starred/lldap-lldap
1
0
Fork 0
mirror of https://github.com/lldap/lldap.git synced 2026-04-25 16:25:55 +03:00
Code Issues 101 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #373] [BUG] Cannot log in when authelia blocks the request #142

New issue
Open
opened 2026-02-27 08:15:30 +03:00 by kerem · 4 comments
kerem commented 2026-02-27 08:15:30 +03:00
Owner
Copy link

Originally created by @ptoulouse on GitHub (Nov 18, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/373

Strange issue here. I configured both lldap and authelia according to the documentation in this repo.

When I try to reach lldap.example.com, I first hit authelia. I then authenticate, then get redirected to lldap. If I go back to authelia login page (auth.example.com) and logout on that page, I can still access lldap.example.com afterward. However username and password won't work.

I have to clear cookies to get redirected to authelia again when trying to reach lldap.example.com. AS far as I know, LLDAP is the only app that I have deployed that shows this behavior.

Originally created by @ptoulouse on GitHub (Nov 18, 2022). Original GitHub issue: https://github.com/lldap/lldap/issues/373 Strange issue here. I configured both lldap and authelia according to the documentation in this repo. When I try to reach lldap.example.com, I first hit authelia. I then authenticate, then get redirected to lldap. If I go back to authelia login page (auth.example.com) and logout on that page, I can still access lldap.example.com afterward. However username and password won't work. I have to clear cookies to get redirected to authelia again when trying to reach lldap.example.com. AS far as I know, LLDAP is the only app that I have deployed that shows this behavior.
kerem commented 2026-02-27 08:15:30 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Nov 18, 2022):

It's probably due to the cache: loading the LLDAP page only loads static assets that are cached by your browser (the code of the SPA), so Authelia doesn't get a chance to trigger.
But when you try to log in, it has to check with the server if the password is correct. At that point, the request is blocked by Authelia since you're not logged in, so it shows up as "password is wrong" even though it's actually a redirect to the Authelia login page.

I guess the cleanest way to handle that would be to add support for the Authelia cookies (so if you're logged in to Authelia you're logged in to LLDAP), and check the LLDAP log in response to see if Authelia highjacked it.

<!-- gh-comment-id:1319628791 --> @nitnelave commented on GitHub (Nov 18, 2022): It's probably due to the cache: loading the LLDAP page only loads static assets that are cached by your browser (the code of the SPA), so Authelia doesn't get a chance to trigger. But when you try to log in, it has to check with the server if the password is correct. At that point, the request is blocked by Authelia since you're not logged in, so it shows up as "password is wrong" even though it's actually a redirect to the Authelia login page. I guess the cleanest way to handle that would be to add support for the Authelia cookies (so if you're logged in to Authelia you're logged in to LLDAP), and check the LLDAP log in response to see if Authelia highjacked it.
kerem commented 2026-02-27 08:15:30 +03:00
Author
Owner
Copy link

@pixelrazor commented on GitHub (Dec 16, 2022):

It's probably due to the cache: loading the LLDAP page only loads static assets that are cached by your browser (the code of the SPA), so Authelia doesn't get a chance to trigger.
But when you try to log in, it has to check with the server if the password is correct. At that point, the request is blocked by Authelia since you're not logged in, so it shows up as "password is wrong" even though it's actually a redirect to the Authelia login page.

I guess the cleanest way to handle that would be to add support for the Authelia cookies (so if you're logged in to Authelia you're logged in to LLDAP), and check the LLDAP log in response to see if Authelia highjacked it.

Would it be preferred to use trusted header auth over the authelia cookie?

<!-- gh-comment-id:1355621760 --> @pixelrazor commented on GitHub (Dec 16, 2022): > It's probably due to the cache: loading the LLDAP page only loads static assets that are cached by your browser (the code of the SPA), so Authelia doesn't get a chance to trigger. > But when you try to log in, it has to check with the server if the password is correct. At that point, the request is blocked by Authelia since you're not logged in, so it shows up as "password is wrong" even though it's actually a redirect to the Authelia login page. > > I guess the cleanest way to handle that would be to add support for the Authelia cookies (so if you're logged in to Authelia you're logged in to LLDAP), and check the LLDAP log in response to see if Authelia highjacked it. Would it be preferred to use trusted header auth over the authelia cookie?
kerem commented 2026-02-27 08:15:30 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Dec 16, 2022):

Yes, trusted header is probably better.

