[GH-ISSUE #871] [INTEGRATION] AMP by cubecoders #313

Closed
opened 2026-02-27 08:16:35 +03:00 by kerem · 6 comments
Owner

Originally created by @Toylerrr on GitHub (Mar 18, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/871

Checklist

  • [x] Check if there is already an example config (https://github.com/lldap/lldap/tree/main/example_configs) for it.
  • [x] Try to figure out the configuration values for the new service yourself.
    • You can use other example configs for inspiration.
    • If you're having trouble, you can ask on Discord (https://discord.gg/h5PEdRMNyP) or create an issue.
    • If you succeed, make sure to contribute an example configuration, or a configuration guide.
  • If you hit a block because of an unimplemented feature, create an issue.

Working on getting LLDAP to work with AMP by cubecoders

This is the config:

```
################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=
Login.MetricsServerPort=0
Login.UseLDAPLogins=True
Login.UseLDAP3=True
Login.AllowLocalUsersWithLDAP=True
Login.LDAPAuthDomain=
Login.LDAP3Host=
Login.LDAP3FilterDN=
Login.LDAP3UserDN=
Login.LDAPGroupPrefix=amp_
Login.LDAPUserDomain=
Login.LDAP3UsesSSL=False
Login.LDAPADPre2000=False
Login.LDAPStripDomainFromFilter=True
Login.LDAPQueryUsername=
Login.LDAPQueryPassword=
```

This is what Cubecoders states the settings should be:

```
Login.UseLDAPLogins=True                           //Enables LDAP authentication as the preferred provider.
Login.UseLDAP3=True                                //Use the newer LDAP implementation. More flexible and supports more LDAP servers.
Login.LDAP3Host=localhost                          //The hostname/IP of the LDAP server. A hostname is required when using SSL.
Login.LDAP3FilterDN=CN=Users,DC=example,DC=org     //The search filter user to find users.
Login.LDAP3UserDN=User@example.org                 //The DN of the user used by AMP to perform queries. Needs permission to query other users.
Login.LDAPGroupPrefix=AMP_                         //The group name prefix to identify memberOf groups that are to be mapped to AMP roles.
Login.LDAPQueryPassword=correcthorsebatterystaple  //The password of the user that will be performing LDAP lookups. This will be stored encrypted.
Login.LDAPStripDomainFromFilter=False              //If enabled, then logging in with simply "User@Domain" will be changed to be just "User"
```

This is the function that does the query within AMP:

```csharp
using System.DirectoryServices;

// Bind to the directory as the configured query user, then look up the account
// that is logging in and read back its group memberships.
using var de = new DirectoryEntry("LDAP://" + domain, username, password, AuthenticationTypes.Encryption);
using var directorySearcher = new DirectorySearcher(de);

// Active Directory style filter: objectCategory and sAMAccountName are AD attributes.
// Note that {username} is interpolated into the filter without RFC 4515 escaping.
directorySearcher.Filter = $"(&(objectClass=person)(objectCategory=user)(sAMAccountname={username}))";
directorySearcher.PropertiesToLoad.Add("sAMAccountname");
directorySearcher.PropertiesToLoad.Add("memberOf");
SearchResult searchResult = directorySearcher.FindOne();
```

This is the error I am getting in the AMP console after login:

```
LDAP query filter: (&(objectClass=user)(sAMAccountName=tyler))
LdapException
[0] (LdapException) : Invalid DN Syntax
at DirectoryServices.DirectorySearcher.DoSearch () at DirectoryServices.DirectorySearcher.get_SrchColl () at DirectoryServices.DirectorySearcher.FindOne () at (wrapper remoting-invoke-with-check) DirectoryServices.DirectorySearcher.FindOne() at GSMyAdmin.Authentication.LDAPDSAuth.Authenticate (String username, String password)
LDAP Login failure for tyler: Unable to query LDAP server: Invalid DN Syntax
```

Am I missing something simple? Because I can't seem to get it to work.

