New ldap users can't login: `LDAP Login: Could not get user object for DN ... Maybe the LDAP entry has no set display name attribute?`

[romale]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

I've NC integration with FreeIPA as ldap server.
New LDAP users reports that can't login.
Old users, can login without issues.
New ldap username testing in tab LoginAttributes works fine
NC 26.0.3
Dockerized
Centos 7

Steps to reproduce

1. create new ldap user
2. login to NC

Expected behavior

Success login

Installation method

Community Docker image

Nextcloud Server version

26

Operating system

RHEL/CentOS

PHP engine version

None

Web server

None

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.example.com",
            "docs.example.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "26.0.3.2",
        "overwrite.cli.url": "https:\/\/cloud.example.com",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": false,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 0,
        "logfile": "\/var\/www\/html\/nextcloud.log",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "auth.bruteforce.protection.enabled": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "allow_local_remote_servers": true
    }
}

List of activated Apps

Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - cfg_share_links: 4.1.0
  - circles: 26.0.0
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contactsinteraction: 1.7.0
  - dav: 1.25.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_external: 1.18.0
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - firstrunwizard: 2.15.0
  - forms: 3.3.1
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - nextcloud_announcements: 1.15.0
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - onlyoffice: 7.8.0
  - password_policy: 1.16.0
  - passwords: 2023.6.30
  - photos: 2.2.0
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - related_resources: 1.1.0-alpha1
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - support: 1.9.0
  - survey_client: 1.14.0
  - systemtags: 1.16.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - updatenotification: 1.16.0
  - user_ldap: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflow_script: 1.11.2
  - workflowengine: 2.8.0
Disabled:
  - bruteforcesettings: 2.6.0 (installed 2.4.0)
  - calendar: 4.4.2 (installed 4.4.2)
  - contacts: 5.3.2 (installed 5.3.2)
  - dashboard: 7.6.0 (installed 7.2.0)
  - encryption: 2.14.0
  - piwik: 0.11.1 (installed 0.11.1)
  - recommendations: 1.5.0 (installed 0.5.0)
  - spreed: 16.0.4 (installed 16.0.4)
  - suspicious_login: 4.4.0
  - twofactor_totp: 8.0.0

Nextcloud Signing status

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- EXTRA_FILE
		- nextcloud.log

Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [nextcloud.log] => Array
                        (
                            [expected] => 
                            [current] => 0ea9e4a39457de4dbf49de81b9c5ef5e3bea0facb9261d05728e991347b8581d27520a4657b3e1eaa028f9ffd0c577270737eee2cc882fcec94701f3b7d31f72
                        )

                )

        )

)

Nextcloud Logs

cat nextcloud.log | grep myuser|jq
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "initializing paged search for filter (&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE))), base cn=users,cn=accounts,dc=ipa.dc=example,dc=com, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 500, offset 0",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "Calling LDAP function ldap_search with parameters [{},\"cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",\"(&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE)))\",[\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":500,\"cookie\":\"\"},\"iscritical\":false}]]",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "Calling LDAP function ldap_read with parameters [{},\"uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",\"(objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(!(nsaccountlock=TRUE))\",[\"displayname\"],0,-1]",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "readAttribute failed for DN uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "No or empty name for uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com with filter (objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(!(nsaccountlock=TRUE)).",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "Calling LDAP function ldap_explode_dn with parameters [\"uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",0]",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "Calling LDAP function ldap_explode_dn with parameters [\"myuser\",0]",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "No DN found for myuser on ipa01.ipa.syntellect.ru",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "initializing paged search for filter (&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE))), base cn=users,cn=accounts,dc=ipa.dc=example,dc=com, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 500, offset 0",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "Calling LDAP function ldap_search with parameters [{},\"cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",\"(&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa.dc=example,dc=com)(uid=myuser)(!(nsaccountlock=TRUE)))\",[\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"carlicense\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":500,\"cookie\":\"\"},\"iscritical\":false}]]",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 0,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "Calling LDAP function ldap_explode_dn with parameters [\"uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com\",0]",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "W5SsDFbqpFOrsmWOX1o4",
  "level": 2,
  "time": "2023-08-08T08:58:40+00:00",
  "remoteAddr": "10.1.1.1",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "LDAP Login: Could not get user object for DN uid=myuser,cn=users,cn=accounts,dc=ipa.dc=example,dc=com. Maybe the LDAP entry has no set display name attribute?",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}

Additional info

No response

[romale]

But console test fail

./occ ldap:check-user myuser
The given user is not a recognized LDAP user.

