mirror of
https://github.com/lldap/lldap.git
synced 2026-04-25 16:25:55 +03:00
[GH-ISSUE #789] Question: Authelia Config: How to get user groups #286
Originally created by @a1730 on GitHub (Jan 12, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/789
Hi!
I am running into issues getting group membership out of LLDAP.
I have tried the following configurations of the group query, with the same blank response.
User testauth is a member of group1.
The LLDAP debug log shows the following:
INFO ┕━ LDAP request [ 1.94ms | 0.12% / 1.65% ]
DEBUG ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Equality("member", "uid=authtest,ou=people,dc=example,dc=com"), attrs: ["cn"] }), ctrl: [] }
DEBUG ┝━ do_search [ 1.80ms | 0.47% / 1.53% ]
DEBUG │ ┝━ 🐛 [debug]: | request.base: "ou=groups,dc=example,dc=com" | scope: Groups
DEBUG │ ┝━ get_groups_list [ 1.24ms | 0.03% / 1.06% ]
DEBUG │ │ ┝━ 🐛 [debug]: | filters: Member(UserId("authtest"))
DEBUG │ │ ┕━ list_groups [ 1.20ms | 1.02% ] filters: Some(Member(UserId("authtest")))
DEBUG │ │ ┕━ 🐛 [debug]: | return: [Group { id: GroupId(4), display_name: "group1", creation_date: 2024-01-11T07:24:57.348001, uuid: Uuid("a75b4c66-f432-3ff7-b970-3f4f8964ec1b"), users: [UserId("attest"), UserId("userone"), UserId("authtest"), UserId("usertwo"), UserId("userthree"), UserId("user4"), UserId("oneuser"), UserId("another")], attributes: [] }, Group { id: GroupId(9), display_name: "group2", creation_date: 2024-01-11T17:21:21.377478, uuid: Uuid("a3d16ac7-153b-3aed-9d5a-00c5d8d492ce"), users: [UserId("attest"), UserId("authtest")], attributes: [] }]
DEBUG │ ┝━ expand_attribute_wildcards [ 6.85µs | 0.01% ] ldap_attributes: ["cn"]
DEBUG │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["cn"]
DEBUG │ ┕━ expand_attribute_wildcards [ 1.78µs | 0.00% ] ldap_attributes: ["cn"]
DEBUG │ ┕━ 🐛 [debug]: | resolved_attributes: ["cn"]
DEBUG ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group1,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group1"] }] })
DEBUG ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group2,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group2"] }] })
DEBUG ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
What am I doing wrong?
@nitnelave commented on GitHub (Jan 12, 2024):
It looks like a simple syntax error: you're missing `(|` at the beginning, and authelia is not helping you see that. Filters are s-expressions, so of the form `(function arg1 arg2 arg3)` where each arg can be an s-expression itself. You're just missing the top-level OR, the function `|`.
@a1730 commented on GitHub (Jan 12, 2024):
S-what!? 6-001 again!? Unfortunately I bummed through that class 😊
Anyway, guessing your meaning, I tried
groups_filter: (|(member={dn})(&(member={dn})(objectClass=groupOfNames))(&(uniquemember={dn})(objectclass=groupOfUniqueNames)))
and met with the natural failure of a lack of understanding. I am too beaten up by the authelia/LLDAP combo; I would appreciate an expression that I can paste into the authelia configuration.
Can you do that for me please? Provide an S-expression to cut and paste into Authelia. The information in the LLDAP example_config does not work.
Thank you.
@nitnelave commented on GitHub (Jan 12, 2024):
Hmm, it seems I was carried away by an early diagnosis (I still stand by my explanation about the syntax error, but now I see that it doesn't change anything).
Your more complex query doesn't change anything, it will return the same thing as the one in the example config, which is correct. Looking at the LLDAP logs, I see that it returns the 2 groups that contain authtest. So the error must be somewhere else. Can I see your authelia config, and any relevant authelia logs?
@a1730 commented on GitHub (Jan 12, 2024):
This is the current state.
@a1730 commented on GitHub (Jan 12, 2024):
I need to add that I am currently on a released version v0.5.0.
I am working to deploy a newer build from here: https://github.com/lldap/lldap/actions/runs/7449328497
@nitnelave commented on GitHub (Jan 12, 2024):
That looks fine, and seems to yield the correct response from LLDAP. I wonder what's going on on authelia's side. Any interesting logs?
@a1730 commented on GitHub (Jan 12, 2024):
I know nothing about LDAP but it seems the query is wrong but please indulge me.
What group search query should I send with any LDAP client to LLDAP to return 'group1' from the following result?
response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group1,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group1"] }] })
I would like to hard code that query into the authelia config, and see what happens. Then I can start playing with the ors and ands.
@nitnelave commented on GitHub (Jan 12, 2024):
That would be `(cn="group1")` or the even more explicit `(dn="uid=group1,ou=groups,dc=...")`. But I don't think that's necessary. The query as it is is "give me all the groups that contain the user authtest", and it returns group1 and group2.
Look, I have experience debugging integrations with LLDAP, and in this case it's not an LLDAP problem: the query and the response over LDAP look fine. I'm guessing there's something wrong on the authelia side, so I'll ask once more: are there any relevant Authelia logs?
@a1730 commented on GitHub (Jan 12, 2024):
@nitnelave
It feels like I have exhausted your patience. I am very sorry for this, and i will move along shortly.
FWIW, I tried (cn="group1"), and got this result:
INFO ┕━ LDAP request [ 2.08ms | 0.10% / 1.79% ]
DEBUG ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Equality("cn", ""group1""), attrs: ["cn"] }), ctrl: [] }
DEBUG ┝━ do_search [ 1.96ms | 0.66% / 1.69% ]
DEBUG │ ┝━ 🐛 [debug]: | request.base: "ou=groups,dc=example,dc=com" | scope: Groups
DEBUG │ ┕━ get_groups_list [ 1.19ms | 0.04% / 1.03% ]
DEBUG │ ┝━ 🐛 [debug]: | filters: DisplayName(GroupName(""group1""))
DEBUG │ ┕━ list_groups [ 1.15ms | 0.99% ] filters: Some(DisplayName(GroupName(""group1"")))
DEBUG │ ┕━ 🐛 [debug]: | return: []
DEBUG ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
I keep thinking it has to do with LLDAP because I see `🐛 [debug]: | return: []`, but you are right, I don't know what I am talking about. BTW, I have installed ldapsearch so I can "learn to fish." Thank you for sharing a better part of your day with me. I truly appreciate the timely support.
Moving right along ...
@nitnelave commented on GitHub (Jan 12, 2024):
Aha, don't worry, you haven't exhausted my patience! Btw, the filter I gave you was wrong, you don't need the quotes, so it should be `(cn=group1)`. It's just that I don't have access to your system, and all the information you give me points to a misinterpretation of the LDAP response by Authelia. Which is why I'm once more asking you to look at the authelia logs.
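To make the two points in this thread concrete (the filter that is missing its top-level `(|`, and the value `"group1"` whose quotes LLDAP took literally and so returned `[]`), here is a small RFC 4515 filter parser and evaluator. It is an added example written for this page, not code from LLDAP or Authelia; the function names (`parse_filter`, `matches`, `search`, `fill_template`) and the three group entries are this example's own, constructed to look like the groups in the debug log above. It also adds the caveat a practitioner wants when a DN is substituted into a `groups_filter` template: the value must be escaped, otherwise a `*` or `)` in it rewrites the filter.

```python
"""Minimal RFC 4515 LDAP filter parser, evaluator and safe {dn} substitution.

Added example, not code from LLDAP or Authelia. A filter is an s-expression:
"(" operator args ")" where each arg may itself be a filter.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_value(value: str) -> str:
    """Escape a value before interpolating it into a filter (prevents filter injection)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unescape_value(value: str) -> str:
    """Reverse the \\XX hex escapes of RFC 4515."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fill_template(template: str, **values: str) -> str:
    """Substitute {name} placeholders (Authelia's groups_filter uses {dn}) with escaped values."""
    return re.sub(r"\{(\w+)\}", lambda m: escape_value(values[m.group(1)]), template)


class FilterError(ValueError):
    """Raised for a filter that is not a well-formed s-expression."""


def parse_filter(text: str):
    """Return a tuple tree: ('&', [...]) / ('|', [...]) / ('!', child) /
    ('present', attr) / ('=', attr, value) / ('substr', attr, [parts])."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        # This is exactly the "missing (| at the beginning" case: a second
        # filter follows the first one with nothing joining them.
        raise FilterError(f"unexpected data after filter at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' needs at least one sub-filter")
        node = (op, children)
    elif op == "!":
        child, pos = _parse(text, pos + 1)
        node = ("!", child)
    else:
        end = text.find(")", pos)  # a ')' inside a value must be escaped as \29
        if end == -1:
            raise FilterError("missing ')'")
        attr, sep, raw = text[pos:end].partition("=")  # first '=' only: DNs contain '='
        if not sep or not attr or attr[-1] in "<>~:":
            raise FilterError(f"unsupported or malformed item {text[pos:end]!r}")
        if raw == "*":
            node = ("present", attr)
        elif "*" in raw:  # only an unescaped '*' is a wildcard
            node = ("substr", attr, [unescape_value(p) for p in raw.split("*")])
        else:
            node = ("=", attr, unescape_value(raw))  # quotes are ordinary characters here
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return node, pos + 1


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against an entry {attr: [values]}; case-insensitive like caseIgnoreMatch."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1].lower(), [])]
    if kind == "present":
        return bool(values)
    if kind == "=":
        return node[2].lower() in values
    pattern = ".*".join(re.escape(p.lower()) for p in node[2])  # substr
    return any(re.fullmatch(pattern, v) for v in values)


def search(entries, filter_text):
    """Return the DNs of the entries matching filter_text (what a search under ou=groups would return)."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


# Constructed entries modelled on the groups in the debug log above; not real data.
USER_DN = "uid=authtest,ou=people,dc=example,dc=com"
GROUPS = [
    {"dn": "cn=group1,ou=groups,dc=example,dc=com", "cn": ["group1"],
     "objectclass": ["groupOfNames", "groupOfUniqueNames"],
     "member": [USER_DN, "uid=userone,ou=people,dc=example,dc=com"]},
    {"dn": "cn=group2,ou=groups,dc=example,dc=com", "cn": ["group2"],
     "objectclass": ["groupOfNames", "groupOfUniqueNames"],
     "member": [USER_DN, "uid=attest,ou=people,dc=example,dc=com"]},
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "cn": ["admins"],
     "objectclass": ["groupOfNames", "groupOfUniqueNames"],
     "member": ["uid=attest,ou=people,dc=example,dc=com"]},
]

if __name__ == "__main__":
    print(search(GROUPS, fill_template("(member={dn})", dn=USER_DN)))  # group1 and group2
    print(search(GROUPS, '(cn="group1")'))  # [] : the quotes are part of the value
    print(search(GROUPS, "(cn=group1)"))    # group1 only
```

Running it reproduces the thread: the membership filter returns group1 and group2, `(cn="group1")` returns nothing because the quotes become part of the compared value, and the filter without its leading `(|` is rejected as a second filter following the first. `fill_template` is the part worth keeping: with the DN `*` unescaped, `(member={dn})` would become the presence filter `(member=*)` and match every group, whereas the escaped `(member=\2a)` matches none.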
@a1730 commented on GitHub (Jan 12, 2024):
Thanks for your compassion, and the gentle push back.
I looked carefully at Authelia ... lo and behold it was stripping out the groups, before returning the profile.
time="2024-01-12T19:58:31Z" level=trace msg="Profile details for user 'authtest' => groups: [group1 group2], emails [authtest@accounts.example.com]" method=POST path=/api/firstfactor remote_ip=0.0.0.0
It would seem that it was NOT LLDAP's fault (this time around 😏). The issue is between the chair and the computer.
Thanks again for your support.
I will close the issue if you wish.
@a1730 commented on GitHub (Jan 13, 2024):
I am very, very sorry to have wasted your time yesterday. However, in case someone else comes around asking for them groups, I found out from the Authelia devs that Authelia does not expose user groups at this time.
Thank you for your time.
@nitnelave commented on GitHub (Jan 13, 2024):
Hey, don't be so hard on yourself, it was reasonable to suspect LLDAP, it's the less well-established player here, and I've had my share of reports where indeed we weren't responding with the expected info.
To help the next person, do you think you could make a small PR to drop a note in the authelia config explaining that the groups don't show up?
@a1730 commented on GitHub (Jan 13, 2024):
I would love to create a PR but don't do GIT. I tried to add the information directly to your repo yesterday but Github told me that I do not have write access so, I moved right along.
Thank you.
@james-d-elliott commented on GitHub (Jan 14, 2024):
To clarify for anyone else looking at this, Authelia absolutely does provide identity information to third parties which includes user groups. We support two practical and relatively standard methods for doing this via Response Headers (which can be securely and transparently added to Request Headers via our proxy integrations) and as an OpenID Connect 1.0 provider.
The issue in this instance was assuming what was returned at a particular API endpoint instead of checking the OpenAPI 3.0 documentation of the endpoints; I don't think LLDAP documenting these endpoints and usages when they are intended for usage with the Authelia portal would be too helpful unless I'm misunderstanding something?
It should also be noted we have a coming implementation template that includes several attribute values, filters, etc. which will ease integration of LLDAP with Authelia (we would also welcome any contributions or feedback via appropriate channels, also these values can mostly be used with the current release as a great starting point):
https://authelia-next.netlify.app/reference/guides/ldap/
Want to also say I appreciate all the troubleshooting nitnelave performed.