
[Bug]: WebDAV not working with LDAP OTP

Open duburcqa opened this issue 3 years ago • 0 comments

⚠️ This issue respects the following points: ⚠️

  • [X] This is a bug, not a question or a configuration/webserver/proxy issue.
  • [X] This issue is not already reported on Github (I've searched it).
  • [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

WebDAV access is not working with the FreeIPA LDAP backend with OTP. More precisely, the password has an OTP token as a suffix, which means there is a single password that is constantly changing. It seems to be related to these issues: https://github.com/nextcloud/server/issues/11113 and https://github.com/nextcloud/server/issues/26883

I can confirm that 'auth.storeCryptedPassword' => false fixes the logout-every-5-minutes issue, but WebDAV access is still not working at all. It is completely impossible to connect. After disabling OTP, everything is fine.

Steps to reproduce

  1. Enable OTP in FreeIPA
  2. Try to connect via WebDAV (davs://<hostname>/remote.php/dav/files/<username>)
  3. Authentication fails

Expected behavior

If the OTP is currently valid, authentication should be successful.

Installation method

Community Manual installation with Archive

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • [ ] Default user-backend (database)
  • [X] LDAP/ Active Directory
  • [ ] SSO - SAML
  • [ ] Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.local.tplusone.io"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "cloud.local.tplusone.io",
        "overwriteprotocol": "https",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.2.3",
        "overwrite.cli.url": "https:\/\/cloud.local.tplusone.io",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "default_phone_region": "FR",
        "maintenance": false,
        "theme": "",
        "loglevel": 0,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "skeletondirectory": "",
        "defaultapp": "files",
        "allow_user_to_change_display_name": false,
        "auth.bruteforce.protection.enabled": true,
        "trashbin_retention_obligation": "auto, 14",
        "mail_smtpsecure": "ssl",
        "auth.storeCryptedPassword": false
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - calendar: 4.1.2
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contactsinteraction: 1.6.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_accesscontrol: 1.15.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - richdocuments: 7.0.2
  - richdocumentscode: 22.5.802
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.2
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - updatenotification: 1.15.0
  - user_ldap: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - contacts: 5.0.2
  - dashboard: 7.5.0
  - encryption: 2.13.0
  - files_external
  - firstrunwizard: 2.14.0
  - mail: 2.2.2
  - password_policy: 1.15.0
  - photos: 2.0.1
  - support: 1.8.0
  - suspicious_login
  - weather_status: 1.5.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"BhMpYqqffRLdAcQrY8so","level":2,"time":"2022-12-24T16:58:38+00:00","remoteAddr":"10.2.2.3","user":"--","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/alexis.duburcq","message":"Bind failed: 49: Invalid credentials","userAgent":"gvfs/1.48.2","version":"25.0.2.3","data":{"app":"user_ldap"},"id":"63a736ea02541"}

Additional info

No response

duburcqa, Dec 24 '22 17:12
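Added example (not code from the issue, the reporter, or the Nextcloud project): the two checks a practitioner would want when chasing this report. First, it builds the kind of credential the report describes, a static password with an RFC 6238 TOTP code appended as a suffix, and reports how long that credential stays current, which is what makes a stored or cached WebDAV password go stale. Second, it triages Nextcloud JSON log lines, picking out `user_ldap` "Bind failed" records and flagging whether they came in over `/remote.php/dav/`, so DAV client failures can be separated from interactive login failures. Assumptions: the suffix convention is taken from the report; the TOTP key is the RFC 6238 reference key (used only so the output is reproducible against the RFC's test vectors); the log lines are constructed to mirror the shape of the one in the report, with a made-up user.

```python
"""Build a FreeIPA-style 'password + OTP' bind credential and triage Nextcloud
log lines for LDAP bind failures on WebDAV requests (added example)."""
import hashlib
import hmac
import json
import re
import struct
from typing import Iterable, List, Optional

# RFC 6238 reference key (ASCII "12345678901234567890"). Demo key only, chosen so
# the generated codes match the RFC's published test vectors.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the Unix time `for_time`."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def ldap_otp_credential(password: str, secret: bytes, for_time: int) -> str:
    """Credential as the report describes it: static password with the OTP
    appended as a suffix. It is only valid for the current time step."""
    return password + totp(secret, for_time)


def seconds_until_rotation(for_time: int, step: int = 30) -> int:
    """Seconds until the suffix changes (ignores any server-side skew window)."""
    return step - (int(for_time) % step)


_BIND_RE = re.compile(r"Bind failed: (\d+):")


def classify_ldap_log_line(line: str) -> Optional[dict]:
    """Return a summary for a user_ldap 'Bind failed' record, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None                              # not a Nextcloud JSON log line
    if rec.get("app") != "user_ldap":
        return None
    match = _BIND_RE.search(rec.get("message", ""))
    if not match:
        return None
    return {
        "time": rec.get("time"),
        "ldap_result": int(match.group(1)),      # 49 = LDAP invalidCredentials
        "via_dav": rec.get("url", "").startswith("/remote.php/dav/"),
        "method": rec.get("method"),
        "user_agent": rec.get("userAgent"),
    }


def triage(lines: Iterable[str]) -> List[dict]:
    """Keep only the LDAP bind failures from a batch of log lines."""
    return [s for s in (classify_ldap_log_line(l) for l in lines) if s]


# Constructed sample: one DAV bind failure shaped like the report's line, one
# unrelated web-login record, and one non-JSON line that must be skipped.
SAMPLE_LOG = [
    '{"reqId":"demo1","level":2,"time":"2022-12-24T16:58:38+00:00","remoteAddr":"10.2.2.3",'
    '"user":"--","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/jdoe",'
    '"message":"Bind failed: 49: Invalid credentials","userAgent":"gvfs/1.48.2","version":"25.0.2.3"}',
    '{"reqId":"demo2","level":2,"time":"2022-12-24T17:02:10+00:00","remoteAddr":"10.2.2.3",'
    '"user":"--","app":"core","method":"POST","url":"/login",'
    '"message":"Login failed: jdoe (Remote IP: 10.2.2.3)","userAgent":"Mozilla/5.0","version":"25.0.2.3"}',
    "not a json line",
]

if __name__ == "__main__":
    now = 59  # fixed time so the output matches the RFC 6238 vector
    print("bind credential:", ldap_otp_credential("hunter2", DEMO_SECRET, now))
    print("valid for another", seconds_until_rotation(now), "s")
    for hit in triage(SAMPLE_LOG):
        print("LDAP bind failure:", hit)
```

Run against a real `nextcloud.log`, a run of `via_dav: True` records with `ldap_result: 49` from a DAV user agent while browser logins succeed is the signature of a client re-sending a credential whose OTP suffix has already rotated, or of a client that never had the suffix to begin with.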