Nextcloud Admin Processes
This page describes some common processes for our Nextcloud instance. The user-facing documentation is here.
If a user does not have access to their TOTP keys any more, you can reset it using the occ CLI tool of Nextcloud. Please take care that the request is somewhat verified, e.g. by a signed email or another confirmation that you can trust.
In this case, Nextcloud is running as the www-data user.
Find out the user's internal ID derived from the LDAP username: sudo -u www-data /var/www/nextcloud/occ ldap:search jane.doe. It will be something like 12343d6e-fede-1071-aad5-d3fabd36cf231.
Deactivate TOTP for this user: sudo -u www-data /var/www/nextcloud/occ twofactorauth:disable 12343d6e-fede-1071-aad5-d3fabd36cf231 totp
Now, when jane.doe logs in, she has to set TOTP codes again.