[romale]

updating NC to 26.0.4 not solves the issue

[tcpluess]

I have the same issue, updated NC to 27.0.2 but with no effect, i.e. new users still get this error, while old users can log in.
Funny enough, I get this in the error log:

{"reqId":"ZN5K65cw4r5KFBhTyaxqtgAAkCM","level":2,"time":"2023-08-17T16:29:31+00:00","remoteAddr":"xxxxx","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"LDAP Login: Could not get user object for DN cn=,ou=,ou=,dc=,dc=,dc=. Maybe the LDAP entry has no set display name attribute?","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0","version":"27.0.2.1","data":{"app":"user_ldap"}}

so the user name is definitely found in the LDAP but for some reason the user cannot authenticate.

[solracsf]

Is this still an issue on 26.0.6/27.1.0 ?

[mcfly82]

Hi!
I think we have the same Problem.
we are running on nextcloud aio 27.1.0 (ubuntu 22.04)

{"reqId":"sVE5vuSfOy8yblClWO6L","level":2,"time":"2023-09-20T15:41:44+00:00","remoteAddr":"X.X.X.X","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"LDAP Login: Could not get user object for DN cn=YYY,ou=,dc=,dc=. Maybe the LDAP entry has no set display name attribute?","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","version":"27.1.0.7","data":{"app":"user_ldap"},"id":"650b14313140f"}

Best

[mcfly82]

Do you need more Infos?
Which info would be helpful?
Best

[tcpluess]

For me it was still an issue.
However, I fixed it by manually downgrading the LDAP plugin: I downloaded an old version of Nextcloud (v. 24) and extracted the relevant files and replaced them in my Nextcloud setup. This indeed gave me a working LDAP.

However, it is very interesting that with the recent update to 27.1.1 the LDAP plugin got reverted to the newest version as well and LDAP still works. But I cannot test right now if new users will be visible or if the behaviour will be as before, where just existing users appear and no new ones are added.

[romale]

Is this still an issue on 26.0.6/27.1.0 ?

yes. today upgraded from 26.0.5 to 26.0.7 and the issue still exists

[romale]

Is this still an issue on 26.0.6/27.1.0 ?

yes. today upgraded from 26.0.5 to 26.0.7 and the issue still exists

UPD. upgrade from 26.0.7 to 27.1.2 not solves this issue

[DeubaGit]

For me it was still an issue. However, I fixed it by manually downgrading the LDAP plugin: I downloaded an old version of Nextcloud (v. 24) and extracted the relevant files and replaced them in my Nextcloud setup. This indeed gave me a working LDAP.

However, it is very interesting that with the recent update to 27.1.1 the LDAP plugin got reverted to the newest version as well and LDAP still works. But I cannot test right now if new users will be visible or if the behaviour will be as before, where just existing users appear and no new ones are added.

For me it was still an issue. However, I fixed it by manually downgrading the LDAP plugin: I downloaded an old version of Nextcloud (v. 24) and extracted the relevant files and replaced them in my Nextcloud setup. This indeed gave me a working LDAP.

However, it is very interesting that with the recent update to 27.1.1 the LDAP plugin got reverted to the newest version as well and LDAP still works. But I cannot test right now if new users will be visible or if the behaviour will be as before, where just existing users appear and no new ones are added.

Hi, looks the same issue is on 27.1.3 too.
which files you replaced? i tried with few files and the whole folder but no solution