starred/lldap-lldap
1
0
Fork 0
mirror of https://github.com/lldap/lldap.git synced 2026-04-25 00:05:50 +03:00
Code Issues 101 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #863] [INTEGRATION] Trying to use LLDAP with etherpad (plus ep_ldapauth_ng plugin) #312

New issue
Open
opened 2026-02-27 08:16:35 +03:00 by kerem · 6 comments
kerem commented 2026-02-27 08:16:35 +03:00
Owner
Copy link

Originally created by @esp13 on GitHub (Mar 11, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/863

Description of the service
I'm a beginner so I have difficulties to configure correctly etherpad + ep_ldapauth_ng plugin (https://github.com/daschr/ep_ldapauth_ng#readme) to use LLDAP authentication.
Adding a working configuration for Etherpad in https://github.com/lldap/lldap/tree/main/example_configs could be usefull for other beginners :)

What you've tried

I tried this without success:

"users": {
    "ldapauth": {
        "url": "ldap://lldapserveraddress:lldapserverport",
        "accountBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org",
        "accountPattern": "(&(objectClass=*)(uid={{username}}))",
        "displayNameAttribute": "cn",
        "searchDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org",
        "searchPWD": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory",
        "groupSearchBase": "ou=groups,dc=mysubdomain,dc=mydomain,dc=org",
        "groupAttribute": "member",
        "groupAttributeIsDN": false,
        "searchScope": "sub",
        "groupSearch": "(&(cn=mylldapgroupforwitchuserscanhaveadminrights)(objectClass=groupOfUniqueNames))",
        "anonymousReadonly": false
    }
},

I'm not sure but this seems to be a valid command to test if an user is member of a group : (&(objectClass=person)(memberof=cn=mylldapgroupforwitchuserscanhaveadminrights,ou=groups,dc=mysubdomain,dc=mydomain,dc=org)) bug no idea how to put this into the configuration

What's not working

In Etherpad logs I get:
Failed authentication from IP myIP
When the password is right (more error messages when the password is wrong)

Working Bonus

I have an other etherpad plugin (ep_mypads: https://www.npmjs.com/package/ep_mypads) that is working great with this configuration:

{
    "url": "ldap://lldapserveraddress:lldapserverport",
    "bindDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org",
    "bindCredentials": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory",
    "searchBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org",
    "searchFilter": "(uid={{username}})",
    "tlsOptions": {
        "rejectUnauthorized": true
    },
    "properties": {
        "login": "uid",
        "email": "mail",
        "firstname": "givenName",
        "lastname": "sn"
    },
    "defaultLang": "fr"
}
Originally created by @esp13 on GitHub (Mar 11, 2024). Original GitHub issue: https://github.com/lldap/lldap/issues/863 **Description of the service** I'm a beginner so I have difficulties to configure correctly etherpad + ep_ldapauth_ng plugin (https://github.com/daschr/ep_ldapauth_ng#readme) to use LLDAP authentication. Adding a working configuration for Etherpad in https://github.com/lldap/lldap/tree/main/example_configs could be usefull for other beginners :) **What you've tried** I tried this without success: ``` "users": { "ldapauth": { "url": "ldap://lldapserveraddress:lldapserverport", "accountBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org", "accountPattern": "(&(objectClass=*)(uid={{username}}))", "displayNameAttribute": "cn", "searchDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", "searchPWD": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory", "groupSearchBase": "ou=groups,dc=mysubdomain,dc=mydomain,dc=org", "groupAttribute": "member", "groupAttributeIsDN": false, "searchScope": "sub", "groupSearch": "(&(cn=mylldapgroupforwitchuserscanhaveadminrights)(objectClass=groupOfUniqueNames))", "anonymousReadonly": false } }, ``` I'm not sure but this seems to be a valid command to test if an user is member of a group : `(&(objectClass=person)(memberof=cn=mylldapgroupforwitchuserscanhaveadminrights,ou=groups,dc=mysubdomain,dc=mydomain,dc=org))` bug no idea how to put this into the configuration **What's not working** In Etherpad logs I get: `Failed authentication from IP myIP` When the password is right (more error messages when the password is wrong) **Working Bonus** I have an other etherpad plugin (ep_mypads: https://www.npmjs.com/package/ep_mypads) that is working great with this configuration: ``` { "url": "ldap://lldapserveraddress:lldapserverport", "bindDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", "bindCredentials": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory", "searchBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org", "searchFilter": "(uid={{username}})", "tlsOptions": { "rejectUnauthorized": true }, "properties": { "login": "uid", "email": "mail", "firstname": "givenName", "lastname": "sn" }, "defaultLang": "fr" } ```
kerem commented 2026-02-27 08:16:35 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Mar 12, 2024):