This is my config that led to the LDAP exception:

```
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=http://IPADDRESS:8080/
Login.MetricsServerPort=0
Login.UseLDAPLogins=True
Login.UseLDAP3=True
Login.AllowLocalUsersWithLDAP=True
Login.LDAPAuthDomain=DC=DOMAIN,DC=xyz
Login.LDAP3Host=IPADDRESS:3890/OU=people
Login.LDAP3FilterDN=OU=people,DC=DOMAIN,DC=xyz
Login.LDAP3UserDN=cn=query,ou=people,dc=DOMAIN,dc=xyz
Login.LDAPGroupPrefix=amp_
Login.LDAPUserDomain=DOMAIN.xyz
Login.LDAP3UsesSSL=False
Login.LDAPADPre2000=True
Login.LDAPStripDomainFromFilter=True
Login.LDAPQueryUsername=query
Login.LDAPQueryPassword=PASSWORD
```
kerem 2026-02-27 08:16:35 +03:00
Author
Owner

@nitnelave commented on GitHub (Mar 18, 2024):

Hey! It would help to have the LLDAP verbose logs, so we can see the query that was made, how it was interpreted, and why it returned an error (I try to have good error messages, but clients don't always surface them).

Off the top of my head, things that I see that might be causing problems:

  • `Login.LDAP3Host=IPADDRESS:3890/OU=people`: Why `/OU=people`? You already limit it below. I'm not sure how well that parameter is supported, I haven't seen it used much.
  • `Login.LDAPUserDomain=DOMAIN.xyz`: Do you know if that's supposed to be a domain or a `DC=DOMAIN,DC=xyz`?
  • `Login.LDAPADPre2000=True` and `Login.LDAPStripDomainFromFilter=True`: No idea what these do.
  • `directorySearcher.Filter = $"(&(objectClass=person)(objectCategory=user)(sAMAccountname={username}))";`: the `sAMAccountname` attribute is not built-in. You can add it as a custom attribute and set it (manually) for every user, but that's not ideal. Ideally, AMP would allow you to set another attribute as the used id, like `uid`.
Author
Owner

@Toylerrr commented on GitHub (Mar 18, 2024):

Thanks for the quick response.
How would I go about setting LLDAP to have verbose logs?

To answer your questions:
`Login.LDAP3Host=IPADDRESS:3890/OU=people`: this was set during my testing, just trying to get things working after reading this: https://discourse.cubecoders.com/t/amp-ldap-integration-non-functional-linux/4204/2

`Login.LDAPUserDomain=DOMAIN.xyz`: from their documentation (https://discourse.cubecoders.com/t/using-ldap-sso-authentication-with-amp/2309) it seems like it wants a URL; it seems to be used for the old LDAP implementation that was left over after a rewrite:

`Login.LDAPUserDomain=example.org //The server to authenticate against. Requires that the hostname of the server and the query DN match, and that the DNS server has appropriate records to identify the server.`

`Login.LDAPADPre2000=True` and `Login.LDAPStripDomainFromFilter=True`: this is more testing stuff on my end.

`Login.LDAPADPre2000=False //When enabled, uses \ instead of @ to separate the user and domain and uses the opposing order. E.g. "User@Example.org" becomes "Example.org\User"`
and
`Login.LDAPStripDomainFromFilter=False //If enabled, then logging in with simply "User@Domain" will be changed to be just "User"`

Seems like I can't change the attribute it searches, so I might have to set sAMAccountname manually to make it work.

Author
Owner

@nitnelave commented on GitHub (Mar 18, 2024):

For setting verbose mode, you can change the `verbose` setting in the LLDAP config, or set the `LLDAP_VERBOSE=true` env variable.

Regarding `Login.LDAP3Host=IPADDRESS:3890/OU=people`, I honestly don't know how it gets translated into an LDAP query... but thankfully, that's where the verbose logs come in!

Author
Owner

@Toylerrr commented on GitHub (Mar 18, 2024):

