[GH-ISSUE #432] Getting it to work with Rancher on Kubernetes #164

Closed
opened 2026-02-27 08:15:37 +03:00 by kerem · 26 comments

Originally created by @Evantage-WS on GitHub (Feb 3, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/432

Hi,

I have created a deployment on Kubernetes with your container and I am able to get it configured in Rancher and on a user level, it is working.

I am not an LDAP expert, so I am lost in what I should enter at a group level, are you able to help me?

This is the config for LDAP in Rancher:
image

This config works as long as I do not fill in the group details. When I do fill in ou=people,dc=example,dc=com at the Group Search Base, I get an:

Failed to get attributes for cn=lldap_admin,ou=groups,dc=example,dc=com

This is the log:

2023-02-03T12:55:31.048352481+00:00 INFO     ┕━ LDAP request [ 136µs | 0.04% / 0.10% ]
2023-02-03T12:55:31.048358606+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 6, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "groupOfNames"), Or([Equality("entryDN", "uid=lldap_admin,ou=groups,dc=example,dc=com")])]), attrs: ["entryDN", "objectClass", "groupOfNames", "uid", "cn", "cn"] }), ctrl: [] }
2023-02-03T12:55:31.048359315+00:00 DEBUG       ┝━ do_search [ 87.5µs | 0.01% / 0.06% ]
2023-02-03T12:55:31.048364731+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "ou=groups,dc=example,dc=com" | scope: Groups
2023-02-03T12:55:31.048365648+00:00 DEBUG       │  ┕━ get_groups_list [ 79.3µs | 0.01% / 0.06% ]
2023-02-03T12:55:31.048367606+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "groupOfNames"), Or([Equality("entryDN", "uid=lldap_admin,ou=groups,dc=example,dc=com")])])
2023-02-03T12:55:31.048371231+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unknown group attribute ""entrydn"" in filter.\n\
                                To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048373023+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | parsed_filters: And([And([]), Or([Not(And([]))])])
2023-02-03T12:55:31.048373731+00:00 DEBUG       │     ┝━ list_groups [ 50.2µs | 0.04% ]
2023-02-03T12:55:31.048375523+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | filters: Some(And([And([]), Or([Not(And([]))])]))
2023-02-03T12:55:31.048389440+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid", "user_id" FROM "groups" LEFT JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" ORDER BY "display_name" ASC, "user_id" ASC
2023-02-03T12:55:31.048518690+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-03T12:21:50.608339363Z, uuid: Uuid("77d33d14-baef-3775-aa5d-5169b5e7eb98"), users: [UserId("admin")] }, Group { id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-02-03T12:21:50.609732698Z, uuid: Uuid("a272220c-afd7-3942-bfae-7bcb2b7cba18"), users: [] }, Group { id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2023-02-03T12:21:50.610242074Z, uuid: Uuid("a34f3888-8a1b-3d18-b5fa-d5ecff35d863"), users: [] }]
2023-02-03T12:55:31.048521106+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 5.46µs | 0.00% ]
2023-02-03T12:55:31.048526606+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["entryDN", "objectClass", "groupOfNames", "uid", "cn", "cn"] | resolved_attributes: ["entryDN", "objectClass", "groupOfNames", "uid", "cn"]
2023-02-03T12:55:31.048528273+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: entrydn\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048529565+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofnames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048530523+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 2.46µs | 0.00% ]
2023-02-03T12:55:31.048532940+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["entryDN", "objectClass", "groupOfNames", "uid", "cn", "cn"] | resolved_attributes: ["entryDN", "objectClass", "groupOfNames", "uid", "cn"]
2023-02-03T12:55:31.048533731+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: entrydn\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048534606+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofnames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048535273+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 2.33µs | 0.00% ]
2023-02-03T12:55:31.048537565+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["entryDN", "objectClass", "groupOfNames", "uid", "cn", "cn"] | resolved_attributes: ["entryDN", "objectClass", "groupOfNames", "uid", "cn"]
2023-02-03T12:55:31.048538315+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: entrydn\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048538731+00:00 WARN        │     ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofnames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-03T12:55:31.048544773+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }] })
2023-02-03T12:55:31.048567565+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_password_manager,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }] })
2023-02-03T12:55:31.048575398+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }] })
2023-02-03T12:55:31.048579940+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })

Could you be of assistance? Thanks!


@nitnelave commented on GitHub (Feb 6, 2023):

Hmm, it seems we don't support entryDN for groups very well.

I'll have a look, it should be fairly easy to add.


@Evantage-WS commented on GitHub (Feb 6, 2023):

@nitnelave,

Thanks, that would be great.

It is not clear if it is a problem in the code or just a naming thing, because I can change the values in the LDAP/Group entries in Rancher to something your app supports and can get groups to work?


@nitnelave commented on GitHub (Feb 6, 2023):

Yeah, actually, can you try with just dn instead of entryDN?

A small note: object class should be groupOfUniqueNames (a bit pedantic maybe but more future-proof)


@Evantage-WS commented on GitHub (Feb 6, 2023):

Hi @nitnelave, done. It is accepting the config, but there are still errors in the log, also with groupOfUniqueNames; it is complaining about it and there is no group info in Rancher. Could you please look at this?

Current config:
image

2023-02-06T13:20:56.724614908+00:00 DEBUG    │  │     ┝━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Equality("uid", "wilco")])
2023-02-06T13:20:56.724618491+00:00 DEBUG    │  │     ┝━ 🐛 [debug]:  | parsed_filters: And([And([]), UserId(UserId("wilco"))])
2023-02-06T13:20:56.724618950+00:00 DEBUG    │  │     ┝━ expand_attribute_wildcards [ 6.29µs | 0.00% ]
2023-02-06T13:20:56.724625116+00:00 DEBUG    │  │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["1.1", "+", "*"] | resolved_attributes: ["1.1", "+", "objectclass", "uid", "mail", "givenname", "sn", "cn", "jpegPhoto", "createtimestamp"]
2023-02-06T13:20:56.724627158+00:00 DEBUG    │  │     ┕━ list_users [ 48.3µs | 0.03% ]
2023-02-06T13:20:56.724628866+00:00 DEBUG    │  │        ┝━ 🐛 [debug]:  | filters: Some(And([And([]), UserId(UserId("wilco"))])) | get_groups: false
2023-02-06T13:20:56.724644866+00:00 DEBUG    │  │        ┝━ 🐛 [debug]:  | query: SELECT "users"."user_id", "email", "users"."display_name", "first_name", "last_name", "avatar", "users"."creation_date", "users"."uuid" FROM "users" WHERE "users"."user_id" = ? ORDER BY "users"."user_id" ASC
2023-02-06T13:20:56.724764784+00:00 DEBUG    │  │        ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId("wilco"), email: "wilco@test.com", display_name: "Wilco", first_name: "", last_name: "", avatar: JpegPhoto([]), creation_date: 2023-02-06T13:05:21.659162166Z, uuid: Uuid("b935ca5a-2fb7-3fa7-a499-342d7248570c") }, groups: None }]
2023-02-06T13:20:56.724783159+00:00 DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=wilco,ou=people,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectclass", vals: [[105, 110, 101, 116, 79, 114, 103, 80, 101, 114, 115, 111, 110], [112, 111, 115, 105, 120, 65, 99, 99, 111, 117, 110, 116], [109, 97, 105, 108, 65, 99, 99, 111, 117, 110, 116], [112, 101, 114, 115, 111, 110]] }, LdapPartialAttribute { atype: "uid", vals: [[119, 105, 108, 99, 111]] }, LdapPartialAttribute { atype: "mail", vals: [[119, 105, 108, 99, 111, 64, 116, 101, 115, 116, 46, 99, 111, 109]] }, LdapPartialAttribute { atype: "cn", vals: [[87, 105, 108, 99, 111]] }, LdapPartialAttribute { atype: "createtimestamp", vals: [[50, 48, 50, 51, 45, 48, 50, 45, 48, 54, 84, 49, 51, 58, 48, 53, 58, 50, 49, 46, 54, 53, 57, 49, 54, 50, 49, 54, 54, 43, 48, 48, 58, 48, 48]] }] })
2023-02-06T13:20:56.724811159+00:00 DEBUG    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-02-06T13:20:56.771077781+00:00 INFO     ┝━ LDAP request [ 44.0ms | 0.04% / 31.55% ]
2023-02-06T13:20:56.771087989+00:00 DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 5, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-02-06T13:20:56.771089948+00:00 DEBUG    │  ┝━ do_bind [ 43.9ms | 0.02% / 31.52% ]
2023-02-06T13:20:56.771091906+00:00 DEBUG    │  │  ┝━ 🐛 [debug]: DN: cn=admin,ou=people,dc=example,dc=com
2023-02-06T13:20:56.771099073+00:00 DEBUG    │  │  ┝━ bind [ 43.8ms | 0.05% / 31.43% ]
2023-02-06T13:20:56.771256948+00:00 DEBUG    │  │  │  ┕━ passwords_match [ 43.7ms | 31.39% ]
2023-02-06T13:20:56.815020893+00:00 DEBUG    │  │  ┝━ get_user_groups [ 97.8µs | 0.07% ]
2023-02-06T13:20:56.815027684+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | user_id: UserId("admin")
2023-02-06T13:20:56.815052643+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid" FROM "groups" INNER JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" WHERE "user_id" = ?
2023-02-06T13:20:56.815248060+00:00 DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-06T12:21:27.587222346Z, uuid: Uuid("0c0972b3-7a20-3414-a090-419daa125f86") }}
2023-02-06T13:20:56.815250727+00:00 DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-02-06T13:20:56.815255811+00:00 DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-02-06T13:20:56.815472270+00:00 INFO     ┕━ LDAP request [ 152µs | 0.04% / 0.11% ]
2023-02-06T13:20:56.815479395+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 6, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "groupOfUniqueNames"), Or([Equality("entryDN", "uid=lldap_admin,ou=groups,dc=example,dc=com")])]), attrs: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn", "cn"] }), ctrl: [] }
2023-02-06T13:20:56.815480145+00:00 DEBUG       ┝━ do_search [ 93.2µs | 0.01% / 0.07% ]
2023-02-06T13:20:56.815486312+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "ou=groups,dc=example,dc=com" | scope: Groups
2023-02-06T13:20:56.815487145+00:00 DEBUG       │  ┕━ get_groups_list [ 84.6µs | 0.01% / 0.06% ]
2023-02-06T13:20:56.815489187+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "groupOfUniqueNames"), Or([Equality("entryDN", "uid=lldap_admin,ou=groups,dc=example,dc=com")])])
2023-02-06T13:20:56.815493270+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unknown group attribute ""entrydn"" in filter.\n\
                                To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-06T13:20:56.815495228+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | parsed_filters: And([And([]), Or([Not(And([]))])])
2023-02-06T13:20:56.815495770+00:00 DEBUG       │     ┝━ list_groups [ 55.3µs | 0.04% ]
2023-02-06T13:20:56.815497520+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | filters: Some(And([And([]), Or([Not(And([]))])]))
2023-02-06T13:20:56.815516978+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid", "user_id" FROM "groups" LEFT JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" ORDER BY "display_name" ASC, "user_id" ASC
2023-02-06T13:20:56.815676646+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-06T12:21:27.587222346Z, uuid: Uuid("0c0972b3-7a20-3414-a090-419daa125f86"), users: [UserId("admin"), UserId("wilco")] }, Group { id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-02-06T12:21:28.389946768Z, uuid: Uuid("ddf488c9-b49d-3e9a-954b-b4527725a661"), users: [] }, Group { id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2023-02-06T12:21:28.587090575Z, uuid: Uuid("47980d5d-fd9a-3cb1-8a76-96714a697802"), users: [] }]
2023-02-06T13:20:56.815679104+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 5.46µs | 0.00% ]
2023-02-06T13:20:56.815684687+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn", "cn"] | resolved_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn"]
2023-02-06T13:20:56.815687437+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofuniquenames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-06T13:20:56.815688437+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 2.62µs | 0.00% ]
2023-02-06T13:20:56.815691021+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn", "cn"] | resolved_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn"]
2023-02-06T13:20:56.815692062+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofuniquenames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-06T13:20:56.815692729+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 2.42µs | 0.00% ]
2023-02-06T13:20:56.815695146+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn", "cn"] | resolved_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn"]
2023-02-06T13:20:56.815696271+00:00 WARN        │     ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofuniquenames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-06T13:20:56.815703021+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }] })
2023-02-06T13:20:56.815732354+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_password_manager,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }] })
2023-02-06T13:20:56.815740688+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }] })
2023-02-06T13:20:56.815745646+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
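
An added example, not part of the thread and not lldap's or Rancher's code: a small Python reader for the debug log format posted above. It decodes the byte-array `vals` in each response, collects the attributes the server reported ignoring, and flags that the ignored `entryDN` term did not narrow the result. Function names are illustrative, the sample is abridged from the thread's log, and one search request per excerpt is assumed.

```python
import re

# Sample input: lines abridged from the lldap debug log posted in this thread
# (timestamps, tree-drawing characters and unrelated fields dropped).
SAMPLE_LOG = r'''
DEBUG | msg: LdapMsg { msgid: 6, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=example,dc=com", scope: Subtree, filter: And([Equality("objectClass", "groupOfUniqueNames"), Or([Equality("entryDN", "uid=lldap_admin,ou=groups,dc=example,dc=com")])]), attrs: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn", "cn"] }), ctrl: [] }
WARN  [warn]: Ignoring unknown group attribute ""entrydn"" in filter.
WARN  [warn]: Ignoring unrecognized group attribute: groupofuniquenames
DEBUG | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }] })
DEBUG | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }] })
DEBUG | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
'''

EQUALITY = re.compile(r'Equality\("([^"]+)", "([^"]*)"\)')
IGNORED_IN_FILTER = re.compile(r'Ignoring unknown group attribute "+([^"]+)"+ in filter')
IGNORED_REQUESTED = re.compile(r'Ignoring unrecognized group attribute: (\w+)')
ENTRY = re.compile(
    r'SearchResultEntry\(LdapSearchResultEntry \{ dn: "([^"]+)", attributes: \[(.*)\] \}\)'
)
ATTRIBUTE = re.compile(r'atype: "([^"]+)", vals: \[((?:\[[\d, ]*\](?:, )?)*)\]')
BYTE_LIST = re.compile(r'\[([\d, ]*)\]')


def decode_vals(raw):
    """Turn '[103, 114], [111]' (Rust debug output of byte vectors) into strings."""
    return [
        bytes(int(n) for n in chunk.split(",") if n.strip()).decode("utf-8", "replace")
        for chunk in BYTE_LIST.findall(raw)
    ]


def parse_search(log):
    """Extract the filter terms, the server's 'ignoring' warnings and the entries."""
    parsed = {"filter_terms": [], "ignored_in_filter": set(),
              "ignored_requested": set(), "entries": []}
    for line in log.splitlines():
        if "SearchRequest(" in line:
            parsed["filter_terms"] = EQUALITY.findall(line)
        if m := IGNORED_IN_FILTER.search(line):
            parsed["ignored_in_filter"].add(m.group(1).lower())
        if m := IGNORED_REQUESTED.search(line):
            parsed["ignored_requested"].add(m.group(1).lower())
        if m := ENTRY.search(line):
            attrs = {name: decode_vals(vals) for name, vals in ATTRIBUTE.findall(m.group(2))}
            parsed["entries"].append({"dn": m.group(1), "attributes": attrs})
    return parsed


def audit(parsed):
    """Report filter terms the server dropped and what that did to the result set."""
    findings = []
    returned = [entry["dn"].lower() for entry in parsed["entries"]]
    for attr, value in parsed["filter_terms"]:
        if attr.lower() not in parsed["ignored_in_filter"]:
            continue
        findings.append(f"filter term ({attr}={value}) was ignored by the server")
        if len(returned) > 1:
            findings.append(
                f"{len(returned)} entries returned although {attr} was an equality match"
            )
        if "=" in value and value.lower() not in returned:
            findings.append(f"{value} is not the DN of any returned entry")
    return findings


if __name__ == "__main__":
    result = parse_search(SAMPLE_LOG)
    for entry in result["entries"]:
        print(entry["dn"], entry["attributes"])
    for finding in audit(result):
        print("FINDING:", finding)
```
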

2023-02-06T13:20:56.815703021+00:00 DEBUG ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }] }) 2023-02-06T13:20:56.815732354+00:00 DEBUG ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_password_manager,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }] }) 2023-02-06T13:20:56.815740688+00:00 DEBUG ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }] }) 2023-02-06T13:20:56.815745646+00:00 DEBUG ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] }) ```

@nitnelave commented on GitHub (Feb 6, 2023):

The `groupDNAttribute` at the bottom should also be `dn`


@Evantage-WS commented on GitHub (Feb 6, 2023):

Done, but no luck.

The lldap log:

┕━ LDAP request [ 143µs | 0.07% / 0.24% ]
2023-02-06T13:51:27.356987594+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "uid=wilco,ou=people,dc=example,dc=com", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Equality("objectClass", "inetOrgPerson"), attrs: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] }), ctrl: [] }
2023-02-06T13:51:27.356988428+00:00 DEBUG       ┝━ do_search [ 99.9µs | 0.02% / 0.16% ]
2023-02-06T13:51:27.356995303+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "uid=wilco,ou=people,dc=example,dc=com" | scope: User(Equality("uid", "wilco"))
2023-02-06T13:51:27.356996136+00:00 DEBUG       │  ┕━ get_user_list [ 89.8µs | 0.03% / 0.15% ]
2023-02-06T13:51:27.356997844+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Equality("uid", "wilco")])
2023-02-06T13:51:27.357001219+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | parsed_filters: And([And([]), UserId(UserId("wilco"))])
2023-02-06T13:51:27.357001719+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 6.04µs | 0.01% ]
2023-02-06T13:51:27.357007678+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] | resolved_attributes: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""]
2023-02-06T13:51:27.357009386+00:00 DEBUG       │     ┝━ list_users [ 67.5µs | 0.11% ]
2023-02-06T13:51:27.357011344+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | filters: Some(And([And([]), UserId(UserId("wilco"))])) | get_groups: true
2023-02-06T13:51:27.357042136+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | query: SELECT "users"."user_id", "email", "users"."display_name", "first_name", "last_name", "avatar", "users"."creation_date", "users"."uuid", "groups"."group_id", "groups"."display_name" AS "group_display_name", "groups"."creation_date" AS "group_creation_date", "groups"."uuid" AS "group_uuid" FROM "users" LEFT JOIN "memberships" ON "users"."user_id" = "memberships"."user_id" LEFT JOIN "groups" ON "memberships"."group_id" = "groups"."group_id" WHERE "users"."user_id" = ? ORDER BY "users"."user_id" ASC, "group_display_name" ASC
2023-02-06T13:51:27.357174053+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId("wilco"), email: "wilco@test.com", display_name: "Wilco", first_name: "", last_name: "", avatar: JpegPhoto([]), creation_date: 2023-02-06T13:05:21.659162166Z, uuid: Uuid("b935ca5a-2fb7-3fa7-a499-342d7248570c") }, groups: Some([GroupDetails { group_id: GroupId(4), display_name: "rancher", creation_date: 2023-02-06T13:44:37.981066098Z, uuid: Uuid("1863af6f-aca4-3a3c-93b8-dfd0539f4ac8") }]) }]
2023-02-06T13:51:27.357179470+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: inetorgperson\n\
                      To disable this warning, add it to "ignored_user_attributes" in the config.
2023-02-06T13:51:27.357180970+00:00 WARN        │     ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: \n\
                      To disable this warning, add it to "ignored_user_attributes" in the config.
2023-02-06T13:51:27.357191095+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=wilco,ou=people,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "memberOf", vals: [[117, 105, 100, 61, 114, 97, 110, 99, 104, 101, 114, 44, 111, 117, 61, 103, 114, 111, 117, 112, 115, 44, 100, 99, 61, 101, 120, 97, 109, 112, 108, 101, 44, 100, 99, 61, 99, 111, 109]] }, LdapPartialAttribute { atype: "objectClass", vals: [[105, 110, 101, 116, 79, 114, 103, 80, 101, 114, 115, 111, 110], [112, 111, 115, 105, 120, 65, 99, 99, 111, 117, 110, 116], [109, 97, 105, 108, 65, 99, 99, 111, 117, 110, 116], [112, 101, 114, 115, 111, 110]] }, LdapPartialAttribute { atype: "uid", vals: [[119, 105, 108, 99, 111]] }, LdapPartialAttribute { atype: "cn", vals: [[87, 105, 108, 99, 111]] }] })
2023-02-06T13:51:27.357216595+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
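
The `vals` fields in the log above are UTF-8 bytes printed as decimal arrays. This added example (not part of the original comment and not lldap code) decodes them so that the values lldap returned, such as `memberOf`, can be read and compared with the group DNs in the group search; `decode_entry` and `decode_log` are hypothetical helper names, and the sample is the 13:51:27 `SearchResultEntry` line copied from the log above, shortened to the part after `response:`.

```python
import re

# Copied from the 2023-02-06T13:51:27 log lines above (text after "response:").
SAMPLE_LOG = (
    'response: SearchResultEntry(LdapSearchResultEntry { '
    'dn: "uid=wilco,ou=people,dc=example,dc=com", attributes: ['
    'LdapPartialAttribute { atype: "memberOf", vals: [[117, 105, 100, 61, 114, 97, 110, 99, '
    '104, 101, 114, 44, 111, 117, 61, 103, 114, 111, 117, 112, 115, 44, 100, 99, 61, 101, 120, '
    '97, 109, 112, 108, 101, 44, 100, 99, 61, 99, 111, 109]] }, '
    'LdapPartialAttribute { atype: "objectClass", vals: [[105, 110, 101, 116, 79, 114, 103, 80, '
    '101, 114, 115, 111, 110], [112, 111, 115, 105, 120, 65, 99, 99, 111, 117, 110, 116], '
    '[109, 97, 105, 108, 65, 99, 99, 111, 117, 110, 116], [112, 101, 114, 115, 111, 110]] }, '
    'LdapPartialAttribute { atype: "uid", vals: [[119, 105, 108, 99, 111]] }, '
    'LdapPartialAttribute { atype: "cn", vals: [[87, 105, 108, 99, 111]] }] })\n'
    'response: SearchResultDone(LdapResult { code: Success, matcheddn: "", '
    'message: "", referral: [] })\n'
)

ENTRY_DN = re.compile(r'LdapSearchResultEntry \{ dn: "([^"]*)"')
ATTRIBUTE = re.compile(
    r'LdapPartialAttribute \{ atype: "([^"]*)", vals: \[((?:\[[\d, ]*\](?:, )?)*)\] \}'
)
BYTE_ARRAY = re.compile(r'\[([\d, ]*)\]')


def decode_entry(line):
    """Return (dn, {attribute: [decoded values]}) for a SearchResultEntry line, else None."""
    dn = ENTRY_DN.search(line)
    if dn is None:
        return None
    attributes = {}
    for atype, raw_vals in ATTRIBUTE.findall(line):
        values = attributes.setdefault(atype, [])
        for raw in BYTE_ARRAY.findall(raw_vals):
            data = bytes(int(n) for n in raw.split(",") if n.strip())
            # errors="replace" keeps a binary value from aborting the whole run.
            values.append(data.decode("utf-8", errors="replace"))
    return dn.group(1), attributes


def decode_log(text):
    """Decode every SearchResultEntry found in a multi-line log excerpt."""
    return [entry for entry in map(decode_entry, text.splitlines()) if entry]


if __name__ == "__main__":
    for dn, attributes in decode_log(SAMPLE_LOG):
        print(dn)
        for atype, values in attributes.items():
            print(f"  {atype}: {values}")
```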

@nitnelave commented on GitHub (Feb 6, 2023):

Hmm, that's the log from the login, not the group search


@Evantage-WS commented on GitHub (Feb 9, 2023):

Hi @nitnelave, I did a reinstall of the Kubernetes cluster and installed lldap again. The weird thing is that the user lookup is also failing now with this config:

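![image](https://user-images.githubusercontent.com/59507751/217768590-2b8036bb-0e96-4e58-a9fa-94e7485a13eb.png)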

2023-02-09T09:11:56.075901487+00:00 INFO     ┕━ LDAP request [ 48.1µs | 0.05% / 0.07% ]
2023-02-09T09:11:56.075909070+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("givenName", LdapSubstringFilter { initial: Some("test"), any: [], final_: None })])]), attrs: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] }), ctrl: [] }
2023-02-09T09:11:56.075909945+00:00 DEBUG       ┝━ do_search [ 14.4µs | 0.01% / 0.02% ]
2023-02-09T09:11:56.075915320+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "ou=people,dc=example,dc=com" | scope: Users
2023-02-09T09:11:56.075916153+00:00 DEBUG       │  ┕━ get_user_list [ 7.12µs | 0.01% ]
2023-02-09T09:11:56.075918695+00:00 DEBUG       │     ┕━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("givenName", LdapSubstringFilter { initial: Some("test"), any: [], final_: None })])])
2023-02-09T09:11:56.075929445+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported user filter: Unsupported user filter: Substring(\"uid\", LdapSubstringFilter { initial: Some(\"test\"), any: [], final_: None })", referral: [] })

@nitnelave commented on GitHub (Feb 9, 2023):

That's weird, now it's using `SubString` to search for users instead of exact matches. Did you change anything else related to that?

Otherwise, you can try to remove the Search Attribute and add a Search Filter instead: `(|(uid=%s)(sn=%s)(givenName=%s))` or whatever placeholder they use instead of `%s`.


@Evantage-WS commented on GitHub (Feb 9, 2023):

No, did not change anything. All is the same version and entered exactly as in the screenprint. Unfortunately, when I empty the Search Attribute field, it will come back with "uid|sn|givenName" value. I did add "(|(uid=%s)(sn=%s)(givenName=%s))", but still the same error.

I am unable to find out about the placeholder and the Rancher server is logging nothing when contacting the LLDAP server.

I got it all working with OpenLDAP, users and groups, I really would like to get this working with LLDAP, because OpenLDAP is huge and I just need a simple, fast working LDAP server.


@nitnelave commented on GitHub (Feb 9, 2023):

I had a look at their docs (and the code), and it seems that we can't get around the `SubString` filter. However, it's just when adding users/groups, not when logging in. Logging in should still work, normally. Can you post a full clean LLDAP log with a single login attempt?

In the meantime, you can open an issue to add support for `SubString`.
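
The request filters in these logs are printed in Rust debug notation, which makes it hard to see what the client actually sent. As an added example (not from the comments above and not lldap or Rancher code), this Python script converts that notation back into an RFC 4515 filter string and lists the attributes matched by substring, so the search request can be compared with the equality-only login lookup. The function names are hypothetical, the two sample filters are copied from the log lines earlier in this thread, and only the filter types visible in those logs (`And`, `Or`, `Not`, `Equality`, `Substring`) are handled.

```python
import re

# Copied from the 2023-02-09T09:11:56 user search request above.
SEARCH_FILTER = (
    'And([Equality("objectClass", "inetOrgPerson"), Or(['
    'Substring("uid", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), '
    'Substring("sn", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), '
    'Substring("givenName", LdapSubstringFilter { initial: Some("test"), any: [], final_: None })'
    '])])'
)
# Copied from the 2023-02-06T13:51:27 login lookup above.
LOGIN_FILTER = 'Equality("objectClass", "inetOrgPerson")'

TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([A-Za-z_]+)|([()\[\]{},:]))')


def tokenize(text):
    """Split debug notation into (kind, value) tokens: str, name or punct."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 20]!r}")
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r'\\(.)', r'\1', m.group(1))))  # undo \" and \\
        elif m.group(2):
            tokens.append(("name", m.group(2)))
        else:
            tokens.append(("punct", m.group(3)))
        pos = m.end()
    return tokens


def escape(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


class Parser:
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok[1]!r}")
        self.i += 1
        return tok[1]

    def accept(self, value):
        if self.peek() == ("punct", value):
            self.i += 1
            return True
        return False

    def list_of(self, item):
        self.take("punct", "[")
        items = []
        while not self.accept("]"):
            items.append(item())
            self.accept(",")
        return items

    def option(self):  # None | Some("text")
        if self.take("name") == "None":
            return None
        self.take("punct", "(")
        value = self.take("str")
        self.take("punct", ")")
        return value

    def substring(self):
        self.take("name", "LdapSubstringFilter")
        self.take("punct", "{")
        parts = {}
        while not self.accept("}"):
            key = self.take("name")
            self.take("punct", ":")
            parts[key] = self.list_of(lambda: self.take("str")) if key == "any" else self.option()
            self.accept(",")
        middle = "*".join(escape(p) for p in parts.get("any", []))
        return (escape(parts.get("initial") or "") + "*"
                + (middle + "*" if middle else "") + escape(parts.get("final_") or ""))

    def filter(self):
        name = self.take("name")
        self.take("punct", "(")
        if name in ("And", "Or"):
            out = "(" + ("&" if name == "And" else "|") + "".join(self.list_of(self.filter)) + ")"
        elif name == "Not":
            out = "(!" + self.filter() + ")"
        elif name in ("Equality", "Substring"):
            attr = self.take("str")
            self.take("punct", ",")
            value = escape(self.take("str")) if name == "Equality" else self.substring()
            out = f"({attr}={value})"
        else:
            raise ValueError(f"unsupported filter type {name}")
        self.take("punct", ")")
        return out


def debug_filter_to_rfc4515(text):
    parser = Parser(tokenize(text))
    result = parser.filter()
    if parser.peek() != (None, None):
        raise ValueError("trailing input after filter")
    return result


def substring_attributes(text):
    """Attributes matched with Substring, the filter type rejected in this thread."""
    return re.findall(r'Substring\("([^"]*)"', text)
```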


@Evantage-WS commented on GitHub (Feb 9, 2023):

Hi @nitnelave, I can configure it with the admin user and that connection is working. This is the log from the successful login into Rancher with the admin user from lldap.

2023-02-09T13:14:53.896271675+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 2.33µs | 0.00% ]
2023-02-09T13:14:53.896273967+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn", "cn"] | resolved_attributes: ["dn", "objectClass", "groupOfUniqueNames", "uid", "cn"]
2023-02-09T13:14:53.896275133+00:00 WARN        │     ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: groupofuniquenames\n\
                      To disable this warning, add it to "ignored_group_attributes" in the config.
2023-02-09T13:14:53.896282050+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_admin,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110]] }] })
2023-02-09T13:14:53.896317883+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_password_manager,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 112, 97, 115, 115, 119, 111, 114, 100, 95, 109, 97, 110, 97, 103, 101, 114]] }] })
2023-02-09T13:14:53.896326550+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=lldap_strict_readonly,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "objectClass", vals: [[103, 114, 111, 117, 112, 79, 102, 85, 110, 105, 113, 117, 101, 78, 97, 109, 101, 115]] }, LdapPartialAttribute { atype: "uid", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }, LdapPartialAttribute { atype: "cn", vals: [[108, 108, 100, 97, 112, 95, 115, 116, 114, 105, 99, 116, 95, 114, 101, 97, 100, 111, 110, 108, 121]] }] })
2023-02-09T13:14:53.896331842+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2023-02-09T13:14:54.062977748+00:00 INFO     LDAP session [ 59.4ms | 0.11% / 100.00% ]
2023-02-09T13:14:54.063044039+00:00 INFO     ┝━ LDAP request [ 59.1ms | 0.09% / 99.49% ]
2023-02-09T13:14:54.063052039+00:00 DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-02-09T13:14:54.063054039+00:00 DEBUG    │  ┝━ do_bind [ 59.1ms | 0.03% / 99.40% ]
2023-02-09T13:14:54.063056206+00:00 DEBUG    │  │  ┝━ 🐛 [debug]: DN: cn=admin,ou=people,dc=example,dc=com
2023-02-09T13:14:54.063060623+00:00 DEBUG    │  │  ┝━ bind [ 58.9ms | 0.11% / 99.12% ]
2023-02-09T13:14:54.063169831+00:00 DEBUG    │  │  │  ┕━ passwords_match [ 58.8ms | 99.01% ]
2023-02-09T13:14:54.122003467+00:00 DEBUG    │  │  ┝━ get_user_groups [ 150µs | 0.25% ]
2023-02-09T13:14:54.122011425+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | user_id: UserId("admin")
2023-02-09T13:14:54.122040842+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid" FROM "groups" INNER JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" WHERE "user_id" = ?
2023-02-09T13:14:54.122154424+00:00 DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-09T08:52:05.019774311Z, uuid: Uuid("a92dd3f8-dfbb-3c57-8fd6-46c93a5021e2") }}
2023-02-09T13:14:54.122156758+00:00 DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-02-09T13:14:54.122162508+00:00 DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-02-09T13:14:54.122961838+00:00 INFO     ┕━ LDAP request [ 235µs | 0.09% / 0.40% ]
2023-02-09T13:14:54.122973254+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "uid=admin,ou=people,dc=example,dc=com", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Equality("objectClass", "inetOrgPerson"), attrs: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] }), ctrl: [] }
2023-02-09T13:14:54.122975213+00:00 DEBUG       ┝━ do_search [ 182µs | 0.02% / 0.31% ]
2023-02-09T13:14:54.122983754+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "uid=admin,ou=people,dc=example,dc=com" | scope: User(Equality("uid", "admin"))
2023-02-09T13:14:54.122984796+00:00 DEBUG       │  ┕━ get_user_list [ 171µs | 0.03% / 0.29% ]
2023-02-09T13:14:54.122986296+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Equality("uid", "admin")])
2023-02-09T13:14:54.122990921+00:00 DEBUG       │     ┝━ 🐛 [debug]:  | parsed_filters: And([And([]), UserId(UserId("admin"))])
2023-02-09T13:14:54.122991379+00:00 DEBUG       │     ┝━ expand_attribute_wildcards [ 7.12µs | 0.01% ]
2023-02-09T13:14:54.122997838+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | ldap_attributes: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] | resolved_attributes: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""]
2023-02-09T13:14:54.123001129+00:00 DEBUG       │     ┝━ list_users [ 147µs | 0.25% ]
2023-02-09T13:14:54.123003171+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | filters: Some(And([And([]), UserId(UserId("admin"))])) | get_groups: true
2023-02-09T13:14:54.123042671+00:00 DEBUG       │     │  ┝━ 🐛 [debug]:  | query: SELECT "users"."user_id", "email", "users"."display_name", "first_name", "last_name", "avatar", "users"."creation_date", "users"."uuid", "groups"."group_id", "groups"."display_name" AS "group_display_name", "groups"."creation_date" AS "group_creation_date", "groups"."uuid" AS "group_uuid" FROM "users" LEFT JOIN "memberships" ON "users"."user_id" = "memberships"."user_id" LEFT JOIN "groups" ON "memberships"."group_id" = "groups"."group_id" WHERE "users"."user_id" = ? ORDER BY "users"."user_id" ASC, "group_display_name" ASC
2023-02-09T13:14:54.123146795+00:00 DEBUG       │     │  ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId("admin"), email: "", display_name: "Administrator", first_name: "", last_name: "", avatar: JpegPhoto([]), creation_date: 2023-02-09T08:52:04.966829213Z, uuid: Uuid("998f574a-9c27-3823-952a-6e20a1c08bfb") }, groups: Some([GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-09T08:52:05.019774311Z, uuid: Uuid("a92dd3f8-dfbb-3c57-8fd6-46c93a5021e2") }]) }]
2023-02-09T13:14:54.123153129+00:00 WARN        │     ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: inetorgperson\n\
                      To disable this warning, add it to "ignored_user_attributes" in the config.
2023-02-09T13:14:54.123154337+00:00 WARN        │     ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: \n\
                      To disable this warning, add it to "ignored_user_attributes" in the config.
2023-02-09T13:14:54.123164795+00:00 DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=admin,ou=people,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "memberOf", vals: [[117, 105, 100, 61, 108, 108, 100, 97, 112, 95, 97, 100, 109, 105, 110, 44, 111, 117, 61, 103, 114, 111, 117, 112, 115, 44, 100, 99, 61, 101, 120, 97, 109, 112, 108, 101, 44, 100, 99, 61, 99, 111, 109]] }, LdapPartialAttribute { atype: "objectClass", vals: [[105, 110, 101, 116, 79, 114, 103, 80, 101, 114, 115, 111, 110], [112, 111, 115, 105, 120, 65, 99, 99, 111, 117, 110, 116], [109, 97, 105, 108, 65, 99, 99, 111, 117, 110, 116], [112, 101, 114, 115, 111, 110]] }, LdapPartialAttribute { atype: "uid", vals: [[97, 100, 109, 105, 110]] }, LdapPartialAttribute { atype: "cn", vals: [[65, 100, 109, 105, 110, 105, 115, 116, 114, 97, 116, 111, 114]] }] })
2023-02-09T13:14:54.123195004+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })

I created a second user, called testuser, and in Rancher I did a search for it, which fails. This is the log:

2023-02-09T13:17:07.809316229+00:00 INFO     LDAP session [ 54.9ms | 0.14% / 100.00% ]
2023-02-09T13:17:07.809381062+00:00 INFO     ┝━ LDAP request [ 54.8ms | 0.23% / 99.77% ]
2023-02-09T13:17:07.809426062+00:00 DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-02-09T13:17:07.809431395+00:00 DEBUG    │  ┝━ do_bind [ 54.7ms | 0.05% / 99.54% ]
2023-02-09T13:17:07.809435937+00:00 DEBUG    │  │  ┝━ 🐛 [debug]: DN: cn=admin,ou=people,dc=example,dc=com
2023-02-09T13:17:07.809448145+00:00 DEBUG    │  │  ┝━ bind [ 54.6ms | 0.30% / 99.31% ]
2023-02-09T13:17:07.809811853+00:00 DEBUG    │  │  │  ┕━ passwords_match [ 54.4ms | 99.01% ]
2023-02-09T13:17:07.864215420+00:00 DEBUG    │  │  ┝━ get_user_groups [ 98.4µs | 0.18% ]
2023-02-09T13:17:07.864221670+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | user_id: UserId("admin")
2023-02-09T13:17:07.864247170+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid" FROM "groups" INNER JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" WHERE "user_id" = ?
2023-02-09T13:17:07.864451627+00:00 DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-09T08:52:05.019774311Z, uuid: Uuid("a92dd3f8-dfbb-3c57-8fd6-46c93a5021e2") }}
2023-02-09T13:17:07.864453794+00:00 DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-02-09T13:17:07.864458544+00:00 DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-02-09T13:17:07.864670960+00:00 INFO     ┕━ LDAP request [ 45.7µs | 0.06% / 0.08% ]
2023-02-09T13:17:07.864678877+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None }), Substring("givenName", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None })]), Or([Equality("uid", "%s"), Equality("sn", "%s"), Equality("givenName", "%s")])]), attrs: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] }), ctrl: [] }
2023-02-09T13:17:07.864679585+00:00 DEBUG       ┝━ do_search [ 15.5µs | 0.01% / 0.03% ]
2023-02-09T13:17:07.864685293+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "ou=people,dc=example,dc=com" | scope: Users
2023-02-09T13:17:07.864685960+00:00 DEBUG       │  ┕━ get_user_list [ 7.67µs | 0.01% ]
2023-02-09T13:17:07.864688752+00:00 DEBUG       │     ┕━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None }), Substring("givenName", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None })]), Or([Equality("uid", "%s"), Equality("sn", "%s"), Equality("givenName", "%s")])])
2023-02-09T13:17:07.864700002+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported user filter: Unsupported user filter: Substring(\"uid\", LdapSubstringFilter { initial: Some(\"tes\"), any: [], final_: None })", referral: [] })
2023-02-09T13:17:08.300759330+00:00 INFO     LDAP session [ 42.2ms | 0.11% / 100.00% ]
2023-02-09T13:17:08.300784913+00:00 INFO     ┝━ LDAP request [ 42.1ms | 0.22% / 99.78% ]
2023-02-09T13:17:08.300792913+00:00 DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-02-09T13:17:08.300794538+00:00 DEBUG    │  ┝━ do_bind [ 42.0ms | 0.04% / 99.55% ]
2023-02-09T13:17:08.300796747+00:00 DEBUG    │  │  ┝━ 🐛 [debug]: DN: cn=admin,ou=people,dc=example,dc=com
2023-02-09T13:17:08.300801038+00:00 DEBUG    │  │  ┝━ bind [ 41.9ms | 0.15% / 99.27% ]
2023-02-09T13:17:08.300965246+00:00 DEBUG    │  │  │  ┕━ passwords_match [ 41.8ms | 99.12% ]
2023-02-09T13:17:08.342778439+00:00 DEBUG    │  │  ┝━ get_user_groups [ 101µs | 0.24% ]
2023-02-09T13:17:08.342785772+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | user_id: UserId("admin")
2023-02-09T13:17:08.342811647+00:00 DEBUG    │  │  │  ┝━ 🐛 [debug]:  | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid" FROM "groups" INNER JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" WHERE "user_id" = ?
2023-02-09T13:17:08.342994188+00:00 DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2023-02-09T08:52:05.019774311Z, uuid: Uuid("a92dd3f8-dfbb-3c57-8fd6-46c93a5021e2") }}
2023-02-09T13:17:08.342996647+00:00 DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2023-02-09T13:17:08.343001022+00:00 DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2023-02-09T13:17:08.343202396+00:00 INFO     ┕━ LDAP request [ 47.3µs | 0.07% / 0.11% ]
2023-02-09T13:17:08.343211271+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("givenName", LdapSubstringFilter { initial: Some("test"), any: [], final_: None })]), Or([Equality("uid", "%s"), Equality("sn", "%s"), Equality("givenName", "%s")])]), attrs: ["dn", "memberOf", "objectClass", "inetOrgPerson", "uid", "cn", ""] }), ctrl: [] }
2023-02-09T13:17:08.343212188+00:00 DEBUG       ┝━ do_search [ 15.8µs | 0.02% / 0.04% ]
2023-02-09T13:17:08.343218563+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "ou=people,dc=example,dc=com" | scope: Users
2023-02-09T13:17:08.343219396+00:00 DEBUG       │  ┕━ get_user_list [ 7.29µs | 0.02% ]
2023-02-09T13:17:08.343222313+00:00 DEBUG       │     ┕━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("test"), any: [], final_: None }), Substring("givenName", LdapSubstringFilter { initial: Some("test"), any: [], final_: None })]), Or([Equality("uid", "%s"), Equality("sn", "%s"), Equality("givenName", "%s")])])
2023-02-09T13:17:08.343233354+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported user filter: Unsupported user filter: Substring(\"uid\", LdapSubstringFilter { initial: Some(\"test\"), any: [], final_: None })", referral: [] })
Logs from 09/02/2023, 11:41:23

The entry field in Rancher does search for users and groups, I do not get either.

I do not use Rancher to create users in LLDAP, only searching in LLDAP. I will raise an issue for support for SubString. Can you tell me an estimate? I do have a demo in about a week. If that is not possible I have to go with OpenLDAP :-(

Thanks so far, I hope the logs will help to solve this.

BTW, you can run Rancher in Docker, maybe this helps you to get this working? See https://ranchermanager.docs.rancher.com/reference-guides/single-node-rancher-in-docker/http-proxy-configuration

Thanks!


@nitnelave commented on GitHub (Feb 9, 2023):

Yeah, searching for users will not work without substring.

I can't really give you an estimate of when I'll implement it, because I don't know in general how much time I'll spend on this free, open source project :)
And this issue is not my top priority either. If you want to help by adding support for it yourself, I'd help by reviewing the PR! In that case things can go pretty fast.
Otherwise, a week is not realistic.

If you want another simple LDAP server, you can try kanidm as well.
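A triage sketch for the failure shown in the logs above, added here as an example and not part of the thread or of LLDAP's code: it pairs each `ldap_filter` debug line with the following `SearchResultDone`, reports non-Success results, and lists the substring clauses and any literal `%s` values the client sent. The sample lines are constructed in the format of the quoted log, and the function names are assumptions.

```python
import re

# Constructed sample in the format of the LLDAP debug log quoted in this thread
# (timestamps shortened, filter trimmed to two attributes).
SAMPLE_LOG = r'''
2023-02-09T13:17:07.864+00:00 INFO     ┕━ LDAP request [ 45.7µs | 0.06% / 0.08% ]
2023-02-09T13:17:07.864+00:00 DEBUG       │     ┕━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Or([Substring("uid", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None }), Substring("sn", LdapSubstringFilter { initial: Some("tes"), any: [], final_: None })]), Or([Equality("uid", "%s"), Equality("sn", "%s")])])
2023-02-09T13:17:07.864+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported user filter: Unsupported user filter: Substring(\"uid\", LdapSubstringFilter { initial: Some(\"tes\"), any: [], final_: None })", referral: [] })
2023-02-09T13:14:54.123+00:00 DEBUG       │  ┝━ 🐛 [debug]:  | ldap_filter: And([Equality("objectClass", "inetOrgPerson"), Equality("uid", "admin")])
2023-02-09T13:14:54.123+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
'''

LINE = re.compile(r'^(\S+)\s+(TRACE|DEBUG|INFO|WARN|ERROR)\s+(.*)$')
DONE = re.compile(r'SearchResultDone\(LdapResult \{ code: (\w+), matcheddn: "[^"]*", '
                  r'message: "((?:[^"\\]|\\.)*)"')
SUBSTRING = re.compile(r'Substring\("([^"]+)", LdapSubstringFilter \{ '
                       r'initial: (?:Some\("([^"]*)"\)|None), any: \[([^\]]*)\], '
                       r'final_: (?:Some\("([^"]*)"\)|None) \}')
PLACEHOLDER = re.compile(r'Equality\("([^"]+)", "%s"\)')


def _escape(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def rfc4515_substring(attr, initial, any_parts, final):
    """Render a substring filter the way it is typed in a client, e.g. (uid=tes*)."""
    parts = [initial or ""] + list(any_parts) + [final or ""]
    return "(%s=%s)" % (attr, "*".join(_escape(p) for p in parts))


def triage(log_text):
    """Pair each ldap_filter line with the next SearchResultDone and report problems.

    A search is reported when the server did not answer Success, or when the
    filter compares an attribute against the literal string "%s".
    """
    findings, pending_filter = [], ""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        timestamp, _level, body = m.groups()
        if "ldap_filter:" in body:
            pending_filter = body.split("ldap_filter:", 1)[1].strip()
            continue
        done = DONE.search(body)
        if not done:
            continue
        code = done.group(1)
        # The message is Rust Debug output, so inner quotes arrive as \"
        message = done.group(2).replace('\\"', '"')
        placeholders = PLACEHOLDER.findall(pending_filter)
        if code != "Success" or placeholders:
            findings.append({
                "timestamp": timestamp,
                "code": code,
                "message": message,
                "substring_filters": [
                    rfc4515_substring(a, i, re.findall(r'"([^"]*)"', mid), f)
                    for a, i, mid, f in SUBSTRING.findall(pending_filter)],
                "literal_placeholders": placeholders,
            })
        pending_filter = ""
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["timestamp"], finding["code"])
        print("  substring clauses:", ", ".join(finding["substring_filters"]) or "none")
        print("  attributes compared to literal %s:",
              ", ".join(finding["literal_placeholders"]) or "none")
```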


@Evantage-WS commented on GitHub (Feb 9, 2023):

I completely understand, appreciate all your work and support. I will wait for your fix, no rush.

I will take a look at kanidm as well, thanks!


@martadinata666 commented on GitHub (Feb 9, 2023):

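Pretty curious about this so I'm trying, and it's working? Not really sure, instead of openldap, this is freeipa. Should be pretty much alike? Not really sure about the differences.

  • I must fill search filter or I get `found '=', expected: !, identifier, or 'end of string'`
  • Also I'm not really sure about Username Attributes, from the docs it's about display name.

Rancher [OpenLDAP docs](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-openldap/openldap-config-reference)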

2023-02-09-215640_1727x924_scrot


@nitnelave commented on GitHub (Feb 9, 2023):

What if you put uid|cn in the search attributes? Does that break it?


@martadinata666 commented on GitHub (Feb 9, 2023):

Also works. I'm trying with openLDAP auth type, also works.
2023-02-09-232733_1739x827_scrot


@nitnelave commented on GitHub (Feb 9, 2023):

And just checking, searching for users also works?


@martadinata666 commented on GitHub (Feb 9, 2023):

I don't know how to trigger it, or I don't find it in rancher UI, literally just deploy a few hours out of curiosity 🤔 But I can log in with a few different UID as long as it is in one group. Looking for OP to test it out, it seems OP is more proficient using rancher


@Evantage-WS commented on GitHub (Feb 10, 2023):

@martadinata666, thanks for adding this, but unfortunately, it has the same problem as I have: searching does not work with this example. I tried it without the group as well in the search filter.


@martadinata666 commented on GitHub (Feb 10, 2023):

> I created a second user, called testuser and In Rancher I did a search for it, which fails. This is the log:

confused with this searching, where do I trigger it? or what should I do? 🤔


@Evantage-WS commented on GitHub (Feb 10, 2023):

In Rancher, at the OpenLDAP authentication provider, change the field on the left to the second choice and on the right, at Add member, you can do a search for a user or group. You only see this screen when the OpenLDAP has a successful connection.

image


@nitnelave commented on GitHub (Feb 13, 2023):

@Evantage-WS Can you try again with the latest image? It has support for SubString.


@Evantage-WS commented on GitHub (Feb 14, 2023):

Hi @nitnelave, nice, it is working. I can search for users and groups. I can login as a member of a newly created group. Thanks!


@nitnelave commented on GitHub (Feb 14, 2023):

Do you want to submit a PR sharing your config?


@Evantage-WS commented on GitHub (Feb 16, 2023):

Hi, I will certainly do that, present Corona hit me, so give me a few days.