I think for the admin group you need to set groupSearch to (&(objectClass=groupOfUniqueNames)(uid=mylldapgroupforwitchuserscanhaveadminrights)).

If you want to have another group to control access to the directory, you can plug that in the accountPattern: (&(objectClass=person)(uid={{username}})(memberOf=uid=mylldapgroupforwitchuserscanaccess,ou=groups,dc=example,dc=com))

I think you also want groupAttributeIsDN to be true.

I don't know why you'd get an authentication error, though. Can you post the verbose LLDAP logs from trying to log in?

<!-- gh-comment-id:1990918974 --> @nitnelave commented on GitHub (Mar 12, 2024): I think for the admin group you need to set `groupSearch` to `(&(objectClass=groupOfUniqueNames)(uid=mylldapgroupforwitchuserscanhaveadminrights))`. If you want to have another group to control access to the directory, you can plug that in the `accountPattern`: `(&(objectClass=person)(uid={{username}})(memberOf=uid=mylldapgroupforwitchuserscanaccess,ou=groups,dc=example,dc=com))` I think you also want `groupAttributeIsDN` to be true. I don't know why you'd get an authentication error, though. Can you post the verbose LLDAP logs from trying to log in?
kerem commented 2026-02-27 08:16:36 +03:00
Author
Owner
Copy link

@esp13 commented on GitHub (Mar 12, 2024):

Thank you for your answer.

I think for the admin group you need to set groupSearch to (&(objectClass=groupOfUniqueNames)(uid=mylldapgroupforwitchuserscanhaveadminrights)).

If you want to have another group to control access to the directory, you can plug that in the accountPattern: (&(objectClass=person)(uid={{username}})(memberOf=uid=mylldapgroupforwitchuserscanaccess,ou=groups,dc=example,dc=com))

I think you also want groupAttributeIsDN to be true.

I don't know why you'd get an authentication error, though. Can you post the verbose LLDAP logs from trying to log in?

With this configuration: (I didn't add the other group to control access for now (step by step :) )so each user should be able to get standard access)

"users": {
    "ldapauth": {
        "url": "ldap://lldapserveraddress:lldapserverport",
        "accountBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org",
        "accountPattern": "(&(objectClass=*)(uid={{username}}))",
        "displayNameAttribute": "cn",
        "searchDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org",
        "searchPWD": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory",
        "groupSearchBase": "ou=groups,dc=mysubdomain,dc=mydomain,dc=org",
        "groupAttribute": "member",
        "groupAttributeIsDN": true,
        "searchScope": "sub",
        "groupSearch": "(&(objectClass=groupOfUniqueNames)(uid=mylldapgroupforwitchuserscanhaveadminrights))",
        "anonymousReadonly": false
    }
},

With an user test that is not part of the group mylldapgroupforwitchuserscanhaveadminrights I get this in LLDAP logs:


