LDAP Not Working Despite Correct Configuration #12050

Closed
infroger opened this issue Oct 25, 2018 · 2 comments

infroger commented Oct 25, 2018

Steps to reproduce

  1. Install a fresh instance of Nextcloud (I used a docker image, version 14.0.3)
  2. Configure LDAP as per the Admin Manual
  3. Try to log in with an LDAP account

Expected behaviour

Login should succeed

Actual behaviour

Got message "wrong password" on UI and "Login Failed" on Nextcloud log. Spent one working day investigating. Turned out that Settings / LDAP/AD Integration / Advanced / Configuration Active wasn't checked. After manually checking this option, LDAP authentication began working.

Requests

  1. Nextcloud Admin Manual informs that "Configuration Active" is automatically checked when a successful test is performed during LDAP configuration. I've performed multiple tests and this option wasn't automatically checked. Don't know why.

  2. Change the error message from "Login failed" to "No Active LDAP configuration found".

I've already opened issue #912 on Nextcloud Documentation requesting the manual is more explicit about the need of having this configuration item checked for LDAP to work.

Server configuration

Operating system: Debian (docker image)

Web server: NGINX

Database: MySQL 5.7.24

PHP version: 7.2.11

Nextcloud version: 14.0.3

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: Docker Hub

Signing status:

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

No errors have been found.

List of activated apps:

App list
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Enabled:

  • accessibility: 1.0.1
  • activity: 2.7.0
  • admin_audit: 1.4.0
  • admin_notifications: 1.0.2
  • announcementcenter: 3.3.1
  • calendar: 1.6.3
  • cloud_federation_api: 0.0.1
  • comments: 1.4.0
  • dav: 1.6.0
  • deck: 0.4.1
  • drawio: 0.9.1
  • dropit: 0.1.1
  • federatedfilesharing: 1.4.0
  • federation: 1.4.0
  • files: 1.9.0
  • files_markdown: 2.0.4
  • files_mindmap: 0.0.9
  • files_pdfviewer: 1.3.2
  • files_sharing: 1.6.2
  • files_texteditor: 2.6.0
  • files_trashbin: 1.4.1
  • files_versions: 1.7.1
  • files_videoplayer: 1.3.0
  • firstrunwizard: 2.3.0
  • gallery: 18.1.0
  • gpxedit: 0.0.9
  • gpxmotion: 0.0.7
  • gpxpod: 2.3.1
  • logreader: 2.0.0
  • lookup_server_connector: 1.2.0
  • mail: 0.11.0
  • nextcloud_announcements: 1.3.0
  • notes: 2.4.2
  • notifications: 2.2.1
  • oauth2: 1.2.1
  • password_policy: 1.4.0
  • phonetrack: 0.3.6
  • provisioning_api: 1.4.0
  • serverinfo: 1.4.0
  • sharebymail: 1.4.0
  • spreed: 4.0.0
  • support: 1.0.0
  • survey_client: 1.2.0
  • systemtags: 1.4.0
  • theming: 1.5.0
  • twofactor_backupcodes: 1.3.1
  • updatenotification: 1.4.1
  • user_external: 0.4
  • user_ldap: 1.4.0
  • workflowengine: 1.4.0

Disabled:

  • encryption
  • files_external
  • unsplash

Nextcloud configuration:

Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or 

Insert your config.php content here. 
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "/var/www/html/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/html/custom_apps",
                "url": "/custom_apps",
                "writable": true
            }
        ],
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "drive-hom.procempa.com.br"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "dbtype": "mysql",
        "version": "14.0.3.0",
        "overwrite.cli.url": "http://localhost",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "",
        "mysql.utf8mb4": true,
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "instanceid": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "auth.bruteforce.protection.enabled": false,
        "proxy": "lproxy:3128",
        "loglevel": 2,
        "log_rotate_size": 10485760,
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_smtpmode": "smtp",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_smtpport": "25"
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: No

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | SENSITIVE |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | SENSITIVE |
| ldapBackupPort | 389 |
| ldapBase | SENSITIVE |
| ldapBaseGroups | SENSITIVE |
| ldapBaseUsers | SENSITIVE |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | SENSITIVE |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | SENSITIVE |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | SENSITIVE |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | SENSITIVE |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser: Chrome

Operating system: Ubuntu 18.04

Logs

Nextcloud log (data/nextcloud.log)

{"reqId":"p42z7FsnMY04X4CWulLY","level":2,"time":"2018-10-24T12:54:27+00:00","remoteAddr":"SENSITIVE","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'roger.krolow' (Remote IP: 'SENSITIVE')","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36","version":"14.0.3.0"}

@nextcloud-bot

GitMate.io thinks possibly related issues are #7135 (LDAP password change not always working), #4296 (LDAP Configuration not available after Copying Instance), #11026 (LDAP quota-sync does not work anymore), #5168 (Dynamic LDAP groups no longer working), and #1621 (ldap-user FIRSTlogin with internet explorer won't work.).

blizzz commented Oct 29, 2018

Thank you for your report and your suggestions.

> Nextcloud Admin Manual informs that "Configuration Active" is automatically checked when a successful test is performed during LDAP configuration. I've performed multiple tests and this option wasn't automatically checked. Don't know why.

The absence of it would not help you either. Also, it rather makes more sense to notify only about error cases, not successful operation.

We don't automatically enable configurations when you revisit and edit an inactive one.

> Change the error message from "Login failed" to "No Active LDAP configuration found".

End users should not care about those, also there's no exclusivity included with the LDAP backend.

At the bottom line it is a configuration thing, and I am sorry that you spent too much time on it. At some point we should overhaul the whole wizard and improve on the overall experience. This I would keep as is for now, as it proved to be working for ~99% of cases.

blizzz closed this as completed Oct 29, 2018
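
Since the login log line in this thread gives no hint that the LDAP configuration is inactive, the check can be made against the `occ ldap:show-config` output instead. The following is an added example, not part of the original thread or of Nextcloud's code: it parses the table format shown in the issue and flags an inactive configuration, plus two transport settings visible in the same table. The sample table, its host names and the function names are constructed for illustration, and it assumes one "Configuration" header row per configuration ID.

```python
import re

# Constructed sample in the `occ ldap:show-config` table layout (values are made up).
SAMPLE = """\
+-------------------------+---------------------------+
| Configuration           | s01                       |
+-------------------------+---------------------------+
| ldapConfigurationActive | 0                         |
| ldapHost                | ldap.example.test         |
| ldapLoginFilter         | (|(uid=%uid)(mail=%uid))  |
| ldapTLS                 | 0                         |
+-------------------------+---------------------------+
| Configuration           | s02                       |
+-------------------------+---------------------------+
| ldapConfigurationActive | 1                         |
| ldapHost                | ldaps://ldap.example.test |
| ldapTLS                 | 0                         |
+-------------------------+---------------------------+
"""

# Key is the first cell; the value is lazy so a "|" inside an LDAP filter survives.
ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|?\s*$")

def parse_show_config(text):
    """Return {config_id: {key: value}} from show-config table output."""
    configs, current = {}, None
    for line in text.splitlines():
        if not (m := ROW.match(line)):
            continue  # border lines, blanks, stray continuation pipes
        key, value = m.groups()
        if key == "Configuration":
            current = configs.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return configs

def audit(cfg):
    findings = []
    if cfg.get("ldapConfigurationActive") != "1":
        findings.append("inactive: LDAP logins only produce a generic 'Login failed'")
    host = cfg.get("ldapHost", "")
    if cfg.get("ldapTLS") != "1" and not host.lower().startswith("ldaps://"):
        findings.append("no StartTLS and no ldaps://: binds carry passwords unencrypted")
    if cfg.get("turnOffCertCheck") == "1":
        findings.append("turnOffCertCheck=1: server certificate is not validated")
    return findings

if __name__ == "__main__":
    for config_id, cfg in parse_show_config(SAMPLE).items():
        print(config_id, audit(cfg) or "ok")
```

On a live instance, pass the function the output of `sudo -u www-data php occ ldap:show-config`. An inactive configuration can then be enabled with `occ ldap:set-config s01 ldapConfigurationActive 1`, using the configuration ID from the header row.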