[GH-ISSUE #25] Group listing always returns empty string #4

Closed
opened 2026-03-02 03:44:33 +03:00 by kerem · 4 comments
Originally created by @aakarshg on GitHub (Jun 11, 2021).
Original GitHub issue: https://github.com/dignajar/another-ldap-auth/issues/25

I have a FreeIPA LDAP server and authentication happens fine; however, listing groups for some reason always returns empty...

This is how I have configured the relevant parts of the deployment:

- name: LDAP_MANAGER_DN_USERNAME
  value: "uid=searchldap,cn=sysaccounts,cn=etc,dc=blah,dc=net"
- name: LDAP_BIND_DN
  value: "uid={username},cn=users,cn=accounts,dc=blah,dc=net"
- name: LDAP_SEARCH_BASE
  value: "cn=users,dc=blah,dc=net"
- name: LDAP_SEARCH_FILTER
  value: "(uid={username})"

This is what my user looks like:

dn: uid=stew,cn=users,cn=accounts,dc=blah,dc=net
memberOf: cn=grafana-viewers,cn=groups,cn=accounts,dc=blah,dc=net

Here's my ingress annotations:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://another-ldap-auth.ingress-nginx.svc.cluster.local:9000
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "grafana-viewers";
      proxy_set_header Ldap-Allowed-Groups-Conditional "and";

Here's the logs:

{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "User not found in the cache for authentication.", "username": "aakarsh"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Authenticating user.", "username": "aakarsh", "finalUsername": "uid=aakarsh,cn=users,cn=accounts,dc=blah,dc=net"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Authentication successful.", "username": "aakarsh", "elapsedTime": "0.06220197677612305"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "Adding user to the cache.", "username": "aakarsh"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "Validating groups via cache.", "username": "aakarsh", "cacheGroups": ""}
{"date": "2021-06-11 19:29:44", "level": "WARNING", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "Invalid groups from cache.", "username": "aakarsh", "conditional": "and"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Search by filter.", "filter": "(uid=aakarsh)", "elapsedTime": "0.002645730972290039"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Validating groups.", "username": "aakarsh", "groups": "grafana-viewers", "conditional": "and"}
{"date": "2021-06-11 19:29:44", "level": "ERROR", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Invalid groups for the user.", "username": "aakarsh", "matchedGroups": "", "groups": "grafana-viewers", "conditional": "and"}

What is interesting is that if I use the nginx-ldap-auth image (https://github.com/tiagoapimenta/nginx-ldap-auth) instead, with the following config, it works fine:

auth:
  bindDN: uid=searchldap,cn=sysaccounts,cn=etc,dc=blah,dc=net
  bindPW: blahpw
user:
  baseDN: cn=accounts,dc=blah,dc=net
  filter: "(uid={0})"
  requiredGroups:
  - grafana-viewers
group:
  baseDN: cn=accounts,dc=blah,dc=net
  groupAttr: cn
  filter: "(member={0})"

Can anyone please help me figure out the LDAP_SEARCH_BASE and LDAP_SEARCH_FILTER vars that I should be using instead?

I've tried a multitude of variations for LDAP_SEARCH_BASE and LDAP_SEARCH_FILTER but never succeeded.

kerem closed this issue 2026-03-02 03:44:33 +03:00

@dignajar commented on GitHub (Jun 13, 2021):

Is the memberOf in lowercase? cn=grafana-viewers,cn=groups,cn=accounts,dc=blah,dc=net ?

Because I'm checking, and the regex to get the groups is 'CN=((\w*\s?_?-?)*)'.


@dignajar commented on GitHub (Jun 13, 2021):

Probably I need to add ignore-case to the regex here: https://github.com/dignajar/another-ldap-auth/blob/master/files/aldap.py#L74

adGroup = re.match('CN=((\w*\s?_?-?)*)', adGroup, re.IGNORECASE).group(1)
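The following is an added example, not code from the another-ldap-auth project, showing why the pattern quoted in the comment above yields no group name for FreeIPA's lowercase cn= RDN until re.IGNORECASE is added, and what a case-insensitive group extraction plus an Ldap-Allowed-Groups / Ldap-Allowed-Groups-Conditional style check looks like. The sample memberOf values are constructed, the escaped-comma handling and all function names are my own, and the conditional semantics are an assumption ("and" requires every listed group, "or" requires at least one); the project's real implementation may differ.

```python
import re
from typing import Iterable, List

# Constructed sample input (not from the issue's server): memberOf values as
# FreeIPA (lowercase "cn=") and Active Directory (uppercase "CN=") return them,
# plus one RDN with an escaped comma, which a DN parser must not split on.
SAMPLE_MEMBER_OF = [
    "cn=grafana-viewers,cn=groups,cn=accounts,dc=blah,dc=net",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "cn=dev_ops-team,cn=groups,cn=accounts,dc=blah,dc=net",
    "cn=ops\\, oncall,cn=groups,cn=accounts,dc=blah,dc=net",
]

# The pattern quoted in the thread. Without re.IGNORECASE it only matches "CN=".
LEGACY_CN_RE = r"CN=((\w*\s?_?-?)*)"

# Assumed replacement: leading "cn=<value>" RDN in any attribute case; the value
# may contain backslash-escaped characters such as "\," (RFC 4514 escaping).
CN_RE = re.compile(r"^cn=((?:\\.|[^,\\])+)", re.IGNORECASE)


def legacy_group_names(member_of: Iterable[str], ignore_case: bool) -> List[str]:
    """Run the thread's regex as-is, with or without the flag the fix adds (wrapper is mine)."""
    flags = re.IGNORECASE if ignore_case else 0
    names = []
    for dn in member_of:
        m = re.match(LEGACY_CN_RE, dn, flags)
        if m:  # on a lowercase DN without the flag there is no match, hence no group
            names.append(m.group(1))
    return names


def group_names(member_of: Iterable[str]) -> List[str]:
    """Extract the group's cn from each memberOf DN, case-insensitively, honouring \\-escapes."""
    names = []
    for dn in member_of:
        m = CN_RE.match(dn.strip())
        if m:
            # Drop the escaping backslashes so "ops\, oncall" becomes "ops, oncall".
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)).strip())
    return names


def groups_allowed(user_groups: Iterable[str], allowed_header: str, conditional: str = "and") -> bool:
    """Assumed allow-list check: allowed_header is the comma-separated Ldap-Allowed-Groups value."""
    # cn's default equality rule is caseIgnoreMatch, so compare names case-insensitively.
    have = {g.lower() for g in user_groups}
    want = [g.strip().lower() for g in allowed_header.split(",") if g.strip()]
    if not want:
        return False  # fail closed: an empty allow-list grants nothing
    matched = [g for g in want if g in have]
    if conditional == "and":
        return len(matched) == len(want)
    if conditional == "or":
        return bool(matched)
    raise ValueError(f"unknown conditional: {conditional!r}")


if __name__ == "__main__":
    print("legacy, case-sensitive:  ", legacy_group_names(SAMPLE_MEMBER_OF, False))
    print("legacy, case-insensitive:", legacy_group_names(SAMPLE_MEMBER_OF, True))
    print("parsed:                  ", group_names(SAMPLE_MEMBER_OF))
    print("grafana-viewers allowed? ", groups_allowed(group_names(SAMPLE_MEMBER_OF), "grafana-viewers", "and"))
```

Note that the check fails closed when the user's group list is empty, which is the behaviour the issue's log shows ("matchedGroups": "" followed by "Invalid groups for the user."): a parsing bug in group extraction denies access rather than granting it. The allow-list itself should only ever come from the ingress's own proxy_set_header snippet, as in the annotations above, never from a header the client can supply.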

@dignajar commented on GitHub (Jun 14, 2021):

Fixed in version 2.1.
https://github.com/dignajar/another-ldap-auth/releases/tag/2.1


@aakarshg commented on GitHub (Jun 15, 2021):

Thanks @dignajar! I'll give it a shot later today and let you know how it goes.