LDAP session [ 148ms | 0.06% / 100.00% ]
    ┝━ LDAP request [ 148ms | 0.06% / 99.93% ]
    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=test,ou=people,dc=mysubdomain,dc=mydomain,dc=org", cred: LdapBindCred::Simple }), ctrl: [] }
    │  ┝━ do_bind [ 148ms | 0.03% / 99.87% ] dn: uid=test,ou=people,dc=mysubdomain,dc=mydomain,dc=org
    │  │  ┝━ bind [ 148ms | 0.01% / 99.68% ]
    │  │  │  ┝━ get_password_file_for_user [ 90.8µs | 0.06% ] user_id: UserId("test")
    │  │  │  ┕━ passwords_match [ 148ms | 99.61% ] username: test
    │  │  ┝━ get_user_groups [ 249µs | 0.17% ] user_id: "test"
    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }}
    │  │  ┕━ 🐛 [debug]: Success!
    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
    ┕━ LDAP request [ 10.3µs | 0.01% ]
       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] }
    LDAP session [ 138ms | 0.09% / 100.00% ]
    ┝━ LDAP request [ 137ms | 0.07% / 99.38% ]
    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", cred: LdapBindCred::Simple }), ctrl: [] }
    │  ┝━ do_bind [ 137ms | 0.03% / 99.31% ] dn: uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org
    │  │  ┝━ bind [ 137ms | 0.01% / 99.07% ]
    │  │  │  ┝━ get_password_file_for_user [ 147µs | 0.11% ] user_id: UserId("mylldapuserthathaspermissionstoreadhtedirectory")
    │  │  │  ┕━ passwords_match [ 137ms | 98.95% ] username: mylldapuserthathaspermissionstoreadhtedirectory
    │  │  ┝━ get_user_groups [ 296µs | 0.21% ] user_id: "mylldapuserthathaspermissionstoreadhtedirectory"
    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }}
    │  │  ┕━ 🐛 [debug]: Success!
    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
    ┝━ LDAP request [ 720µs | 0.09% / 0.52% ]
    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people, dc=mysubdomain, dc=mydomain, dc=org", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 10, typesonly: false, filter: And([Present("objectClass"), Equality("uid", "test")]), attrs: [] }), ctrl: [] }
    │  ┝━ do_search [ 596µs | 0.14% / 0.43% ]
    │  │  ┝━ 🐛 [debug]:  | request.base: "ou=people, dc=mysubdomain, dc=mydomain, dc=org" | scope: Users
    │  │  ┝━ get_user_list [ 388µs | 0.02% / 0.28% ]
    │  │  │  ┝━ 🐛 [debug]:  | filters: And([And([]), UserId(UserId("test"))])
    │  │  │  ┕━ list_users [ 363µs | 0.26% ] filters: Some(And([And([]), UserId(UserId("test"))])) | _get_groups: false
    │  │  │     ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId("test"), email: "test@test.test", display_name: Some("testDN"), creation_date: 2024-02-11T16:16:19.264620212, uuid: Uuid("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"), attributes: [AttributeValue { name: "first_name", value: Serialized("testFN") }, AttributeValue { name: "last_name", value: Serialized("testLN") }] }, groups: Some([GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }]) }]
    │  │  ┕━ expand_attribute_wildcards [ 12.1µs | 0.01% ] ldap_attributes: []
    │  │     ┕━ 🐛 [debug]:  | resolved_attributes: ["objectclass", "uid", "mail", "givenname", "sn", "cn", "jpegPhoto", "createtimestamp", "entryuuid"]
    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=test,ou=people,dc=mysubdomain,dc=mydomain,dc=org", attributes: [LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "uid", vals: ["test"] }, LdapPartialAttribute { atype: "mail", vals: ["test@test.test"] }, LdapPartialAttribute { atype: "givenname", vals: ["testFN"] }, LdapPartialAttribute { atype: "sn", vals: ["testLN"] }, LdapPartialAttribute { atype: "cn", vals: ["testDN"] }, LdapPartialAttribute { atype: "createtimestamp", vals: ["2024-02-11T16:16:19.264620212+00:00"] }, LdapPartialAttribute { atype: "entryuuid", vals: ["zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"] }] })
    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
    ┕━ LDAP request [ 8.43µs | 0.01% ]
       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] }
    LDAP session [ 138ms | 0.09% / 100.00% ]
