New ldap users can't login: LDAP Login: Could not get user object for DN ... Maybe the LDAP entry has no set display name attribute?
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
I have an NC integration with FreeIPA as the LDAP server. New LDAP users report that they can't log in. Old users can log in without issues. Testing a new LDAP username in the Login Attributes tab works fine. NC 26.0.3, Dockerized, CentOS 7.
Steps to reproduce
- create new ldap user
- login to NC
Expected behavior
Successful login
Installation method
Community Docker image
Nextcloud Server version
26
Operating system
RHEL/CentOS
PHP engine version
None
Web server
None
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [ ] Default user-backend (database)
- [X] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
{
"system": {
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"cloud.example.com",
"docs.example.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "26.0.3.2",
"overwrite.cli.url": "https:\/\/cloud.example.com",
"overwriteprotocol": "https",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": false,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"theme": "",
"loglevel": 0,
"logfile": "\/var\/www\/html\/nextcloud.log",
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtpsecure": "ssl",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"auth.bruteforce.protection.enabled": true,
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"allow_local_remote_servers": true
}
}
List of activated Apps
Enabled:
- activity: 2.18.0
- admin_audit: 1.16.0
- cfg_share_links: 4.1.0
- circles: 26.0.0
- cloud_federation_api: 1.9.0
- comments: 1.16.0
- contactsinteraction: 1.7.0
- dav: 1.25.0
- federatedfilesharing: 1.16.0
- federation: 1.16.0
- files: 1.21.1
- files_external: 1.18.0
- files_pdfviewer: 2.7.0
- files_rightclick: 1.5.0
- files_sharing: 1.18.0
- files_trashbin: 1.16.0
- files_versions: 1.19.1
- firstrunwizard: 2.15.0
- forms: 3.3.1
- logreader: 2.11.0
- lookup_server_connector: 1.14.0
- nextcloud_announcements: 1.15.0
- notifications: 2.14.0
- oauth2: 1.14.0
- onlyoffice: 7.8.0
- password_policy: 1.16.0
- passwords: 2023.6.30
- photos: 2.2.0
- privacy: 1.10.0
- provisioning_api: 1.16.0
- related_resources: 1.1.0-alpha1
- serverinfo: 1.16.0
- settings: 1.8.0
- sharebymail: 1.16.0
- support: 1.9.0
- survey_client: 1.14.0
- systemtags: 1.16.0
- text: 3.7.2
- theming: 2.1.1
- twofactor_backupcodes: 1.15.0
- updatenotification: 1.16.0
- user_ldap: 1.16.0
- user_status: 1.6.0
- viewer: 1.10.0
- weather_status: 1.6.0
- workflow_script: 1.11.2
- workflowengine: 2.8.0
Disabled:
- bruteforcesettings: 2.6.0 (installed 2.4.0)
- calendar: 4.4.2 (installed 4.4.2)
- contacts: 5.3.2 (installed 5.3.2)
- dashboard: 7.6.0 (installed 7.2.0)
- encryption: 2.14.0
- piwik: 0.11.1 (installed 0.11.1)
- recommendations: 1.5.0 (installed 0.5.0)
- spreed: 16.0.4 (installed 16.0.4)
- suspicious_login: 4.4.0
- twofactor_totp: 8.0.0
Nextcloud Signing status
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core
- EXTRA_FILE
- nextcloud.log
Raw output
==========
Array
(
[core] => Array
(
[EXTRA_FILE] => Array
(
[nextcloud.log] => Array
(
[expected] =>
[current] => 0ea9e4a39457de4dbf49de81b9c5ef5e3bea0facb9261d05728e991347b8581d27520a4657b3e1eaa028f9ffd0c577270737eee2cc882fcec94701f3b7d31f72
)
)
)
)
Nextcloud Logs
cat nextcloud.log | grep myuser|jq
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "initializing paged search for filter (&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE))), base cn=users,cn=accounts,dc=ipa.dc=example,dc=com, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 500, offset 0",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "Calling LDAP function ldap_search with parameters [{},\"cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",\"(&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE)))\",[\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":500,\"cookie\":\"\"},\"iscritical\":false}]]",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "Calling LDAP function ldap_read with parameters [{},\"uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",\"(objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(!(nsaccountlock=TRUE))\",[\"displayname\"],0,-1]",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "readAttribute failed for DN uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "No or empty name for uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com with filter (objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(!(nsaccountlock=TRUE)).",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "Calling LDAP function ldap_explode_dn with parameters [\"uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",0]",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "Calling LDAP function ldap_explode_dn with parameters [\"myuser\",0]",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "No DN found for myuser on ipa01.ipa.syntellect.ru",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "initializing paged search for filter (&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE))), base cn=users,cn=accounts,dc=ipa.dc=example,dc=com, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 500, offset 0",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "Calling LDAP function ldap_search with parameters [{},\"cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",\"(&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE)))\",[\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":500,\"cookie\":\"\"},\"iscritical\":false}]]",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 0,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "Calling LDAP function ldap_explode_dn with parameters [\"uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",0]",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
{
"reqId": "W5SsDFbqpFOrsmWOX1o4",
"level": 2,
"time": "2023-08-08T08:58:40+00:00",
"remoteAddr": "10.1.1.1",
"user": "--",
"app": "user_ldap",
"method": "POST",
"url": "/login",
"message": "LDAP Login: Could not get user object for DN uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com. Maybe the LDAP entry has no set display name attribute?",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"version": "26.0.3.2",
"data": {
"app": "user_ldap"
}
}
Additional info
No response
But the console test fails:
./occ ldap:check-user myuser
The given user is not a recognized LDAP user.
Updating NC to 26.0.4 does not solve the issue.
I have the same issue, updated NC to 27.0.2 but with no effect, i.e. new users still get this error, while old users can log in. Funny enough, I get this in the error log:
{"reqId":"ZN5K65cw4r5KFBhTyaxqtgAAkCM","level":2,"time":"2023-08-17T16:29:31+00:00","remoteAddr":"xxxxx","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"LDAP Login: Could not get user object for DN cn=
so the user name is definitely found in the LDAP but for some reason the user cannot authenticate.
Is this still an issue on 26.0.6/27.1.0 ?
Hi! I think we have the same problem. We are running on Nextcloud AIO 27.1.0 (Ubuntu 22.04).
{"reqId":"sVE5vuSfOy8yblClWO6L","level":2,"time":"2023-09-20T15:41:44+00:00","remoteAddr":"X.X.X.X","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"LDAP Login: Could not get user object for DN cn=YYY,ou=,dc=,dc=. Maybe the LDAP entry has no set display name attribute?","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","version":"27.1.0.7","data":{"app":"user_ldap"},"id":"650b14313140f"}
Best
Do you need more info? Which info would be helpful? Best
For me it was still an issue. However, I fixed it by manually downgrading the LDAP plugin: I downloaded an old version of Nextcloud (v. 24) and extracted the relevant files and replaced them in my Nextcloud setup. This indeed gave me a working LDAP.
However, it is very interesting that with the recent update to 27.1.1 the LDAP plugin got reverted to the newest version as well and LDAP still works. But I cannot test right now if new users will be visible or if the behaviour will be as before, where just existing users appear and no new ones are added.
> Is this still an issue on 26.0.6/27.1.0 ?
Yes. Today I upgraded from 26.0.5 to 26.0.7 and the issue still exists.
UPD. Upgrading from 26.0.7 to 27.1.2 does not solve this issue.
> For me it was still an issue. However, I fixed it by manually downgrading the LDAP plugin: I downloaded an old version of Nextcloud (v. 24) and extracted the relevant files and replaced them in my Nextcloud setup. This indeed gave me a working LDAP.
> However, it is very interesting that with the recent update to 27.1.1 the LDAP plugin got reverted to the newest version as well and LDAP still works. But I cannot test right now if new users will be visible or if the behaviour will be as before, where just existing users appear and no new ones are added.
Hi, it looks like the same issue is on 27.1.3 too. Which files did you replace? I tried with a few files and the whole folder but no solution.
ldapPagingSize was set to 0 for whatever reason. Setting it on the default of 500 solved the issue for me.
> ldapPagingSize was set to 0 for whatever reason. Setting it on the default of 500 solved the issue for me.
I have <ldapPagingSize>500</ldapPagingSize> but it does not work, unfortunately.
After detailed research, I found out that perhaps it was my mistake. By changing the LDAP search in "Users" from
(objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com)(!(nsaccountlock=TRUE))
to
(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com)(!(nsaccountlock=TRUE)))
New LDAP users can log in now.
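The filter problem described in the comment above, as an added example that is not part of the original thread or of Nextcloud's code: a small structural check, following the RFC 4515 grammar, that flags a user filter made of several parenthesised components with no enclosing `(&` or `(|` operator. The function names are hypothetical, and wrapping the components with AND is an assumption that matches the fix reported above.

```python
BROKEN = ("(objectClass=inetOrgPerson)(objectClass=posixAccount)"
          "(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com)"
          "(!(nsaccountlock=TRUE))")
FIXED = "(&" + BROKEN + ")"  # both filters are the ones quoted in the thread

def split_top_level(s):
    """Return the parenthesised components found at nesting depth 0 of s."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and depth > 0:      # RFC 4515 escape: backslash + 2 hex digits
            i += 3
            continue
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ')' at offset {i}")
            if depth == 0:
                parts.append(s[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError(f"text outside parentheses at offset {i}")
        i += 1
    if depth:
        raise ValueError("unclosed '('")
    return parts

def validate(filt):
    """Raise ValueError unless filt is exactly one well-formed filter."""
    parts = split_top_level(filt)
    if len(parts) != 1:
        raise ValueError(f"{len(parts)} top-level components, expected 1")
    body = parts[0][1:-1]
    if body[:1] in ("&", "|"):            # composite: validate every sub-filter
        for child in split_top_level(body[1:]):
            validate(child)
    elif body[:1] == "!":                 # negation: exactly one sub-filter
        validate(body[1:])
    elif "=" not in body or "(" in body:  # simple item such as uid=myuser
        raise ValueError(f"malformed item: ({body})")

def suggest_fix(filt):
    """Return filt if valid; otherwise AND-wrap a bare list of valid filters."""
    parts = split_top_level(filt)
    if len(parts) > 1:                    # assumption: AND was intended
        filt = "(&" + "".join(parts) + ")"
    validate(filt)
    return filt
```

Running `validate` over the configured user filter before saving it catches this case early; in the logs above the same unwrapped filter is what `ldap_read` was called with just before `readAttribute failed`.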
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
None of the above hints are working in my case. 28.0.1 still doesn't add new LDAP users.
same issue here,
NC27, LDAP was working fine, then I raised the domain functional level of my Windows Server AD and the issue appeared.
Tried to set up a new Nextcloud from scratch, connected user_ldap to my AD and got the same behaviour.
All lights are green, user_ldap can find AD users but they are unable to log in.
here is the error:
"LDAP Login: Could not get user object for DN cn=administrateur,cn=users,dc=domain,dc=tld. Maybe the LDAP entry has no set display name attribute?"
Back to a 2K8 server with 2K8 domain functional level, everything runs ok
Does anyone have a solution?
I'm having the same issue. New AD users are unable to login to Nextcloud even though they can be found with the LDAP test.
My LDAP Query for Users:
(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=Nextcloud Users,CN=Users,DC=mydomain,DC=local)(primaryGroupID=4291))))
Nextcloud Hub 6 (27.1.4) under TrueNAS-13.0-U6.1 LDAP backend 1.17.0