ActiveDirectory user password expired / problems with the Nextcloud Android app

3.10.0-1160.11.1.el7.x86_64
NethServer release 7.9.2009 (final)
Nextcloud 20.0.7.1

If an ActiveDirectory user password expires, there are significant problems with the Android apps “Nextcloud Talk” and “Nextcloud”.
My Nextcloud is integrated into the ActiveDirectory.

The apps then constantly try to log in with the wrong password, and then of course “Fail2ban” strikes, and Nextcloud itself then blocks the IP.

You also cannot enter a new password in the apps.
The re-authorization in Nextcloud-Talk does not work.
All that remains is to delete the user in the app and create a new one.
That can’t be normal and should be intercepted by the apps.
Paessler’s PRTG console had similar problems, but the developers have finally changed that.

Programs should actually stop logging in after a failed attempt, right?

Thanks and best regards,
Tim

@HarzDriver

Hi Tim

And this does NOT happen with Mail (IMAP/SMTP)?

That makes the solution rather simple: Just don’t allow an AD account to expire… The user should take care of that; users CAN change their password.

As the user is NOT using AD (they would notice it expired), the user can be removed - and they can remove the apps from their Android mobile…

If you activated password expiry, you have your reasons. If a user doesn’t respect that, he doesn’t need AD, period!

Personally, I’d throw out that user! Then again, I do not use password expiry, as it also NEVER worked in any Windows environment, no matter how large or small.

Force users to change passwords, and the password ends up taped to the screen, keyboard, etc… You get worse security with such stupid actions as forced password expiry!

My 2 cents
Andy

Yes, even if the user changes the password himself, that doesn’t change the fact that you first have to remove the account in the Nextcloud app and then add it again.

Other apps show how it can work.

For example, the AquaMail, Thunderbird, PRTG-Console and DAVx⁵ apps report to the user that the password has expired.
All you have to do is enter the new password and everything is fine again.

The PRTG Console also previously caused hundreds of invalid authorizations and put the PRTG server into security mode.
Then this was reported and the developers have now changed the behavior.

The basic discussion about whether passwords should expire should be decided by each administration team.
With us, the passwords expire every 365 days, which is actually a long period of time.
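The behaviour the two posts above describe (an app that keeps replaying a rejected password until the IP is banned, versus one that stops after the first rejection and asks for a new password) can be shown side by side with a small simulation. This is an added example, not code from the thread, from Nextcloud or from any of the apps named; the server, the ban counter, the passwords and the status codes are constructed stand-ins:

```python
"""Added example: a client-side credential gate versus blind retry.

Models the failure mode from the thread: the AD password expires and is changed,
the app still holds the old one, and an IP-based brute-force guard (fail2ban /
Nextcloud's own) bans the client after a few failures. The GatedClient latches on
the first 401 and refuses to reuse the rejected password until a new one is entered,
so it never accumulates enough failures to trigger the ban.

Everything here (FakeServer, the ban threshold, the sample passwords) is constructed
for illustration and is not Nextcloud's or any app's real implementation.
"""
from dataclasses import dataclass


class CredentialsRejected(Exception):
    """Raised when the stored password was rejected and must be re-entered."""


@dataclass
class FakeServer:
    """Stand-in for the Nextcloud endpoint plus the IP ban logic in front of it."""
    valid_password: str
    ban_threshold: int = 5  # constructed value; fail2ban maxretry is site-specific
    failures: int = 0
    banned: bool = False

    def authenticate(self, password: str) -> int:
        """Return an HTTP-like status: 200 ok, 401 bad credentials, 403 IP banned."""
        if self.banned:
            return 403
        if password == self.valid_password:
            self.failures = 0
            return 200
        self.failures += 1
        if self.failures >= self.ban_threshold:
            self.banned = True
        return 401


@dataclass
class NaiveClient:
    """The behaviour the original post complains about: same password, every sync."""
    server: FakeServer
    password: str

    def sync(self, attempts: int) -> list:
        return [self.server.authenticate(self.password) for _ in range(attempts)]


@dataclass
class GatedClient:
    """Latches on the first 401 and sends nothing more until the password is replaced.

    Only a 401 (credentials rejected) latches; 403 or transient errors do not,
    so a network hiccup does not lock the user out of their own client.
    """
    server: FakeServer
    password: str
    needs_reauth: bool = False
    requests_sent: int = 0

    def sync(self) -> int:
        if self.needs_reauth:
            raise CredentialsRejected("password was rejected; ask the user for a new one")
        self.requests_sent += 1
        status = self.server.authenticate(self.password)
        if status == 401:
            self.needs_reauth = True
            raise CredentialsRejected("password rejected by server")
        return status

    def update_password(self, new_password: str) -> None:
        """Called once the user has typed the new password into the app."""
        self.password = new_password
        self.needs_reauth = False


def run_scenario(sync_attempts: int = 10, ban_threshold: int = 5) -> dict:
    """Replay the same sync loop through both clients after an AD password change."""
    old_pw, new_pw = "Winter2023!", "Spring2024!"  # constructed sample values

    naive_server = FakeServer(valid_password=new_pw, ban_threshold=ban_threshold)
    naive = NaiveClient(naive_server, old_pw)
    naive_statuses = naive.sync(sync_attempts)

    gated_server = FakeServer(valid_password=new_pw, ban_threshold=ban_threshold)
    gated = GatedClient(gated_server, old_pw)
    gated_rejections = 0
    for _ in range(sync_attempts):
        try:
            gated.sync()
        except CredentialsRejected:
            gated_rejections += 1
    gated.update_password(new_pw)  # user re-enters the password in the app
    status_after_update = gated.sync()

    return {
        "naive_statuses": naive_statuses,
        "naive_banned": naive_server.banned,
        "gated_requests_sent": gated.requests_sent,
        "gated_rejections": gated_rejections,
        "gated_banned": gated_server.banned,
        "gated_status_after_update": status_after_update,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With the constructed threshold of 5, the naive client gets five 401s and then only 403s (the IP is banned, and entering the right password no longer helps), while the gated client sends exactly one failing request, surfaces the rejection to the user ten times locally without touching the server, and succeeds on its first request after the new password is entered.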

There are some settings on Nextcloud but they seem to be for OpenLDAP…

Default password policy DN:

This feature requires OpenLDAP with ppolicy. The DN of a default password policy will be used for password expiry handling in the absence of any user specific password policy. Password expiry handling features the following:

  • When a LDAP password is about to expire, display a warning message to the user showing the number of days left before it expires. Password expiry warnings are displayed through the notifications app for Nextcloud.
  • Prompt LDAP users with expired passwords to reset their password during login, provided that an adequate number of grace logins is still available.

Leave the setting empty to keep password expiry handling disabled.

For the password expiry handling feature to work, LDAP password changes per user must be enabled and the LDAP server must be running OpenLDAP with its ppolicy module configured accordingly.

  • Example:

cn=default,ou=policies,dc=my-company,dc=com

https://docs.nextcloud.com/server/20/admin_manual/configuration_user/user_auth_ldap.html#directory-settings

About changing the behavior of the Nextcloud desktop/android/iOS apps that would be better reported on their respective issue tracker.