    ┝━ LDAP request [ 137ms | 0.06% / 99.47% ]
    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", cred: LdapBindCred::Simple }), ctrl: [] }
    │  ┝━ do_bind [ 137ms | 0.03% / 99.41% ] dn: uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org
    │  │  ┝━ bind [ 136ms | 0.01% / 99.24% ]
    │  │  │  ┝━ get_password_file_for_user [ 74.2µs | 0.05% ] user_id: UserId("mylldapuserthathaspermissionstoreadhtedirectory")
    │  │  │  ┕━ passwords_match [ 136ms | 99.18% ] username: mylldapuserthathaspermissionstoreadhtedirectory
    │  │  ┝━ get_user_groups [ 200µs | 0.15% ] user_id: "mylldapuserthathaspermissionstoreadhtedirectory"
    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }}
    │  │  ┕━ 🐛 [debug]: Success!
    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
    ┝━ LDAP request [ 581µs | 0.08% / 0.42% ]
    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=groups, dc=mysubdomain, dc=mydomain, dc=org", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 10, typesonly: false, filter: And([Equality("objectClass", "groupOfUniqueNames"), Equality("uid", "mylldapgroupforwitchuserscanhaveadminrights")]), attrs: [] }), ctrl: [] }
    │  ┝━ do_search [ 467µs | 0.11% / 0.34% ]
    │  │  ┝━ 🐛 [debug]:  | request.base: "ou=groups, dc=mysubdomain, dc=mydomain, dc=org" | scope: Groups
    │  │  ┝━ get_groups_list [ 308µs | 0.01% / 0.22% ]
    │  │  │  ┝━ 🐛 [debug]:  | filters: And([And([]), DisplayName("mylldapgroupforwitchuserscanhaveadminrights")])
    │  │  │  ┕━ list_groups [ 289µs | 0.21% ] filters: Some(And([And([]), DisplayName("mylldapgroupforwitchuserscanhaveadminrights")]))
    │  │  │     ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(4), display_name: "mylldapgroupforwitchuserscanhaveadminrights", creation_date: 2024-03-11T12:41:49.627889976, uuid: Uuid("yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"), users: [UserId("mylldapuserthatisinthegroupthatcanhaveadminrights")], attributes: [] }]
    │  │  ┕━ expand_attribute_wildcards [ 9.27µs | 0.01% ] ldap_attributes: []
    │  │     ┕━ 🐛 [debug]:  | resolved_attributes: ["objectclass", "uid", "cn", "member", "uniquemember", "entryuuid"]
    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=mylldapgroupforwitchuserscanhaveadminrights,ou=groups,dc=mysubdomain,dc=mydomain,dc=org", attributes: [LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }, LdapPartialAttribute { atype: "uid", vals: ["mylldapgroupforwitchuserscanhaveadminrights"] }, LdapPartialAttribute { atype: "cn", vals: ["mylldapgroupforwitchuserscanhaveadminrights"] }, LdapPartialAttribute { atype: "member", vals: ["uid=mylldapuserthatisinthegroupthatcanhaveadminrights,ou=people,dc=mysubdomain,dc=mydomain,dc=org"] }, LdapPartialAttribute { atype: "uniquemember", vals: ["uid=mylldapuserthatisinthegroupthatcanhaveadminrights,ou=people,dc=mysubdomain,dc=mydomain,dc=org"] }, LdapPartialAttribute { atype: "entryuuid", vals: ["yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"] }] })
    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
    ┕━ LDAP request [ 12.3µs | 0.01% ]
       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] }
<!-- gh-comment-id:1992656225 --> @esp13 commented on GitHub (Mar 12, 2024): Thank you for your answer. > I think for the admin group you need to set `groupSearch` to `(&(objectClass=groupOfUniqueNames)(uid=mylldapgroupforwitchuserscanhaveadminrights))`. > > If you want to have another group to control access to the directory, you can plug that in the `accountPattern`: `(&(objectClass=person)(uid={{username}})(memberOf=uid=mylldapgroupforwitchuserscanaccess,ou=groups,dc=example,dc=com))` > > I think you also want `groupAttributeIsDN` to be true. > > I don't know why you'd get an authentication error, though. Can you post the verbose LLDAP logs from trying to log in? With this configuration: (I didn't add the other group to control access for now (step by step :) )so each user should be able to get standard