Skip to content

Failed client logins counted as brute force attack when LDAP server is unavailable #3514

Description

@linucksrox

Steps to reproduce

  1. Configure Nextcloud to authenticate users against Active Directory or LDAP.
  2. Set up a Nextcloud client to sync with an LDAP account.
  3. Break the connection to the LDAP server (many ways to do this, pick one).
  4. Wait a little while, maybe 30-60 minutes while the client continues to retry the login, filling up the oc_bruteforce_attempts table.
  5. Restore the connection to the LDAP server, allowing login to work again.

Expected behaviour

No bruteforce attempts should be recorded for any known LDAP users during the time that Nextcloud is not able to connect to any LDAP server for authentication, because we don't know for sure that this is an attack.

Actual behaviour

The oc_bruteforce_attempts table is flooded with entries from all the "failed" login attempts that the client makes during the LDAP outage.

Server configuration

Operating system:
Ubuntu 16.04 x64

Web server:
Apache

Database:
MariaDB

PHP version:
7.0

Nextcloud version: (see Nextcloud admin page)
11.0.1

Updated from an older Nextcloud/ownCloud or fresh install:
Updated from Nextcloud 10

Where did you install Nextcloud from:
.zip package

Metadata

Metadata

Assignees

No one assigned

    Labels

    0. Needs triagePending check for reproducibility or if it fits our roadmapenhancement

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions