar 9, 2017

Every LDAP implementation is not user friendly :(
When an LDAP user gets a notice on the desktop to change his password, he often does it at the last moment :)
There is a situation when the password expires in AD, but the user is still logged in and can work on his desktop with no problems until he logs off. Meanwhile the Nextcloud client will check the LDAP backend and... voila! Wrong password! Very confusing for end users until they learn how it works.

Maybe there is some workaround?

@blizzz
Member

blizzz commented Mar 9, 2017

Well, this is not specific to LDAP, but would happen with the local backend or any other user backend as well. Then, however, perhaps you could add some logic that prevents brute force protection from kicking in for an hour or so when the password is changed. However, we can only know internally about this event, not from other systems like the LDAP server.

You could advise your users to use app/device passwords for clients or machines instead (this can be enforced for non-website auth when you enable TOTP, since the web interface will then ask for a one-time token). Of course this adds some overhead and work for users, but then the LDAP password change would affect web interface login only.

About the brute force protection:

It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay is 200 milliseconds (after the first failed login).

#479

Another point is that the ideal client would recognize that authentication failed (not that the server is offline or has other issues) and ask the user to re-enter the password. If enough people share the same IP (proxy?) it won't make a difference though.
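The throttling behaviour described in this comment (failed attempts logged per subnet, a delay that starts at 200 ms and is capped at 30 s), together with the reset-on-successful-login idea discussed further down the thread, can be modelled to show why a single stale sync client on a home LAN slows down everyone behind the same address. The following is an added example written for this thread, not Nextcloud's own code: the doubling of the delay between attempts, the /24 (IPv4) and /64 (IPv6) grouping, the 12-hour window and all names (`Throttler`, `simulate`, `subnet_key`) are assumptions of the model, and the event sequence is constructed to mirror the scenario in the issue.

```python
"""Model of per-subnet login throttling with optional reset on success.

Added example for this discussion; it is not Nextcloud's implementation.
Assumptions (not stated on the page): delay doubles per failed attempt,
IPv4 is grouped by /24 and IPv6 by /64, failures expire after 12 hours.
"""
from dataclasses import dataclass, field
import ipaddress

FIRST_DELAY_MS = 200       # starting delay after the first failed login (from the thread)
MAX_DELAY_MS = 30_000      # maximum delay (from the thread)


def subnet_key(ip: str) -> str:
    """Group addresses so that one client's failures throttle its whole subnet."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64   # assumption: /24 for IPv4, /64 for IPv6
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


@dataclass
class Throttler:
    # subnet -> timestamps (seconds) of failed logins
    attempts: dict[str, list[float]] = field(default_factory=dict)
    window_s: float = 12 * 3600   # assumption: failures older than this are ignored

    def register_failure(self, ip: str, now: float) -> None:
        self.attempts.setdefault(subnet_key(ip), []).append(now)

    def failed_attempts(self, ip: str, now: float) -> int:
        """Count failures for this subnet inside the window, dropping stale ones."""
        key = subnet_key(ip)
        recent = [t for t in self.attempts.get(key, []) if now - t <= self.window_s]
        self.attempts[key] = recent
        return len(recent)

    def delay_ms(self, ip: str, now: float) -> int:
        """Delay applied to a login attempt: 0, then 200 ms doubling, capped at 30 s."""
        n = self.failed_attempts(ip, now)
        if n == 0:
            return 0
        return min(FIRST_DELAY_MS * 2 ** (n - 1), MAX_DELAY_MS)

    def reset(self, ip: str) -> None:
        """Forget the subnet's failures (the behaviour #7263 adds on successful login)."""
        self.attempts.pop(subnet_key(ip), None)


def simulate(events: list[tuple[float, str, bool]], reset_on_success: bool) -> list[int]:
    """Replay (time_s, client_ip, login_succeeded) events; return the delay each one saw."""
    th = Throttler()
    delays = []
    for now, ip, ok in events:
        delays.append(th.delay_ms(ip, now))   # delay is decided before the attempt
        if ok:
            if reset_on_success:
                th.reset(ip)
        else:
            th.register_failure(ip, now)
    return delays


# Constructed scenario modelled on the issue: a sync client on 10.0.0.1 keeps retrying
# with the old password every 30 s; afterwards the user logs in twice from a browser
# on another host in the same /24 with the correct password.
SCENARIO = [(i * 30.0, "10.0.0.1", False) for i in range(9)] + [
    (300.0, "10.0.0.5", True),
    (330.0, "10.0.0.5", True),
]

if __name__ == "__main__":
    for label, flag in (("without reset", False), ("with reset on success", True)):
        print(label, simulate(SCENARIO, reset_on_success=flag))
```

Without the reset, the browser login from a different host in the same subnet still waits the full 30 seconds on both attempts, which matches the ~30 second logins reported at the top of the thread; with the reset, only the first correct login pays the penalty.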

@GitHubUser4234
Contributor

GitHubUser4234 commented Mar 10, 2017

For expired passwords, the #1023 enhancement might be helpful in this regard, at least for OpenLDAP users. Users would be notified when their password is about to expire, and with grace logins allowed, an active session wouldn't be oddly interrupted on expiry, and for new sessions, users with expired passwords are instructed to renew their password during login.

@blizzz
Member

blizzz commented Mar 10, 2017

After a discussion with @LukasReschke yesterday it's also worthwhile to think about deleting brute force attempts from the DB after a successful login from within the IP. This requires frequent DB access (at least another read per login on success).

@samuelallan72
Author

It would be nice to have a way to view the status of brute force protection from the admin panel: a history of brute force attempts, whether it is currently active, and a button to reset it.

@blizzz
Member

blizzz commented Dec 16, 2017

#7263 resets the brute force attempts on successful login → closing