access) ``` "users": { "ldapauth": { "url": "ldap://lldapserveraddress:lldapserverport", "accountBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org", "accountPattern": "(&(objectClass=*)(uid={{username}}))", "displayNameAttribute": "cn", "searchDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", "searchPWD": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory", "groupSearchBase": "ou=groups,dc=mysubdomain,dc=mydomain,dc=org", "groupAttribute": "member", "groupAttributeIsDN": true, "searchScope": "sub", "groupSearch": "(&(objectClass=groupOfUniqueNames)(uid=mylldapgroupforwitchuserscanhaveadminrights))", "anonymousReadonly": false } }, ``` With an user **test** that is **not** part of the group **mylldapgroupforwitchuserscanhaveadminrights** I get this in LLDAP logs: ``` LDAP session [ 148ms | 0.06% / 100.00% ] ┝━ LDAP request [ 148ms | 0.06% / 99.93% ] │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=test,ou=people,dc=mysubdomain,dc=mydomain,dc=org", cred: LdapBindCred::Simple }), ctrl: [] } │ ┝━ do_bind [ 148ms | 0.03% / 99.87% ] dn: uid=test,ou=people,dc=mysubdomain,dc=mydomain,dc=org │ │ ┝━ bind [ 148ms | 0.01% / 99.68% ] │ │ │ ┝━ get_password_file_for_user [ 90.8µs | 0.06% ] user_id: UserId("test") │ │ │ ┕━ passwords_match [ 148ms | 99.61% ] username: test │ │ ┝━ get_user_groups [ 249µs | 0.17% ] user_id: "test" │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }} │ │ ┕━ 🐛 [debug]: Success! │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) ┕━ LDAP request [ 10.3µs | 0.01% ] ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] } LDAP session [ 138ms | 0.09% / 100.00% ] ┝━ LDAP request [ 137ms | 0.07% / 99.38% ] │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", cred: LdapBindCred::Simple }), ctrl: [] } │ ┝━ do_bind [ 137ms | 0.03% / 99.31% ] dn: uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org │ │ ┝━ bind [ 137ms | 0.01% / 99.07% ] │ │ │ ┝━ get_password_file_for_user [ 147µs | 0.11% ] user_id: UserId("mylldapuserthathaspermissionstoreadhtedirectory") │ │ │ ┕━ passwords_match [ 137ms | 98.95% ] username: mylldapuserthathaspermissionstoreadhtedirectory │ │ ┝━ get_user_groups [ 296µs | 0.21% ] user_id: "mylldapuserthathaspermissionstoreadhtedirectory" │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }} │ │ ┕━ 🐛 [debug]: Success! │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) ┝━ LDAP request [ 720µs | 0.09% / 0.52% ] │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people, dc=mysubdomain, dc=mydomain, dc=org", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 10, typesonly: false, filter: And([Present("objectClass"), Equality("uid", "test")]), attrs: [] }), ctrl: [] } │ ┝━ do_search [ 596µs | 0.14% / 0.43% ] │ │ ┝━ 🐛 [debug]: | request.base: "ou=people, dc=mysubdomain, dc=mydomain, dc=org" | scope: Users │ │ ┝━ get_user_list [ 388µs | 0.02% / 0.28% ] │ │ │ ┝━ 🐛 [debug]: | filters: And([And([]), UserId(UserId("test"))]) │ │ │ ┕━ list_users [ 363µs | 0.26% ] filters: Some(And([And([]), UserId(UserId("test"))])) | _get_groups: false │ │ │ ┕━ 🐛 [debug]: | return: [UserAndGroups { user: User { user_id: UserId("test"), email: "test@test.test", display_name: Some("testDN"), creation_date: 2024-02-11T16:16:19.264620212, uuid: Uuid("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"), attributes: [AttributeValue { name: "first_name", value: Serialized("testFN") }, AttributeValue { name: "last_name", value: Serialized("testLN") }] }, groups: Some([GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }]) }] │ │ ┕━ expand_attribute_wildcards [ 12.1µs | 0.01% ] ldap_attributes: [] │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["objectclass", "uid", "mail", "givenname", "sn", "cn", "jpegPhoto", "createtimestamp", "entryuuid"] │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=test,ou=people,dc=mysubdomain,dc=mydomain,dc=org", attributes: [LdapPartialAttribute { atype: "objectclass", vals: ["inetOrgPerson", "posixAccount", "mailAccount", "person"] }, LdapPartialAttribute { atype: "uid", vals: ["test"] }, LdapPartialAttribute { atype: "mail", vals: ["test@test.test"] }, LdapPartialAttribute { atype: "givenname", vals: ["testFN"] }, LdapPartialAttribute { atype: "sn", vals: ["testLN"] }, LdapPartialAttribute { atype: "cn", vals: ["testDN"] }, LdapPartialAttribute { atype: "createtimestamp", vals: ["2024-02-11T16:16:19.264620212+00:00"] }, LdapPartialAttribute { atype: "entryuuid", vals: ["zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"] }] }) │ ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] }) ┕━ LDAP request [ 8.43µs | 0.01% ] ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] } LDAP session [ 138ms | 0.09% / 100.00% ] ┝━ LDAP request [ 137ms | 0.06% / 99.47% ] │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", cred: LdapBindCred::Simple }), ctrl: [] } │ ┝━ do_bind [ 137ms | 0.03% / 99.41% ] dn: uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org │ │ ┝━ bind [ 136ms | 0.01% / 99.24% ] │ │ │ ┝━ get_password_file_for_user [ 74.2µs | 0.05% ] user_id: UserId("mylldapuserthathaspermissionstoreadhtedirectory") │ │ │ ┕━ passwords_match [ 136ms | 99.18% ] username: mylldapuserthathaspermissionstoreadhtedirectory │ │ ┝━ get_user_groups [ 200µs | 0.15% ] user_id: "mylldapuserthathaspermissionstoreadhtedirectory" │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-02-11T16:08:43.151252775, uuid: Uuid("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"), attributes: [] }} │ │ ┕━ 🐛 [debug]: Success! │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) ┝━ LDAP request [ 581µs | 0.08% / 0.42% ] │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=groups, dc=mysubdomain, dc=mydomain, dc=org", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 10, typesonly: false, filter: And([Equality("objectClass", "groupOfUniqueNames"), Equality("uid", "mylldapgroupforwitchuserscanhaveadminrights")]), attrs: [] }), ctrl: [] } │ ┝━ do_search [ 467µs | 0.11% / 0.34% ] │ │ ┝━ 🐛 [debug]: | request.base: "ou=groups, dc=mysubdomain, dc=mydomain, dc=org" | scope: Groups │ │ ┝━ get_groups_list [ 308µs | 0.01% / 0.22% ] │ │ │ ┝━ 🐛 [debug]: | filters: And([And([]), DisplayName("mylldapgroupforwitchuserscanhaveadminrights")]) │ │ │ ┕━ list_groups [ 289µs | 0.21% ] filters: Some(And([And([]), DisplayName("mylldapgroupforwitchuserscanhaveadminrights")])) │ │ │ ┕━ 🐛 [debug]: | return: [Group { id: GroupId(4), display_name: "mylldapgroupforwitchuserscanhaveadminrights", creation_date: 2024-03-11T12:41:49.627889976, uuid: Uuid("yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"), users: [UserId("mylldapuserthatisinthegroupthatcanhaveadminrights")], attributes: [] }] │ │ ┕━ expand_attribute_wildcards [ 9.27µs | 0.01% ] ldap_attributes: [] │ │ ┕━ 🐛 [debug]: | resolved_attributes: ["objectclass", "uid", "cn", "member", "uniquemember", "entryuuid"] │ ┝━ 🐛 [debug]: | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=mylldapgroupforwitchuserscanhaveadminrights,ou=groups,dc=mysubdomain,dc=mydomain,dc=org", attributes: [LdapPartialAttribute { atype: "objectclass", vals: ["groupOfUniqueNames"] }, LdapPartialAttribute { atype: "uid", vals: ["mylldapgroupforwitchuserscanhaveadminrights"] }, LdapPartialAttribute { atype: "cn", vals: ["mylldapgroupforwitchuserscanhaveadminrights"] }, LdapPartialAttribute { atype: "member", vals: ["uid=mylldapuserthatisinthegroupthatcanhaveadminrights,ou=people,dc=mysubdomain,dc=mydomain,dc=org"] }, LdapPartialAttribute { atype: "uniquemember", vals: ["uid=mylldapuserthatisinthegroupthatcanhaveadminrights,ou=people,dc=mysubdomain,dc=mydomain,dc=org"] }, LdapPartialAttribute { atype: "entryuuid", vals: ["yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"] }] }) │ ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] }) ┕━ LDAP request [ 12.3µs | 0.01% ] ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] } ```
kerem commented 2026-02-27 08:16:36 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Mar 12, 2024):