On Fri, 16 Dec 2022, 22:18 Austin Alvarado, @.***>
wrote:

It's probably due to the cache: loading the LLDAP page only loads static
assets that are cached by your browser (the code of the SPA), so Authelia
doesn't get a chance to trigger.
But when you try to log in, it has to check with the server if the
password is correct. At that point, the request is blocked by Authelia
since you're not logged in, so it shows up as "password is wrong" even
though it's actually a redirect to the Authelia login page.

I guess the cleanest way to handle that would be to add support for the
Authelia cookies (so if you're logged in to Authelia you're logged in to
LLDAP), and check the LLDAP log in response to see if Authelia highjacked
it.

Would it be preferred to use trusted header auth over the authelia cookie?


Reply to this email directly, view it on GitHub
https://github.com/nitnelave/lldap/issues/373#issuecomment-1355621760,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGCPWK42REH7DGZJWORU4LWNTMCJANCNFSM6AAAAAASEDTRDI
.
You are receiving this because you commented.Message ID:
@.***>

<!-- gh-comment-id:1355724707 --> @nitnelave commented on GitHub (Dec 16, 2022): Yes, trusted header is probably better. On Fri, 16 Dec 2022, 22:18 Austin Alvarado, ***@***.***> wrote: > It's probably due to the cache: loading the LLDAP page only loads static > assets that are cached by your browser (the code of the SPA), so Authelia > doesn't get a chance to trigger. > But when you try to log in, it has to check with the server if the > password is correct. At that point, the request is blocked by Authelia > since you're not logged in, so it shows up as "password is wrong" even > though it's actually a redirect to the Authelia login page. > > I guess the cleanest way to handle that would be to add support for the > Authelia cookies (so if you're logged in to Authelia you're logged in to > LLDAP), and check the LLDAP log in response to see if Authelia highjacked > it. > > Would it be preferred to use trusted header auth over the authelia cookie? > > — > Reply to this email directly, view it on GitHub > <https://github.com/nitnelave/lldap/issues/373#issuecomment-1355621760>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAGCPWK42REH7DGZJWORU4LWNTMCJANCNFSM6AAAAAASEDTRDI> > . > You are receiving this because you commented.Message ID: > ***@***.***> >
kerem commented 2026-02-27 08:15:30 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Mar 21, 2023):

Related: #352

<!-- gh-comment-id:1477825850 --> @nitnelave commented on GitHub (Mar 21, 2023): Related: #352
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/github_actions/codecov/codecov-action-6
copilot/fix-equality-filters-list-attributes
dependabot/github_actions/docker/build-push-action-7
dependabot/github_actions/docker/metadata-action-6
dependabot/github_actions/docker/setup-buildx-action-4
dependabot/github_actions/docker/login-action-4
copilot/update-download-artifact-action
copilot/fix-opensuse-warnings
copilot/fix-1268
copilot/fix-727
copilot/fix-898
copilot/fix-1256
copilot/fix-1251
copilot/fix-1249
copilot/fix-1206
user-attribute-form
user-ui
group-ui
server-user-attribute-schema
crates
haveibeenpwned
v0.6.2
v0.6.1
v0.6.0
v0.5.0
v0.4.3
v0.4.2
v0.4.1
v0.4.0
v0.3.0
v0.2.0
v0.0.1
Labels
Clear labels   
backend

   
blocked

   
bug

   
cleanup

   
dependencies

   
docker

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
frontend

   
github_actions

   
good first issue

   
help wanted

   
help wanted

   
integration

   
invalid

   
ldap

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
rust

   
rust

   
tests

   
wontfix
No labels
backend
blocked
bug
cleanup
dependencies
docker
documentation
duplicate
enhancement
enhancement
frontend
github_actions
good first issue
help wanted
help wanted
integration
invalid
ldap
pull-request
question
rust
rust
tests
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/lldap-lldap#142
No description provided.