Sometimes this can happen when you have a mobile client still using an old password/token which constantly attempts to sync files and sends the wrong credentials and Nextcloud thinks your are being hacked.
You can send logs to support (Settings - Support) so I can check.
Can you try logging in to Nextcloud with a bad user from different clients, mobile/different browsers?
Logs are full of strange:
ul 19 10:13:01 syncloud Nextcloud[31421]: {“reqId”:“-”,“level”:2,“time”:“2022-07-19T08:13:01+00:00”,“remoteAddr”:“-”,“user”:“–”,“app”:“no app in context”,“method”:“POST”,“url”:“/login”,“message”:“Login failed: guilsauve (Remote IP: —)”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0”,“version”:“24.0.2.1”}
Ok, I think I know what is going on, some time ago Users app moved away from uid to cn as the main login field and most of the apps were updated. But if you had installed Nextcloud long time ago and keep upgrading it will stay on uid filed.
To check this can you run the following command:
snap run nextcloud.occ config:list | grep ldap_login_filter