That all looks correct: it first tries to bind as "test", to check the password, and that works. Then it connects as your read-only bind user to get the "test" user details, and the admin group details (which does not contain test).

What issues are you facing?

<!-- gh-comment-id:1992747783 --> @nitnelave commented on GitHub (Mar 12, 2024): That all looks correct: it first tries to bind as "test", to check the password, and that works. Then it connects as your read-only bind user to get the "test" user details, and the admin group details (which does not contain test). What issues are you facing?
kerem commented 2026-02-27 08:16:36 +03:00
Author
Owner
Copy link

@esp13 commented on GitHub (Mar 13, 2024):

That all looks correct: it first tries to bind as "test", to check the password, and that works. Then it connects as your read-only bind user to get the "test" user details, and the admin group details (which does not contain test).

What issues are you facing?

Etherpad doesn't grant access (it ask for login one more time) and in Etherpad logs I get:
Failed authentication from IP myIP

Edit: I'm asking myself if I am wasting a lot of time for a plugin issue or if I misunderstood the doc. https://github.com/daschr/ep_ldapauth_ng/ I thought I could connect through ldap directly OR through ldap + OIDC but maybe I'm wrong.

<!-- gh-comment-id:1993713558 --> @esp13 commented on GitHub (Mar 13, 2024): > That all looks correct: it first tries to bind as "test", to check the password, and that works. Then it connects as your read-only bind user to get the "test" user details, and the admin group details (which does not contain test). > > What issues are you facing? Etherpad doesn't grant access (it ask for login one more time) and in Etherpad logs I get: `Failed authentication from IP myIP` Edit: I'm asking myself if I am wasting a lot of time for a plugin issue or if I misunderstood the doc. https://github.com/daschr/ep_ldapauth_ng/ I thought I could connect through ldap directly OR through ldap + OIDC but maybe I'm wrong.
kerem commented 2026-02-27 08:16:36 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Mar 14, 2024):

Hmm, I can help you debug the LDAP part, but it seems to be working well. At this point, you'll be better served by asking the etherpad community (or the plugin author) for help. Maybe also looking at the etherpad logs.

<!-- gh-comment-id:1996847680 --> @nitnelave commented on GitHub (Mar 14, 2024): Hmm, I can help you debug the LDAP part, but it seems to be working well. At this point, you'll be better served by asking the etherpad community (or the plugin author) for help. Maybe also looking at the etherpad logs.
kerem commented 2026-02-27 08:16:36 +03:00
Author
Owner
Copy link

@esp13 commented on GitHub (Mar 29, 2024):

Hmm, I can help you debug the LDAP part, but it seems to be working well. At this point, you'll be better served by asking the etherpad community (or the plugin author) for help. Maybe also looking at the etherpad logs.

