
Password update by LDAP user in Nextcloud "Personal" #3200

@vacy

Description

Steps to reproduce

  1. https://docs.nextcloud.com/server/11/admin_manual/configuration_user/user_auth_ldap.html - Enable LDAP password changes per user: here it is mentioned that Access Control Lists must be set on the LDAP server to allow this step

  2. Try to update your own password as "testuser" on a shell running on the webserver host:
    ldappasswd -h ldaps://mgmt.host.it -p 636 -a $OLDPWD -s $NEWPWD -w $OLDPWD -vvv -D "uid=testuser,cn=users,cn=accounts,dc=host,dc=tld"
    ldap_initialize( )
    Result: Success (0)

That means the Access Control Lists should be set up fine.

  3. Log in as testuser to Nextcloud, go to "Personal", enter the old and new password and hit "change password"

Expected behaviour

I expect Nextcloud to update the password in the LDAP directory of the user testuser

Actual behaviour

Step 3 above runs into an "Unable to change password" error.
From the nextcloud log on loglevel 0:
{"reqId":"WIUw8oaxJKia2yi0gQcq4AAAAMs","remoteAddr":"IP","app":"PHP","message":"ldap_mod_replace(): Modify: Insufficient access at /var/www/dir/pub/nextcloud/apps/user_ldap/lib/LDAP.php#268","level":3,"time":"2017-01-22T22:23:47+00:00","method":"POST","url":"/nextcloud/index.php/settings/personal/changepassword","user":"testuser","version":"11.0.1.2"}
{"reqId":"WIUw8oaxJKia2yi0gQcq4AAAAMs","remoteAddr":"IP","app":"user_ldap","message":"LDAP error Insufficient access (50) after calling ldap_mod_replace","level":0,"time":"2017-01-22T22:23:47+00:00","method":"POST","url":"/nextcloud/index.php/settings/personal/changepassword","user":"testuser","version":"11.0.1.2"}

Server configuration

Operating system:
CentOS7.2

Web server:
Apache httpd 2.4.6
Database:
mariadb 5.5.52
PHP version:
5.6.25
Nextcloud version: (see Nextcloud admin page)
11.0.1.2

Updated from an older Nextcloud/ownCloud or fresh install:
fresh install

Where did you install Nextcloud from:
zip download from nextcloud.com

Signing status:

No errors have been found.

List of activated apps:

Enabled:
- activity: 2.4.1
- calendar: 1.5.0
- comments: 1.1.0
- contacts: 1.5.2
- dav: 1.1.1
- federatedfilesharing: 1.1.1
- federation: 1.1.1
- files: 1.6.1
- files_pdfviewer: 1.0.1
- files_sharing: 1.1.1
- files_texteditor: 2.2
- files_trashbin: 1.1.0
- files_versions: 1.4.0
- files_videoplayer: 1.0.0
- firstrunwizard: 2.0
- gallery: 16.0.0
- logreader: 2.0.0
- lookup_server_connector: 1.0.0
- nextcloud_announcements: 1.0
- notes: 2.2.0
- notifications: 1.0.1
- password_policy: 1.1.0
- provisioning_api: 1.1.0
- serverinfo: 1.1.1
- sharebymail: 1.0.1
- survey_client: 0.1.5
- systemtags: 1.1.3
- theming: 1.1.1
- twofactor_backupcodes: 1.0.0
- updatenotification: 1.1.1
- user_ldap: 1.1.1
- workflowengine: 1.1.1

The content of config/config.php:

'ocnxfzq0an3i',
'passwordsalt' => '...',
'secret' => '.../',
'trusted_domains' => array ( 0 => 'host.it', ),
'datadirectory' => '/var/www/dir/data/nextcloud/',
'overwrite.cli.url' => 'https://host.it/nextcloud',
'dbtype' => 'mysql',
'loglevel' => '0',
'version' => '11.0.1.2',
'dbname' => 'dbname',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'user',
'dbpassword' => 'pwd',
'logtimezone' => 'UTC',
'installed' => true,
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'nextcloud',
'mail_domain' => 'host.it',
'mail_smtphost' => 'localhost',
'mail_smtpport' => '25',
'singleuser' => false,
);

Are you using external storage, if yes which one: local/smb/sftp/...
local
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP

LDAP configuration (delete this part if not used)

| Configuration                 | s01                                                                                                                   |
|-------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| hasMemberOfFilterSupport      | 1                                                                                                                     |
| hasPagedResultSupport         |                                                                                                                       |
| homeFolderNamingRule          | attr:mail                                                                                                             |
| lastJpegPhotoLookup           | 0                                                                                                                     |
| ldapAgentName                 | uid=ldap_browser,cn=sysaccounts,cn=etc,dc=host,dc=tld                                                                 |
| ldapAgentPassword             | ***                                                                                                                   |
| ldapAttributesForGroupSearch  | cn                                                                                                                    |
| ldapAttributesForUserSearch   | uid;cn                                                                                                                |
| ldapBackupHost                |                                                                                                                       |
| ldapBackupPort                |                                                                                                                       |
| ldapBase                      | dc=host,dc=tld                                                                                                        |
| ldapBaseGroups                | cn=groups,cn=accounts,dc=host,dc=tld                                                                                  |
| ldapBaseUsers                 | cn=users,cn=accounts,dc=host,dc=tld                                                                                   |
| ldapCacheTTL                  | 600                                                                                                                   |
| ldapConfigurationActive       | 1                                                                                                                     |
| ldapDynamicGroupMemberURL     |                                                                                                                       |
| ldapEmailAttribute            | mail                                                                                                                  |
| ldapExperiencedAdmin          | 0                                                                                                                     |
| ldapExpertUUIDGroupAttr       | ipaUniqueID                                                                                                           |
| ldapExpertUUIDUserAttr        | ipaUniqueID                                                                                                           |
| ldapExpertUsernameAttr        | uid                                                                                                                   |
| ldapGroupDisplayName          | cn                                                                                                                    |
| ldapGroupFilter               |                                                                                                                       |
| ldapGroupFilterGroups         |                                                                                                                       |
| ldapGroupFilterMode           | 0                                                                                                                     |
| ldapGroupFilterObjectclass    |                                                                                                                       |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                                                          |
| ldapHost                      | ldaps://mgmt.host.it                                                                                                  |
| ldapIgnoreNamingRules         |                                                                                                                       |
| ldapLoginFilter               | (&(&(|(objectclass=person))(|(memberof=cn=ipausers,cn=groups,cn=accounts,dc=host,dc=tld))(|(uid=%uid)(|(mail=%uid))))) |
| ldapLoginFilterAttributes     |                                                                                                                       |
| ldapLoginFilterEmail          | 0                                                                                                                     |
| ldapLoginFilterMode           | 1                                                                                                                     |
| ldapLoginFilterUsername       | 1                                                                                                                     |
| ldapNestedGroups              | 0                                                                                                                     |
| ldapOverrideMainServer        |                                                                                                                       |
| ldapPagingSize                | 500                                                                                                                   |
| ldapPort                      | 636                                                                                                                   |
| ldapQuotaAttribute            |                                                                                                                       |
| ldapQuotaDefault              |                                                                                                                       |
| ldapTLS                       | 0                                                                                                                     |
| ldapUserDisplayName           | displayName                                                                                                           |
| ldapUserDisplayName2          | uid                                                                                                                   |
| ldapUserFilter                | (&(|(objectclass=person))(|(memberof=cn=ipausers,cn=groups,cn=accounts,dc=host,dc=tld)))                              |
| ldapUserFilterGroups          | group                                                                                                                 |
| ldapUserFilterMode            | 1                                                                                                                     |
| ldapUserFilterObjectclass     | person                                                                                                                |
| ldapUuidGroupAttribute        | auto                                                                                                                  |
| ldapUuidUserAttribute         | auto                                                                                                                  |
| turnOffCertCheck              | 0                                                                                                                     |
| turnOnPasswordChange          | 1                                                                                                                     |
| useMemberOfToDetectMembership | 1                                                                                                                     |

Client configuration

Browser:
Chrome/55.0.2883.87
Operating system:
Fedora 25

Logs

Web server error log

access.log: IP - - [22/Jan/2017:23:48:20 +0100] "POST /nextcloud/index.php/settings/personal/changepassword HTTP/1.1" 200 18 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"

Browser log

Don't think that is useful.
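A small log-triage helper, added here as an example and not part of this report or of Nextcloud: it parses nextcloud.log JSON lines like the two quoted above, joins the user_ldap error to the PHP warning of the same reqId, and names the LDAP resultCode (50 is insufficientAccessRights in RFC 4511), so an admin can see from the log alone that the directory refused the modify rather than Nextcloud failing internally. The sample lines are the report's own, with the reporter's "IP" placeholder kept.

```python
import json
import re

# LDAP resultCode names from RFC 4511; 50 is the code in the report above.
LDAP_RESULT_NAMES = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}

LDAP_ERR_RE = re.compile(r"LDAP error .+? \((?P<code>\d+)\) after calling (?P<call>\w+)")
PHP_LOC_RE = re.compile(r" at (?P<file>\S+?)#(?P<line>\d+)$")

# Constructed sample: the two nextcloud.log lines from the report, "IP" placeholder kept.
SAMPLE_LOG = """
{"reqId":"WIUw8oaxJKia2yi0gQcq4AAAAMs","remoteAddr":"IP","app":"PHP","message":"ldap_mod_replace(): Modify: Insufficient access at /var/www/dir/pub/nextcloud/apps/user_ldap/lib/LDAP.php#268","level":3,"time":"2017-01-22T22:23:47+00:00","method":"POST","url":"/nextcloud/index.php/settings/personal/changepassword","user":"testuser","version":"11.0.1.2"}
{"reqId":"WIUw8oaxJKia2yi0gQcq4AAAAMs","remoteAddr":"IP","app":"user_ldap","message":"LDAP error Insufficient access (50) after calling ldap_mod_replace","level":0,"time":"2017-01-22T22:23:47+00:00","method":"POST","url":"/nextcloud/index.php/settings/personal/changepassword","user":"testuser","version":"11.0.1.2"}
"""

def parse_log(text):
    """One JSON object per line; blank or non-JSON lines are skipped."""
    out = []
    for line in text.splitlines():
        try:
            out.append(json.loads(line))
        except ValueError:
            pass
    return out

def failed_ldap_password_changes(text):
    """Return one finding per request in which user_ldap logged an LDAP error on the
    personal change-password URL, joined by reqId with the PHP warning naming the call site."""
    by_req = {}
    for e in parse_log(text):
        by_req.setdefault(e.get("reqId"), []).append(e)
    findings = []
    for req_id, entries in by_req.items():
        for e in entries:
            m = LDAP_ERR_RE.search(e.get("message", ""))
            if e.get("app") != "user_ldap" or not m:
                continue
            if not e.get("url", "").endswith("/settings/personal/changepassword"):
                continue
            code = int(m.group("code"))
            php = next((x for x in entries if x.get("app") == "PHP"), {})
            loc = PHP_LOC_RE.search(php.get("message", ""))
            findings.append({
                "reqId": req_id, "user": e.get("user"), "call": m.group("call"),
                "code": code, "name": LDAP_RESULT_NAMES.get(code, "unknown"),
                "location": f"{loc.group('file')}:{loc.group('line')}" if loc else None,
            })
    return findings
```

When the helper reports insufficientAccessRights, compare the DN used in the ldappasswd test of step 2 (the user's own DN via -D) with the DN Nextcloud's user_ldap connection binds as, since the directory ACL is evaluated against the binding identity, not the entry being modified.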