[GH-ISSUE #301] Allow two way syncing with other Authentication front ends (SCIM/LDAP edits) #113

Open
opened 2026-02-27 08:15:19 +03:00 by kerem · 26 comments

Originally created by @shibco on GitHub (Sep 22, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/301

Thanks for building LLDAP, this is a very necessary implementation of a very overwhelming technology.

Projects like Keycloak (and others) offer many different ways to control new user registration and self service of their accounts. In [my research](https://newdesigncongress.org/en/research/the-para-real) for example, we've learned about system admins using community presence as a tool for self managing semi-open user signup systems, making them public facing but limited or protected from abusive signup through a user's presence in a community. In many cases account creation can happen seamlessly during user sign up.

The flow is like this:

  1. A user is part of a community or a small organisation (eg Matrix server, Discord server etc) that has an SSO set of infrastructure (eg, Nextcloud, Peertube, Penpot, etc) and all of these services use an SSO strategy (eg Keycloak)
  2. The user visits an application, such as Nextcloud, and clicks "Login with SSO"
  3. The user authenticates via OAuth against their Matrix / Discord / etc account.
  4. If the user doesn't exist inside LLDAP, then Keycloak creates a new user from the scope of the OAuth response
  5. Keycloak syncs this newly created user back to LLDAP

For the user, this strategy is completely invisible. They land on the application, click Sign In via SSO, and are immediately greeted with the onboarding / welcome screen for the application they want to use. If they have an account in LLDAP, the user instead is logged in.

From reading through this project's discussion, I understand that write access or syncing is not on the roadmap for LLDAP right now, but this authentication strategy is growing in popularity, particularly amongst so-called "Dark Forest" public/private communities that require both a degree of openness but still need to protect their infrastructure from abuse. Some examples would include [Furality](https://furality.org), [Lumbung Space](https://lumbung.space), [Lurk](https://lurk.org) and [Underscore](https://undersco.re). The simplicity of LLDAP's role as a source of truth for user accounts, combined with this secure but very simple authentication flow would make for a powerful combination for low-complexity account setup and authentication.

An initial implementation of this would simply allow for users to be created inside Keycloak to be synced back to LLDAP. The complete implementation would be to allow Keycloak or similar services to act as the front end for user account management, such as changing their email address or name, in the same place as they can do things like add 2FA.

Finally, as mentioned on the Discord, if this gets built I will post a guide on how to set this up on [Underscore](https://undersco.re).


@poVoq commented on GitHub (Sep 22, 2022):

If you want OIDC (Oauth2) support you could try to use LLDAP with this: https://gitlab.com/yaal/canaille/


@shibco commented on GitHub (Sep 23, 2022):

@poVoq we already have OIDC, the problem is that we'd like new accounts to be created automatically, which is a current limitation to LLDAP.


@nitnelave commented on GitHub (Oct 20, 2022):

Once #346 is submitted, can you give it a try? One thing that I wasn't sure about is how the password is managed. Currently it creates the user without a password and expects KeyCloak to follow that up with a PasswordModifyExtension request. Another possibility is that the password is given in plain text when creating the user (not handled now, but it could be added).
The last possibility (I hope it doesn't come to that) is that KeyCloak sends us the already hashed password. In that case, I'd have to store the hash and use that for logging in, meaning that I'd have to support two possible password schemes, and I'd really like to avoid that.


@shibco commented on GitHub (Nov 2, 2022):

Thanks for your hard work on this! We can definitely do passwords as part of the first sign in (we would use it as a recovery string actually).

It looks like it's merged, and I assume is part of `:latest`? If so, I'm getting this error when I try to sync the LDAP database in Keycloak:

`🚨 [error]: [LDAP] Service Error: while handling incoming messages: while receiving LDAP op: ldapmsg invalid`

My settings are the same as the guide, but edit mode is set to `WRITEABLE` rather than `READ_ONLY`. Any ideas?


@ieugen commented on GitHub (Nov 8, 2022):

There is an open standard for user sync between services: SCIM http://www.simplecloud.info/ .
There is a big list of services / implementations on that page.

We use it to sync Azure AD users and groups to AWS IAM Identity Center.
This way we can have users in one environment and be synchronized in the other so we can use them for access for example.

I would not implement 2 way sync though - it will probably be hard to do right - if possible.

IMO lldap should allow to be a target and a sink for SCIM.
It could be a target and a sink to multiple services.
I guess with this feature it might be possible to have users do 2 way sync ?!

For keycloak I found:
https://github.com/Captain-P-Goldfish/scim-for-keycloak
https://issues.redhat.com/browse/KEYCLOAK-2537

I hope it helps.


@nitnelave commented on GitHub (Aug 3, 2023):

Sorry for the delay on the feature. Is that still something you'd like? I guess this falls under #518 , but I'm surprised we're getting `ldapmsg invalid`. Could you provide a pcap so we can have a look?


@shibco commented on GitHub (Aug 4, 2023):

Hi @nitnelave, we are still using LLDAP and are very happy with it. This would be a very handy feature!


@nitnelave commented on GitHub (Aug 4, 2023):

@shibacomputer I'm glad you're happy with LLDAP :) Could you get a packet capture of the traffic between keycloak and LLDAP with tcpdump when you get a `ldapmsg invalid` error? I'd like to see what they send.
LLDAP already implements creating a new user through the LDAP protocol, so it _should_ work.


@h3mmy commented on GitHub (Aug 22, 2023):

I was unable to reproduce the `ldapmsg invalid` scenario. When I switched my keycloak to writeable it generated errors related to the OID that's not implemented in lldap yet. Keycloak is still able to successfully import from lldap, but cannot add/modify any lldap user information. I assume that is expected until after #518

Scenario

3 users including lldapadmin in lldap
1 user in keycloak realm not in lldap
Keycloak -> set Edit Mode to "WRITEABLE" -> Sync all users

Keycloak logs

```
2023-08-22 18:51:20,066 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-39) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {fullSyncPeriod=[-1], pagination=[false], startTls=[false], connectionPooling=[false], usersDn=[ou=people,dc=bloopnet,dc=xyz], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], changedSyncPeriod=[84600], bindDn=[uid=keycloak,ou=people,dc=bloopnet,dc=xyz], usernameLDAPAttribute=[uid], lastSync=[1692730280], vendor=[other], uuidLDAPAttribute=[uid], allowKerberosAuthentication=[false], connectionUrl=[ldap://lldap.auth.svc.cluster.local], syncRegistrations=[true], authType=[simple], searchScope=[2], useTruststoreSpi=[ldapsOnly], usePasswordModifyExtendedOp=[false], trustEmail=[false], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[WRITABLE], validatePasswordPolicy=[false]}, binaryAttributes: []
2023-08-22 18:51:20,289 INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (executor-thread-39) Sync of federation mapper 'groups-mapper' finished. Status: UserFederationSyncResult [ 4 imported groups, 0 updated groups, 0 removed groups ]
2023-08-22 18:51:20,300 INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (executor-thread-39) Sync all users from LDAP to local store: realm: *******, federation provider: ldap
2023-08-22 18:51:20,524 INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (executor-thread-39) Sync all users finished: 0 imported users, 3 updated users
```

lldap logs

```
2023-08-22T18:51:20.094153239+00:00  INFO     LDAP session [ 113ms | 0.13% / 100.00% ]
2023-08-22T18:51:20.094411401+00:00  INFO     ┝━ LDAP request [ 112ms | 99.38% ]
2023-08-22T18:51:20.208855254+00:00  ERROR    ┝━ 🚨 [error]: Unsupported control oid | o: 2.16.840.1.113730.3.4.2
2023-08-22T18:51:20.208858440+00:00  ERROR    ┝━ 🚨 [error]: Failed to parse ldapcontrol
2023-08-22T18:51:20.208863189+00:00  INFO     ┝━ LDAP request [ 550µs | 0.49% ]
2023-08-22T18:51:20.253140515+00:00  ERROR    ┝━ 🚨 [error]: Unsupported control oid | o: 2.16.840.1.113730.3.4.2
2023-08-22T18:51:20.253143836+00:00  ERROR    ┝━ 🚨 [error]: Failed to parse ldapcontrol
2023-08-22T18:51:20.253147327+00:00  INFO     ┕━ LDAP request [ 3.56µs | 0.00% ]
2023-08-22T18:51:20.304407025+00:00  INFO     LDAP session [ 134ms | 0.11% / 100.00% ]
2023-08-22T18:51:20.304443975+00:00  INFO     ┝━ LDAP request [ 133ms | 99.57% ]
2023-08-22T18:51:20.440185929+00:00  ERROR    ┝━ 🚨 [error]: Unsupported control oid | o: 2.16.840.1.113730.3.4.2
2023-08-22T18:51:20.440187960+00:00  ERROR    ┝━ 🚨 [error]: Failed to parse ldapcontrol
2023-08-22T18:51:20.440191417+00:00  INFO     ┝━ LDAP request [ 430µs | 0.32% ]
2023-08-22T18:51:20.488833733+00:00  ERROR    ┝━ 🚨 [error]: Unsupported control oid | o: 2.16.840.1.113730.3.4.2
2023-08-22T18:51:20.488837448+00:00  ERROR    ┝━ 🚨 [error]: Failed to parse ldapcontrol
2023-08-22T18:51:20.488841266+00:00  INFO     ┕━ LDAP request [ 3.96µs | 0.00% ]
```

@nitnelave commented on GitHub (Aug 22, 2023):

Hmm, that relates to a slightly deeper issue: the query cannot be parsed by the LDAP library we're using. To be fair, I haven't looked into the controls of the LDAP protocol, so I'm not sure what it's supposed to do, but the library just plain drops the message (which is the right thing to do). This needs to be investigated some more, to determine what that control is and whether we want to support it, then adding support in the LDAP library.


@nitnelave commented on GitHub (Aug 22, 2023):

Looking into it, it seems to be ManageDsaIT control, which only comes into play when using referrals (AFAIU references to entries in other, connected LDAP servers), which we don't support. We can check with the LDAP library if it's conceivable to report unsupported controls without failing the parse, so we can ignore it.

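As an added illustration of the control-handling discussed in this and the preceding comment (not lldap's code, nor the library it uses): a minimal BER decoder for the LDAP `Controls` sequence, followed by the rule RFC 4511 §4.1.11 prescribes. The decision logic is the point: an unrecognised control with `criticality: false` (what Keycloak sends here for ManageDsaIT) is ignored and the operation proceeds; an unrecognised control with `criticality: true` fails the operation with `unavailableCriticalExtension` (result code 12). Dropping the whole message, as the logs above show, is the failure mode to avoid. The sample byte strings are constructed by hand; the `SUPPORTED` list is a hypothetical server's, not lldap's.

```rust
/// LDAP Controls (RFC 4511 §4.1.11): decode a BER-encoded `[0] SEQUENCE OF Control`
/// and apply the criticality rule. Example code for this thread, not lldap's own.

/// OID of the ManageDsaIT control (RFC 3296), as seen in the lldap logs above.
pub const MANAGE_DSA_IT: &str = "2.16.840.1.113730.3.4.2";

/// Constructed sample: `[0] { SEQUENCE { OID 2.16.840.1.113730.3.4.2 } }`,
/// criticality absent, i.e. DEFAULT FALSE (what a writeable Keycloak sends).
pub const MANAGE_DSA_IT_NON_CRITICAL: [u8; 16] = [
    0xA0, 0x0E, 0x30, 0x0C, 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x03, 0x04, 0x02,
];
/// Constructed sample: same control with an explicit `BOOLEAN TRUE` criticality.
pub const MANAGE_DSA_IT_CRITICAL: [u8; 19] = [
    0xA0, 0x11, 0x30, 0x0F, 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x03, 0x04, 0x02,
    0x01, 0x01, 0xFF,
];

#[derive(Debug, PartialEq)]
pub struct Control { pub oid: String, pub criticality: bool, pub value: Option<Vec<u8>> }

#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Run the operation; unknown non-critical controls are listed so they can be logged.
    Proceed { ignored: Vec<String> },
    /// Fail the operation with the given LDAP result code (12 = unavailableCriticalExtension).
    Reject { code: u8, unsupported: String },
}

/// Read one BER TLV at `pos` (definite lengths only, as LDAP requires) and advance `pos`.
fn read_tlv<'a>(buf: &'a [u8], pos: &mut usize) -> Option<(u8, &'a [u8])> {
    let tag = *buf.get(*pos)?;
    let mut i = *pos + 1;
    let first = *buf.get(i)?;
    i += 1;
    let len = if first < 0x80 {
        first as usize
    } else {
        let n = (first & 0x7F) as usize;
        if n == 0 || n > 4 { return None; } // indefinite or absurd length: malformed
        let mut l = 0usize;
        for _ in 0..n { l = (l << 8) | *buf.get(i)? as usize; i += 1; }
        l
    };
    let end = i.checked_add(len)?;
    let content = buf.get(i..end)?; // truncated messages fail here instead of panicking
    *pos = end;
    Some((tag, content))
}

/// Decode OBJECT IDENTIFIER content bytes into dotted form.
fn decode_oid(bytes: &[u8]) -> Option<String> {
    let first = *bytes.first()? as u64;
    let mut arcs = if first >= 80 { vec![2, first - 80] } else { vec![first / 40, first % 40] };
    let (mut acc, mut open) = (0u64, false);
    for &b in &bytes[1..] {
        acc = acc.checked_mul(128)?.checked_add((b & 0x7F) as u64)?;
        open = b & 0x80 != 0;
        if !open { arcs.push(acc); acc = 0; }
    }
    if open { return None; } // last sub-identifier never terminated
    Some(arcs.iter().map(u64::to_string).collect::<Vec<_>>().join("."))
}

/// Parse the Controls element: `[0]` (0xA0) inside an LDAPMessage, or a bare SEQUENCE (0x30).
pub fn parse_controls(buf: &[u8]) -> Option<Vec<Control>> {
    let mut pos = 0;
    let (tag, outer) = read_tlv(buf, &mut pos)?;
    if tag != 0xA0 && tag != 0x30 { return None; }
    let (mut controls, mut p) = (Vec::new(), 0);
    while p < outer.len() {
        let (t, ctrl) = read_tlv(outer, &mut p)?;
        if t != 0x30 { return None; }
        let mut q = 0;
        let (t, oid) = read_tlv(ctrl, &mut q)?;
        if t != 0x06 { return None; }
        let mut c = Control { oid: decode_oid(oid)?, criticality: false, value: None };
        while q < ctrl.len() {
            match read_tlv(ctrl, &mut q)? {
                (0x01, v) if v.len() == 1 => c.criticality = v[0] != 0,
                (0x04, v) => c.value = Some(v.to_vec()),
                _ => return None,
            }
        }
        controls.push(c);
    }
    Some(controls)
}

/// The RFC 4511 rule: unknown + critical => reject; unknown + non-critical => ignore.
pub fn decide(controls: &[Control], supported: &[&str]) -> Decision {
    let mut ignored = Vec::new();
    for c in controls {
        if supported.contains(&c.oid.as_str()) { continue; }
        if c.criticality {
            return Decision::Reject { code: 12, unsupported: c.oid.clone() };
        }
        ignored.push(c.oid.clone());
    }
    Decision::Proceed { ignored }
}

fn main() {
    const SUPPORTED: &[&str] = &[]; // hypothetical server that knows no controls at all
    let ctrls = parse_controls(&MANAGE_DSA_IT_NON_CRITICAL).expect("well-formed sample");
    println!("{:?}", decide(&ctrls, SUPPORTED));
}
```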

@h3mmy commented on GitHub (Aug 23, 2023):

That's good to know. I know the OID for the LDAPv3 modify password request is 1.3.6.1.4.1.4203.1.11.1 (https://www.rfc-editor.org/rfc/rfc3062) but is also an extended operation, so may be out of scope for lldap.

I do think this specific issue of having keycloak write back to lldap would be covered by #518 if you are looking to merge them together.


@nitnelave commented on GitHub (Aug 23, 2023):

The modify password extended operation is supported. What's not supported is the use of controls for operations, basically opt in options. That's what's failing here, and it won't be covered by #518 (though 518 is probably also necessary)


@nitnelave commented on GitHub (Sep 14, 2023):

Can you give it another try? We now support that specific control.


@h3mmy commented on GitHub (Sep 15, 2023):

Did the same thing. No changes to the users, 1 user in keycloak not in lldap. In Keycloak: User Federation -> Sync all users

No errors were observed in this scenario. User was not added to lldap (I believe this is expected for now)

Keycloak logs:

```
2023-09-15 17:57:53,484 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-79) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {pagination=[false], fullSyncPeriod=[-1], startTls=[false], connectionPooling=[false], usersDn=[ou=people,dc=bloopnet,dc=xyz], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], usernameLDAPAttribute=[uid], changedSyncPeriod=[84600], bindDn=[uid=keycloak,ou=people,dc=bloopnet,dc=xyz], lastSync=[1694800673], vendor=[other], uuidLDAPAttribute=[uid], allowKerberosAuthentication=[false], connectionUrl=[ldap://lldap.auth.svc.cluster.local], syncRegistrations=[true], authType=[simple], searchScope=[2], useTruststoreSpi=[ldapsOnly], usePasswordModifyExtendedOp=[true], trustEmail=[false], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[WRITABLE], validatePasswordPolicy=[false]}, binaryAttributes: []
2023-09-15 17:57:53,952 INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (executor-thread-79) Sync of federation mapper 'groups-mapper' finished. Status: UserFederationSyncResult [ 0 imported groups, 5 updated groups, 0 removed groups ]
2023-09-15 17:57:53,956 INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (executor-thread-79) Sync all users from LDAP to local store: realm: dfefb809-c8dc-49e3-8037-1616a9741e58, federation provider: ldap
2023-09-15 17:57:54,146 INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (executor-thread-79) Sync all users finished: 0 imported users, 6 updated users
```

lldap logs:

```
2023-09-15T17:57:53.544170514+00:00  INFO     LDAP session [ 74.4ms | 0.26% / 100.00% ]
2023-09-15T17:57:53.546713681+00:00  INFO     ┝━ LDAP request [ 72.4ms | 97.32% ]
2023-09-15T17:57:53.873506118+00:00  INFO     ┝━ LDAP request [ 1.79ms | 2.41% ]
2023-09-15T17:57:53.921580310+00:00  INFO     ┕━ LDAP request [ 4.57µs | 0.01% ]
2023-09-15T17:57:53.959188830+00:00  INFO     LDAP session [ 75.3ms | 0.13% / 100.00% ]
2023-09-15T17:57:53.959383467+00:00  INFO     ┝━ LDAP request [ 74.1ms | 98.40% ]
2023-09-15T17:57:54.036309955+00:00  INFO     ┝━ LDAP request [ 1.10ms | 1.47% ]
2023-09-15T17:57:54.045136146+00:00  INFO     ┕━ LDAP request [ 2.50µs | 0.00% ]
```

@nitnelave commented on GitHub (Sep 15, 2023):

@h3mmy could you retry with the verbose LLDAP logs? There isn't much to see right there


@h3mmy commented on GitHub (Sep 15, 2023):

Sure!

Again, no users changed, via keycloak "User Federation" -> "Update all users"

2023-09-15T23:15:09.233945957+00:00  INFO     LDAP session [ 112ms | 0.24% / 100.00% ]
2023-09-15T23:15:09.234094712+00:00  INFO     ┝━ LDAP request [ 110ms | 0.06% / 98.60% ]
2023-09-15T23:15:09.234111201+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=keycloak,ou=people,dc=bloopnet,dc=xyz", cred: LdapBindCred::Simple }), ctrl: [] }
2023-09-15T23:15:09.234115805+00:00  DEBUG    │  ┝━ do_bind [ 110ms | 0.04% / 98.54% ] dn: uid=keycloak,ou=people,dc=bloopnet,dc=xyz
2023-09-15T23:15:09.234131396+00:00  DEBUG    │  │  ┝━ bind [ 110ms | 0.02% / 98.09% ]
2023-09-15T23:15:09.234138379+00:00  DEBUG    │  │  │  ┝━ get_password_file_for_user [ 344µs | 0.31% ] user_id: UserId("keycloak")
2023-09-15T23:15:09.237139026+00:00  DEBUG    │  │  │  ┕━ passwords_match [ 109ms | 97.76% ] username: keycloak
2023-09-15T23:15:09.346455114+00:00  DEBUG    │  │  ┝━ get_user_groups [ 472µs | 0.42% ] user_id: "keycloak"
2023-09-15T23:15:09.352282130+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), attributes: [] }, GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-08-22T18:28:23.364516, uuid: Uuid("74439c93-7cf3-304a-b448-e1aecafc497a"), attributes: [] }, GroupDetails { group_id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-22T18:28:23.371498, uuid: Uuid("fe9a204b-7635-3636-ae79-ae22d5613695"), attributes: [] }}
2023-09-15T23:15:09.352287008+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-09-15T23:15:09.352293705+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-09-15T23:15:09.353088390+00:00  INFO     ┝━ LDAP request [ 1.27ms | 0.17% / 1.14% ]
2023-09-15T23:15:09.353102570+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=bloopnet,dc=xyz", scope: Subtree, aliases: Always, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectclass", "groupOfUniqueNames")]), attrs: ["uid", "member", "cn", "objectclass"] }), ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
2023-09-15T23:15:09.353104029+00:00  DEBUG    │  ┝━ do_search [ 1.08ms | 0.40% / 0.97% ]
2023-09-15T23:15:09.353113626+00:00  DEBUG    │  │  ┝━ 🐛 [debug]:  | request.base: "ou=groups,dc=bloopnet,dc=xyz" | scope: Groups
2023-09-15T23:15:09.353114824+00:00  DEBUG    │  │  ┝━ get_groups_list [ 608µs | 0.01% / 0.54% ]
2023-09-15T23:15:09.353118969+00:00  DEBUG    │  │  │  ┝━ 🐛 [debug]:  | filters: And([And([])])
2023-09-15T23:15:09.353122378+00:00  DEBUG    │  │  │  ┕━ list_groups [ 591µs | 0.53% ] filters: Some(And([And([])]))
2023-09-15T23:15:09.358452641+00:00  DEBUG    │  │  │     ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-08-22T18:28:23.364516, uuid: Uuid("74439c93-7cf3-304a-b448-e1aecafc497a"), users: [UserId("authentik"), UserId("ldapadmin"), UserId("camelusplexii"), UserId("keycloak")], attributes: [] }, Group { id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-22T18:28:23.371498, uuid: Uuid("fe9a204b-7635-3636-ae79-ae22d5613695"), users: [UserId("keycloak")], attributes: [] }, Group { id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2023-08-22T18:28:23.375969, uuid: Uuid("2b65114d-80a4-3381-b318-02622dc75613"), users: [], attributes: [] }, Group { id: GroupId(6), display_name: "mqtt", creation_date: 2023-08-23T11:08:18.409300, uuid: Uuid("2d7ff51c-43eb-3a03-b635-4354c5913de2"), users: [UserId("tautulli"), UserId("zwavejs")], attributes: [] }, Group { id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), users: [UserId("keycloak"), UserId("authentik"), UserId("tautulli"), UserId("zwavejs"), UserId("camelusplexii")], attributes: [] }]
2023-09-15T23:15:09.361020903+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 7.40µs | 0.01% ] ldap_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361027889+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361039972+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 4.79µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361044638+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361066194+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 4.82µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361071322+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361076409+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 3.15µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361079490+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361085024+00:00  DEBUG    │  │  ┕━ expand_attribute_wildcards [ 3.14µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361087953+00:00  DEBUG    │  │     ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "member", "cn", "objectclass"]
2023-09-15T23:15:09.361133076+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["lldap_admin"] }, LdapPartialAttribute { atype: "member", vals: ["uid=authentik,ou=people,dc=bloopnet,dc=xyz", "uid=ldapadmin,ou=people,dc=bloopnet,dc=xyz", "uid=camelusplexii,ou=people,dc=bloopnet,dc=xyz", "uid=keycloak,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["lldap_admin"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] })
2023-09-15T23:15:09.361185916+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_password_manager,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["lldap_password_manager"] }, LdapPartialAttribute { atype: "member", vals: ["uid=keycloak,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["lldap_password_manager"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] })
2023-09-15T23:15:09.361205266+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["lldap_strict_readonly"] }, LdapPartialAttribute { atype: "member", vals: [] }, LdapPartialAttribute { atype: "cn", vals: ["lldap_strict_readonly"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] })
2023-09-15T23:15:09.361223152+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=mqtt,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["mqtt"] }, LdapPartialAttribute { atype: "member", vals: ["uid=tautulli,ou=people,dc=bloopnet,dc=xyz", "uid=zwavejs,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["mqtt"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] })
2023-09-15T23:15:09.361244350+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=service_account,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["service_account"] }, LdapPartialAttribute { atype: "member", vals: ["uid=keycloak,ou=people,dc=bloopnet,dc=xyz", "uid=authentik,ou=people,dc=bloopnet,dc=xyz", "uid=tautulli,ou=people,dc=bloopnet,dc=xyz", "uid=zwavejs,ou=people,dc=bloopnet,dc=xyz", "uid=camelusplexii,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["service_account"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] })
2023-09-15T23:15:09.361257484+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-09-15T23:15:09.405942988+00:00  INFO     ┕━ LDAP request [ 24.3µs | 0.02% ]
2023-09-15T23:15:09.405964095+00:00  DEBUG       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
2023-09-15T23:15:09.416439503+00:00  INFO     LDAP session [ 128ms | 0.17% / 100.00% ]
2023-09-15T23:15:09.416652001+00:00  INFO     ┝━ LDAP request [ 126ms | 0.07% / 97.88% ]
2023-09-15T23:15:09.416677368+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=keycloak,ou=people,dc=bloopnet,dc=xyz", cred: LdapBindCred::Simple }), ctrl: [] }
2023-09-15T23:15:09.416682766+00:00  DEBUG    │  ┝━ do_bind [ 125ms | 0.05% / 97.81% ] dn: uid=keycloak,ou=people,dc=bloopnet,dc=xyz
2023-09-15T23:15:09.416707850+00:00  DEBUG    │  │  ┝━ bind [ 125ms | 0.03% / 97.33% ]
2023-09-15T23:15:09.416717600+00:00  DEBUG    │  │  │  ┝━ get_password_file_for_user [ 574µs | 0.45% ] user_id: UserId("keycloak")
2023-09-15T23:15:09.419008269+00:00  DEBUG    │  │  │  ┕━ passwords_match [ 124ms | 96.86% ] username: keycloak
2023-09-15T23:15:09.543229268+00:00  DEBUG    │  │  ┝━ get_user_groups [ 546µs | 0.43% ] user_id: "keycloak"
2023-09-15T23:15:09.547011255+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), attributes: [] }, GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-08-22T18:28:23.364516, uuid: Uuid("74439c93-7cf3-304a-b448-e1aecafc497a"), attributes: [] }, GroupDetails { group_id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-22T18:28:23.371498, uuid: Uuid("fe9a204b-7635-3636-ae79-ae22d5613695"), attributes: [] }}
2023-09-15T23:15:09.547018669+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-09-15T23:15:09.547029076+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-09-15T23:15:09.548348420+00:00  INFO     ┝━ LDAP request [ 2.49ms | 0.58% / 1.94% ]
2023-09-15T23:15:09.548378209+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=bloopnet,dc=xyz", scope: Subtree, aliases: Always, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectclass", "person")]), attrs: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] }), ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
2023-09-15T23:15:09.548379951+00:00  DEBUG    │  ┝━ do_search [ 1.74ms | 0.64% / 1.36% ]
2023-09-15T23:15:09.548389096+00:00  DEBUG    │  │  ┝━ 🐛 [debug]:  | request.base: "ou=people,dc=bloopnet,dc=xyz" | scope: Users
2023-09-15T23:15:09.548391398+00:00  DEBUG    │  │  ┝━ get_user_list [ 818µs | 0.01% / 0.64% ]
2023-09-15T23:15:09.548395392+00:00  DEBUG    │  │  │  ┝━ 🐛 [debug]:  | filters: And([And([])])
2023-09-15T23:15:09.548399831+00:00  DEBUG    │  │  │  ┕━ list_users [ 801µs | 0.62% ] filters: Some(And([And([])])) | _get_groups: false
2023-09-15T23:15:09.553105046+00:00  DEBUG    │  │  │     ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId("authentik"), email: "bloopyboi+authentik@***.com", display_name: Some("zwavejs"), creation_date: 2023-08-23T11:07:38.098917, uuid: Uuid("1b219cd6-8af1-378a-a8eb-a00f02ab7cdb"), attributes: [] }, groups: Some([GroupDetails { group_id: GroupId(6), display_name: "mqtt", creation_date: 2023-08-23T11:08:18.409300, uuid: Uuid("2d7ff51c-43eb-3a03-b635-4354c5913de2"), attributes: [] }, GroupDetails { group_id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), attributes: [] }]) }]
2023-09-15T23:15:09.557336464+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 19.2µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557354698+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557382162+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 12.1µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557394297+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557412454+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 12.2µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557424321+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557446462+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 11.4µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557457700+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557474915+00:00  DEBUG    │  │  ┝━ expand_attribute_wildcards [ 22.9µs | 0.02% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557496654+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557538176+00:00  DEBUG    │  │  ┕━ expand_attribute_wildcards [ 26.0µs | 0.02% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557563320+00:00  DEBUG    │  │     ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"]
2023-09-15T23:15:09.557642756+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=authentik,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["authentik"] }, LdapPartialAttribute { atype: "mail", vals: ["bloopyboi+authentik@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-22T18:31:25.313838+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-22T18:31:25.313838+00:00"] }] })
2023-09-15T23:15:09.557791950+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=camelusplexii,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["camelusplexii"] }, LdapPartialAttribute { atype: "mail", vals: ["camelus@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-09-03T14:09:10.766847+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-09-03T14:09:10.766847+00:00"] }] })
2023-09-15T23:15:09.557888032+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=keycloak,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["keycloak"] }, LdapPartialAttribute { atype: "mail", vals: ["bloopyboi+keycloak@***.com"] }, LdapPartialAttribute { atype: "givenname", vals: ["keycloak"] }, LdapPartialAttribute { atype: "sn", vals: ["workload"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-22T18:32:50.691197+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-22T18:32:50.691197+00:00"] }] })
2023-09-15T23:15:09.557977794+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=ldapadmin,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["ldapadmin"] }, LdapPartialAttribute { atype: "mail", vals: ["bloopyboi@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-22T18:28:23.380411+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-22T18:28:23.380411+00:00"] }] })
2023-09-15T23:15:09.558058196+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=tautulli,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["tautulli"] }, LdapPartialAttribute { atype: "mail", vals: ["tautulli@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-23T11:10:16.349303+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-23T11:10:16.349303+00:00"] }] })
2023-09-15T23:15:09.558135159+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=zwavejs,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["zwavejs"] }, LdapPartialAttribute { atype: "mail", vals: ["zwavejs@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-23T11:07:38.098917+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-23T11:07:38.098917+00:00"] }] })
2023-09-15T23:15:09.558229161+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-09-15T23:15:09.560114321+00:00  INFO     ┕━ LDAP request [ 10.7µs | 0.01% ]
2023-09-15T23:15:09.560123597+00:00  DEBUG       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
<!-- gh-comment-id:1721998451 --> @h3mmy commented on GitHub (Sep 15, 2023): Sure! Again, no users changed, via keycloak "User Federation" -> "Update all users" ``` 2023-09-15T23:15:09.233945957+00:00 INFO LDAP session [ 112ms | 0.24% / 100.00% ] 2023-09-15T23:15:09.234094712+00:00 INFO ┝━ LDAP request [ 110ms | 0.06% / 98.60% ] 2023-09-15T23:15:09.234111201+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=keycloak,ou=people,dc=bloopnet,dc=xyz", cred: LdapBindCred::Simple }), ctrl: [] } 2023-09-15T23:15:09.234115805+00:00 DEBUG │ ┝━ do_bind [ 110ms | 0.04% / 98.54% ] dn: uid=keycloak,ou=people,dc=bloopnet,dc=xyz 2023-09-15T23:15:09.234131396+00:00 DEBUG │ │ ┝━ bind [ 110ms | 0.02% / 98.09% ] 2023-09-15T23:15:09.234138379+00:00 DEBUG │ │ │ ┝━ get_password_file_for_user [ 344µs | 0.31% ] user_id: UserId("keycloak") 2023-09-15T23:15:09.237139026+00:00 DEBUG │ │ │ ┕━ passwords_match [ 109ms | 97.76% ] username: keycloak 2023-09-15T23:15:09.346455114+00:00 DEBUG │ │ ┝━ get_user_groups [ 472µs | 0.42% ] user_id: "keycloak" 2023-09-15T23:15:09.352282130+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), attributes: [] }, GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-08-22T18:28:23.364516, uuid: Uuid("74439c93-7cf3-304a-b448-e1aecafc497a"), attributes: [] }, GroupDetails { group_id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-22T18:28:23.371498, uuid: Uuid("fe9a204b-7635-3636-ae79-ae22d5613695"), attributes: [] }} 2023-09-15T23:15:09.352287008+00:00 DEBUG │ │ ┕━ 🐛 [debug]: Success! 
2023-09-15T23:15:09.352293705+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) 2023-09-15T23:15:09.353088390+00:00 INFO ┝━ LDAP request [ 1.27ms | 0.17% / 1.14% ] 2023-09-15T23:15:09.353102570+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=bloopnet,dc=xyz", scope: Subtree, aliases: Always, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectclass", "groupOfUniqueNames")]), attrs: ["uid", "member", "cn", "objectclass"] }), ctrl: [LdapControl::ManageDsaIT { criticality: false }] } 2023-09-15T23:15:09.353104029+00:00 DEBUG │ ┝━ do_search [ 1.08ms | 0.40% / 0.97% ] 2023-09-15T23:15:09.353113626+00:00 DEBUG │ │ ┝━ 🐛 [debug]: | request.base: "ou=groups,dc=bloopnet,dc=xyz" | scope: Groups 2023-09-15T23:15:09.353114824+00:00 DEBUG │ │ ┝━ get_groups_list [ 608µs | 0.01% / 0.54% ] 2023-09-15T23:15:09.353118969+00:00 DEBUG │ │ │ ┝━ 🐛 [debug]: | filters: And([And([])]) 2023-09-15T23:15:09.353122378+00:00 DEBUG │ │ │ ┕━ list_groups [ 591µs | 0.53% ] filters: Some(And([And([])])) 2023-09-15T23:15:09.358452641+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | return: [Group { id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-08-22T18:28:23.364516, uuid: Uuid("74439c93-7cf3-304a-b448-e1aecafc497a"), users: [UserId("authentik"), UserId("ldapadmin"), UserId("camelusplexii"), UserId("keycloak")], attributes: [] }, Group { id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-22T18:28:23.371498, uuid: Uuid("fe9a204b-7635-3636-ae79-ae22d5613695"), users: [UserId("keycloak")], attributes: [] }, Group { id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2023-08-22T18:28:23.375969, uuid: Uuid("2b65114d-80a4-3381-b318-02622dc75613"), users: [], attributes: [] }, Group { id: GroupId(6), display_name: "mqtt", creation_date: 
2023-08-23T11:08:18.409300, uuid: Uuid("2d7ff51c-43eb-3a03-b635-4354c5913de2"), users: [UserId("tautulli"), UserId("zwavejs")], attributes: [] }, Group { id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), users: [UserId("keycloak"), UserId("authentik"), UserId("tautulli"), UserId("zwavejs"), UserId("camelusplexii")], attributes: [] }] 2023-09-15T23:15:09.361020903+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 7.40µs | 0.01% ] ldap_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361027889+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361039972+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 4.79µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361044638+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361066194+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 4.82µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361071322+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361076409+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 3.15µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361079490+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361085024+00:00 DEBUG │ │ ┕━ expand_attribute_wildcards [ 3.14µs | 0.00% ] ldap_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361087953+00:00 DEBUG │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "member", "cn", "objectclass"] 2023-09-15T23:15:09.361133076+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute 
{ atype: "uid", vals: ["lldap_admin"] }, LdapPartialAttribute { atype: "member", vals: ["uid=authentik,ou=people,dc=bloopnet,dc=xyz", "uid=ldapadmin,ou=people,dc=bloopnet,dc=xyz", "uid=camelusplexii,ou=people,dc=bloopnet,dc=xyz", "uid=keycloak,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["lldap_admin"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] }) 2023-09-15T23:15:09.361185916+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_password_manager,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["lldap_password_manager"] }, LdapPartialAttribute { atype: "member", vals: ["uid=keycloak,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["lldap_password_manager"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] }) 2023-09-15T23:15:09.361205266+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["lldap_strict_readonly"] }, LdapPartialAttribute { atype: "member", vals: [] }, LdapPartialAttribute { atype: "cn", vals: ["lldap_strict_readonly"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] }) 2023-09-15T23:15:09.361223152+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=mqtt,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["mqtt"] }, LdapPartialAttribute { atype: "member", vals: ["uid=tautulli,ou=people,dc=bloopnet,dc=xyz", "uid=zwavejs,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["mqtt"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] }) 2023-09-15T23:15:09.361244350+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: 
"cn=service_account,ou=groups,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["service_account"] }, LdapPartialAttribute { atype: "member", vals: ["uid=keycloak,ou=people,dc=bloopnet,dc=xyz", "uid=authentik,ou=people,dc=bloopnet,dc=xyz", "uid=tautulli,ou=people,dc=bloopnet,dc=xyz", "uid=zwavejs,ou=people,dc=bloopnet,dc=xyz", "uid=camelusplexii,ou=people,dc=bloopnet,dc=xyz"] }, LdapPartialAttribute { atype: "cn", vals: ["service_account"] }, LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }] }) 2023-09-15T23:15:09.361257484+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] }) 2023-09-15T23:15:09.405942988+00:00 INFO ┕━ LDAP request [ 24.3µs | 0.02% ] 2023-09-15T23:15:09.405964095+00:00 DEBUG ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [LdapControl::ManageDsaIT { criticality: false }] } 2023-09-15T23:15:09.416439503+00:00 INFO LDAP session [ 128ms | 0.17% / 100.00% ] 2023-09-15T23:15:09.416652001+00:00 INFO ┝━ LDAP request [ 126ms | 0.07% / 97.88% ] 2023-09-15T23:15:09.416677368+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=keycloak,ou=people,dc=bloopnet,dc=xyz", cred: LdapBindCred::Simple }), ctrl: [] } 2023-09-15T23:15:09.416682766+00:00 DEBUG │ ┝━ do_bind [ 125ms | 0.05% / 97.81% ] dn: uid=keycloak,ou=people,dc=bloopnet,dc=xyz 2023-09-15T23:15:09.416707850+00:00 DEBUG │ │ ┝━ bind [ 125ms | 0.03% / 97.33% ] 2023-09-15T23:15:09.416717600+00:00 DEBUG │ │ │ ┝━ get_password_file_for_user [ 574µs | 0.45% ] user_id: UserId("keycloak") 2023-09-15T23:15:09.419008269+00:00 DEBUG │ │ │ ┕━ passwords_match [ 124ms | 96.86% ] username: keycloak 2023-09-15T23:15:09.543229268+00:00 DEBUG │ │ ┝━ get_user_groups [ 546µs | 0.43% ] user_id: "keycloak" 2023-09-15T23:15:09.547011255+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(5), display_name: 
"service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), attributes: [] }, GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-08-22T18:28:23.364516, uuid: Uuid("74439c93-7cf3-304a-b448-e1aecafc497a"), attributes: [] }, GroupDetails { group_id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-22T18:28:23.371498, uuid: Uuid("fe9a204b-7635-3636-ae79-ae22d5613695"), attributes: [] }} 2023-09-15T23:15:09.547018669+00:00 DEBUG │ │ ┕━ 🐛 [debug]: Success! 2023-09-15T23:15:09.547029076+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) 2023-09-15T23:15:09.548348420+00:00 INFO ┝━ LDAP request [ 2.49ms | 0.58% / 1.94% ] 2023-09-15T23:15:09.548378209+00:00 DEBUG │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=bloopnet,dc=xyz", scope: Subtree, aliases: Always, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectclass", "person")]), attrs: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] }), ctrl: [LdapControl::ManageDsaIT { criticality: false }] } 2023-09-15T23:15:09.548379951+00:00 DEBUG │ ┝━ do_search [ 1.74ms | 0.64% / 1.36% ] 2023-09-15T23:15:09.548389096+00:00 DEBUG │ │ ┝━ 🐛 [debug]: | request.base: "ou=people,dc=bloopnet,dc=xyz" | scope: Users 2023-09-15T23:15:09.548391398+00:00 DEBUG │ │ ┝━ get_user_list [ 818µs | 0.01% / 0.64% ] 2023-09-15T23:15:09.548395392+00:00 DEBUG │ │ │ ┝━ 🐛 [debug]: | filters: And([And([])]) 2023-09-15T23:15:09.548399831+00:00 DEBUG │ │ │ ┕━ list_users [ 801µs | 0.62% ] filters: Some(And([And([])])) | _get_groups: false 2023-09-15T23:15:09.553105046+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | return: [UserAndGroups { user: User { user_id: UserId("authentik"), email: "bloopyboi+authentik@***.com", display_name: 
Some("zwavejs"), creation_date: 2023-08-23T11:07:38.098917, uuid: Uuid("1b219cd6-8af1-378a-a8eb-a00f02ab7cdb"), attributes: [] }, groups: Some([GroupDetails { group_id: GroupId(6), display_name: "mqtt", creation_date: 2023-08-23T11:08:18.409300, uuid: Uuid("2d7ff51c-43eb-3a03-b635-4354c5913de2"), attributes: [] }, GroupDetails { group_id: GroupId(5), display_name: "service_account", creation_date: 2023-08-22T18:34:00.001433, uuid: Uuid("835557ee-17a6-386e-9b6a-8ac80213b7b2"), attributes: [] }]) }] 2023-09-15T23:15:09.557336464+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 19.2µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557354698+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557382162+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 12.1µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557394297+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557412454+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 12.2µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557424321+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557446462+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 11.4µs | 0.01% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557457700+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 
2023-09-15T23:15:09.557474915+00:00 DEBUG │ │ ┝━ expand_attribute_wildcards [ 22.9µs | 0.02% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557496654+00:00 DEBUG │ │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557538176+00:00 DEBUG │ │ ┕━ expand_attribute_wildcards [ 26.0µs | 0.02% ] ldap_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557563320+00:00 DEBUG │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["uid", "mail", "givenname", "sn", "objectclass", "createTimestamp", "modifyTimestamp"] 2023-09-15T23:15:09.557642756+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=authentik,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["authentik"] }, LdapPartialAttribute { atype: "mail", vals: ["bloopyboi+authentik@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-22T18:31:25.313838+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-22T18:31:25.313838+00:00"] }] }) 2023-09-15T23:15:09.557791950+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=camelusplexii,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["camelusplexii"] }, LdapPartialAttribute { atype: "mail", vals: ["camelus@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-09-03T14:09:10.766847+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-09-03T14:09:10.766847+00:00"] }] }) 
2023-09-15T23:15:09.557888032+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=keycloak,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["keycloak"] }, LdapPartialAttribute { atype: "mail", vals: ["bloopyboi+keycloak@***.com"] }, LdapPartialAttribute { atype: "givenname", vals: ["keycloak"] }, LdapPartialAttribute { atype: "sn", vals: ["workload"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-22T18:32:50.691197+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-22T18:32:50.691197+00:00"] }] })
2023-09-15T23:15:09.557977794+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=ldapadmin,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["ldapadmin"] }, LdapPartialAttribute { atype: "mail", vals: ["bloopyboi@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-22T18:28:23.380411+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-22T18:28:23.380411+00:00"] }] })
2023-09-15T23:15:09.558058196+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=tautulli,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["tautulli"] }, LdapPartialAttribute { atype: "mail", vals: ["tautulli@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-23T11:10:16.349303+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-23T11:10:16.349303+00:00"] }] })
2023-09-15T23:15:09.558135159+00:00 DEBUG │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=zwavejs,ou=people,dc=bloopnet,dc=xyz", attributes: [LdapPartialAttribute { atype: "uid", vals: ["zwavejs"] }, LdapPartialAttribute { atype: "mail", vals: ["zwavejs@***.com"] }, LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "createTimestamp", vals: ["2023-08-23T11:07:38.098917+00:00"] }, LdapPartialAttribute { atype: "modifyTimestamp", vals: ["2023-08-23T11:07:38.098917+00:00"] }] })
2023-09-15T23:15:09.558229161+00:00 DEBUG │ ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-09-15T23:15:09.560114321+00:00 INFO ┕━ LDAP request [ 10.7µs | 0.01% ]
2023-09-15T23:15:09.560123597+00:00 DEBUG ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
```

@nitnelave commented on GitHub (Sep 16, 2023):

Hmm, I see a perfectly normal session listing the groups and then the users. If there's any problem left, we'll have to find them in the other service. I can imagine that we're not returning a property that they expect, but I wouldn't know what's missing.


@h3mmy commented on GitHub (Sep 17, 2023):

> Hmm, I see a perfectly normal session listing the groups and then the users. If there's any problem left, we'll have to find them in the other service. I can imagine that we're not returning a property that they expect, but I wouldn't know what's missing.

Yes, that is correct. I did not observe any errors. Because I didn't change any users, I don't think it would have tried to use the controls involved with LDAP write.

It does seem to be fine with the ManageDsaIT control though.


@nitnelave commented on GitHub (Jan 22, 2024):

I'm closing this issue because I think it was resolved, feel free to re-open if it's not.


@h3mmy commented on GitHub (Jan 23, 2024):

I would like a scope clarification. Based on the closing of this issue, I should be able to create/edit users in LDAP via an external idp such as keycloak. Is that correct?


@nitnelave commented on GitHub (Jan 23, 2024):

Creating users through LDAP is possible, so a basic sync is possible. Editing users is not implemented, though. Is it required for your needs?


@h3mmy commented on GitHub (Jan 23, 2024):

> Creating users through LDAP is possible, so a basic sync is possible. Editing users is not implemented, though. Is it required for your needs?

I run Keycloak and Authentik in my homelab. I want to be able to manage my users in Keycloak and have them stay in sync with an LDAP backend. This requires the LDAP backend to be writeable.

As I understand it, in the current state lldap is not capable of this. I want to know which issue to watch since this one is closing.


@lulezi commented on GitHub (Nov 24, 2024):

> Editing users is not implemented, though. Is it required for your needs?

Hi @nitnelave, I'm using lldap as a backend for authelia for our cycling club's SSO. The user data is synced to lldap from our member management tool using some Go I cobbled together. After implementing the user creation I got to user modification and came to find out that it's not yet supported by lldap. Do you have any plans for this?

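As an added illustration of the two points above (nitnelave: user creation over LDAP works, modification is not implemented; lulezi: a Go job syncing a member list into lldap), here is a create-only sync written for this thread. It is not code from the thread, from lldap or from lulezi's tool. The `Directory` interface and the in-memory `memDirectory` stand in for a real LDAP connection (with go-ldap you would back `List` with a Search and `Add` with an AddRequest); the base DN and member records are constructed, and the attribute names and `objectClass` values are taken from the debug log earlier in the thread. Because Modify is unavailable, existing users whose attributes no longer match are reported as drifted instead of being silently skipped, and uid values are DN-escaped so a stray comma in the member tool's data cannot produce an unexpected RDN.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// DirectoryUser holds the attributes this sync manages (names mirror the
// inetOrgPerson entries in the debug log above).
type DirectoryUser struct {
	UID, Mail, GivenName, SN string
}

// Directory is the minimal LDAP surface a create-only sync needs. This is an
// assumed abstraction for the example, not an lldap or go-ldap API.
type Directory interface {
	List() ([]DirectoryUser, error)
	Add(dn string, attrs map[string][]string) error
}

var ErrEntryExists = errors.New("entryAlreadyExists")

// memDirectory is an offline stand-in for a live LDAP server.
type memDirectory struct{ entries map[string]map[string][]string }

func newMemDirectory() *memDirectory {
	return &memDirectory{entries: map[string]map[string][]string{}}
}

func (m *memDirectory) List() ([]DirectoryUser, error) {
	var out []DirectoryUser
	for _, a := range m.entries {
		out = append(out, DirectoryUser{UID: first(a["uid"]), Mail: first(a["mail"]),
			GivenName: first(a["givenName"]), SN: first(a["sn"])})
	}
	return out, nil
}

func (m *memDirectory) Add(dn string, attrs map[string][]string) error {
	if _, ok := m.entries[dn]; ok {
		return ErrEntryExists
	}
	m.entries[dn] = attrs
	return nil
}

func first(v []string) string {
	if len(v) == 0 {
		return ""
	}
	return v[0]
}

// EscapeDNValue escapes an attribute value for use in a DN (RFC 4514 section
// 2.4): the mandatory set plus '=', leading '#', and leading/trailing space.
func EscapeDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		switch {
		case strings.ContainsRune(`,+"\<>;=`, r),
			r == '#' && i == 0,
			r == ' ' && (i == 0 || i == len(v)-1):
			b.WriteRune('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// userDN places the entry under ou=people, matching the layout seen in the log.
func userDN(uid, base string) string {
	return fmt.Sprintf("uid=%s,ou=people,%s", EscapeDNValue(uid), base)
}

// userAttrs builds the Add request; objectClass values match what lldap returned above.
func userAttrs(u DirectoryUser) map[string][]string {
	return map[string][]string{
		"objectClass": {"inetOrgPerson", "posixAccount", "mailAccount", "person"},
		"uid": {u.UID}, "mail": {u.Mail}, "givenName": {u.GivenName}, "sn": {u.SN},
	}
}

// SyncReport lists what happened to each desired uid, sorted for stable output.
type SyncReport struct{ Added, Unchanged, Drifted []string }

// Sync adds every desired user missing from the directory. Existing users whose
// attributes differ are reported as Drifted: with no LDAP Modify available the
// operator must reconcile them another way (GraphQL API, CLI, bootstrap script).
func Sync(dir Directory, base string, desired []DirectoryUser) (SyncReport, error) {
	existing, err := dir.List()
	if err != nil {
		return SyncReport{}, err
	}
	current := map[string]DirectoryUser{}
	for _, u := range existing {
		current[u.UID] = u
	}
	var r SyncReport
	for _, want := range desired {
		have, ok := current[want.UID]
		switch {
		case !ok:
			if err := dir.Add(userDN(want.UID, base), userAttrs(want)); err != nil {
				return r, fmt.Errorf("add %s: %w", want.UID, err)
			}
			r.Added = append(r.Added, want.UID)
		case have == want:
			r.Unchanged = append(r.Unchanged, want.UID)
		default:
			r.Drifted = append(r.Drifted, want.UID)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Unchanged)
	sort.Strings(r.Drifted)
	return r, nil
}

func main() {
	dir, base := newMemDirectory(), "dc=example,dc=org" // constructed
	_, _ = Sync(dir, base, []DirectoryUser{{UID: "alice", Mail: "alice@example.org", GivenName: "Alice", SN: "Example"}})
	rep, err := Sync(dir, base, []DirectoryUser{
		{UID: "alice", Mail: "alice.new@example.org", GivenName: "Alice", SN: "Example"}, // changed mail
		{UID: "bob", Mail: "bob@example.org", GivenName: "Bob", SN: "Example"},           // new member
	})
	fmt.Printf("%+v %v\n", rep, err)
}
```

Running it twice as in `main` shows the shape of the problem lulezi hit: the second pass adds `bob` but can only flag `alice` as drifted, because the mail change would need a Modify.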

@nitnelave commented on GitHub (Nov 24, 2024):

It's on the to-do list, but I don't have time to work on LLDAP these days. If someone wants to implement it, it shouldn't be too hard and I can provide guidance, but I don't expect to work on this in the coming months.

However, for your use case, unless you want to be generic, it sounds like you'd be better served by the GraphQL API, the command line interface (potentially scripted by Go), or the bootstrap script (declarative users and groups).


@lulezi commented on GitHub (Nov 25, 2024):

Great, I'll try the GraphQL API, thanks!