I think the main problem is that this ep_ldapauth_ng plugin (https://github.com/daschr/ep_ldapauth_ng#readme) isn't working with last etherpad version anymore.
Curious, I tried the older one ep_ldapauth (non _ng) plugin (https://github.com/tykeal/ep_ldapauth#readme) with this configuration :

"users": {
    "ldapauth": {
        "url": "ldap://lldapserveraddress:lldapserverport",
        "accountBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org",
        "accountPattern": "(&(objectClass=*)(uid={{username}}))",
        "displayNameAttribute": "cn",
        "searchDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org",
        "searchPWD": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory",
        "groupSearchBase": "ou=groups,dc=mysubdomain,dc=mydomain,dc=org",
        "groupAttribute": "member",
        "groupAttributeIsDN": true,
        "searchScope": "sub",
        "groupSearch": "(&(objectClass=groupOfUniqueNames)(cn=mylldapgroupforwitchuserscanhaveadminrights))",
        "anonymousReadonly": false
    }
},

It worked for regular users. But doesn't work for users from the mylldapgroupforwitchuserscanhaveadminrights group that don't get etherpad admin permission.
Maybe the etherpad admin login mechanism has been modified since last plugin update.

<!-- gh-comment-id:2026887006 --> @esp13 commented on GitHub (Mar 29, 2024): > Hmm, I can help you debug the LDAP part, but it seems to be working well. At this point, you'll be better served by asking the etherpad community (or the plugin author) for help. Maybe also looking at the etherpad logs. I think the main problem is that this ep_ldapauth_ng plugin (https://github.com/daschr/ep_ldapauth_ng#readme) isn't working with last etherpad version anymore. Curious, I tried the older one ep_ldapauth (non **_ng**) plugin (https://github.com/tykeal/ep_ldapauth#readme) with this configuration : ``` "users": { "ldapauth": { "url": "ldap://lldapserveraddress:lldapserverport", "accountBase": "ou=people,dc=mysubdomain,dc=mydomain,dc=org", "accountPattern": "(&(objectClass=*)(uid={{username}}))", "displayNameAttribute": "cn", "searchDN": "uid=mylldapuserthathaspermissionstoreadhtedirectory,ou=people,dc=mysubdomain,dc=mydomain,dc=org", "searchPWD": "thepasswordofmylldapuserthathaspermissionstoreadhtedirectory", "groupSearchBase": "ou=groups,dc=mysubdomain,dc=mydomain,dc=org", "groupAttribute": "member", "groupAttributeIsDN": true, "searchScope": "sub", "groupSearch": "(&(objectClass=groupOfUniqueNames)(cn=mylldapgroupforwitchuserscanhaveadminrights))", "anonymousReadonly": false } }, ``` It worked for regular users. But doesn't work for users from the mylldapgroupforwitchuserscanhaveadminrights group that don't get etherpad admin permission. Maybe the etherpad admin login mechanism has been modified since last plugin update.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/github_actions/codecov/codecov-action-6
copilot/fix-equality-filters-list-attributes
dependabot/github_actions/docker/build-push-action-7
dependabot/github_actions/docker/metadata-action-6
dependabot/github_actions/docker/setup-buildx-action-4
dependabot/github_actions/docker/login-action-4
copilot/update-download-artifact-action
copilot/fix-opensuse-warnings
copilot/fix-1268
copilot/fix-727
copilot/fix-898
copilot/fix-1256
copilot/fix-1251
copilot/fix-1249
copilot/fix-1206
user-attribute-form
user-ui
group-ui
server-user-attribute-schema
crates
haveibeenpwned
v0.6.2
v0.6.1
v0.6.0
v0.5.0
v0.4.3
v0.4.2
v0.4.1
v0.4.0
v0.3.0
v0.2.0
v0.0.1
Labels
Clear labels   
backend

   
blocked

   
bug

   
cleanup

   
dependencies

   
docker

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
frontend

   
github_actions

   
good first issue

   
help wanted

   
help wanted

   
integration

   
invalid

   
ldap

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
rust

   
rust

   
tests

   
wontfix
No labels
backend
blocked
bug
cleanup
dependencies
docker
documentation
duplicate
enhancement
enhancement
frontend
github_actions
good first issue
help wanted
help wanted
integration
invalid
ldap
pull-request
question
rust
rust
tests
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/lldap-lldap#312
No description provided.