Getting tired of sanitizing my logs and config so imma stop lol

Log:

```
2024-03-18T21:06:39.353604746+00:00  INFO     LDAP session [ 47.6ms | 0.26% / 100.00% ]
2024-03-18T21:06:39.364894581+00:00  INFO     ┝━ LDAP request [ 46.8ms | 0.19% / 98.32% ]
2024-03-18T21:06:39.364905903+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "CN=query,OU=people,DC=adler,DC=xyz", cred: LdapBindCred::Simple }), ctrl: [] }
2024-03-18T21:06:39.364908769+00:00  DEBUG    │  ┝━ do_bind [ 46.7ms | 0.05% / 98.14% ] dn: CN=query,OU=people,DC=adler,DC=xyz
2024-03-18T21:06:39.364915963+00:00  DEBUG    │  │  ┝━ bind [ 46.4ms | 0.03% / 97.62% ]
2024-03-18T21:06:39.364919861+00:00  DEBUG    │  │  │  ┝━ get_password_file_for_user [ 120µs | 0.25% ] user_id: UserId(CaseInsensitiveString("query"))
2024-03-18T21:06:39.365122721+00:00  DEBUG    │  │  │  ┕━ passwords_match [ 46.3ms | 97.34% ] username: query
2024-03-18T21:06:39.411445874+00:00  DEBUG    │  │  ┝━ get_user_groups [ 218µs | 0.46% ] user_id: "query"
2024-03-18T21:06:39.411837186+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(2), display_name: GroupName("lldap_password_manager"), creation_date: 2022-11-03T17:47:26.262301070, uuid: Uuid("de1dc106-4eaa-3198-9dac-d703a78a61d5"), attributes: [] }}
2024-03-18T21:06:39.411842417+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2024-03-18T21:06:39.411849420+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2024-03-18T21:06:39.420010853+00:00  INFO     ┝━ LDAP request [ 672µs | 0.16% / 1.41% ]
2024-03-18T21:06:39.420026844+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "OU=people,DC=adler,DC=xyz", scope: Subtree, aliases: Never, sizelimit: 1000, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "user"), Equality("sAMAccountName", "tyler")]), attrs: ["sAMAccountName", "memberOf", "distinguishedName", "dn", "cn"] }), ctrl: [] }
2024-03-18T21:06:39.420028918+00:00  DEBUG    │  ┝━ do_search [ 597µs | 0.48% / 1.26% ]
2024-03-18T21:06:39.420409840+00:00  DEBUG    │  │  ┝━ 🐛 [debug]:  | request.base: "OU=people,DC=adler,DC=xyz" | scope: Users
2024-03-18T21:06:39.420411974+00:00  DEBUG    │  │  ┕━ get_user_list [ 367µs | 0.03% / 0.77% ]
2024-03-18T21:06:39.420418427+00:00  DEBUG    │  │     ┝━ 🐛 [debug]:  | filters: And([Not(And([])), Not(And([]))])
2024-03-18T21:06:39.420422856+00:00  DEBUG    │  │     ┕━ list_users [ 352µs | 0.74% ] filters: Some(And([Not(And([])), Not(And([]))])) | _get_groups: true
2024-03-18T21:06:39.421200059+00:00  DEBUG    │  │        ┕━ 🐛 [debug]:  | return: []
2024-03-18T21:06:39.421215049+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
2024-03-18T21:06:39.424227181+00:00  INFO     ┕━ LDAP request [ 3.97µs | 0.01% ]
2024-03-18T21:06:39.424230959+00:00  DEBUG       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [] }
2024-03-18T21:06:46.358207435+00:00  DEBUG    HTTP request [ 7.36µs | 100.00% ] method: "GET" | uri: "/health"
2024-03-18T21:06:46.358215621+00:00  DEBUG    ┕━ 🐛 [debug]:  | status_code: 200
2024-03-18T21:06:46.358027450+00:00  INFO     LDAP session [ 130µs | 30.98% / 100.00% ]
2024-03-18T21:06:46.358076597+00:00  INFO     ┕━ LDAP request [ 89.7µs | 69.02% ]
2024-03-18T21:06:46.358087348+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 0, op: SearchRequest(LdapSearchRequest { base: "", scope: Base, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Present("objectClass"), attrs: ["supportedExtension"] }), ctrl: [] }
2024-03-18T21:06:46.358089923+00:00  DEBUG       ┝━ 🐛 [debug]: rootDSE request
2024-03-18T21:06:46.358108790+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "", attributes: [LdapPartialAttribute { atype: "objectClass", vals: ["top"] }, LdapPartialAttribute { atype: "vendorName", vals: ["LLDAP"] }, LdapPartialAttribute { atype: "vendorVersion", vals: ["lldap_0.5.1-alpha"] }, LdapPartialAttribute { atype: "supportedLDAPVersion", vals: ["3"] }, LdapPartialAttribute { atype: "supportedExtension", vals: ["1.3.6.1.4.1.4203.1.11.1"] }, LdapPartialAttribute { atype: "supportedControl", vals: [] }, LdapPartialAttribute { atype: "supportedFeatures", vals: ["1.3.6.1.4.1.4203.1.5.1"] }, LdapPartialAttribute { atype: "defaultNamingContext", vals: ["dc=adler,dc=xyz"] }, LdapPartialAttribute { atype: "namingContexts", vals: ["dc=adler,dc=xyz"] }, LdapPartialAttribute { atype: "isGlobalCatalogReady", vals: ["false"] }] })
2024-03-18T21:06:46.358151063+00:00  DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
```

Config:

```
################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=http://192.168.0.200:8080/
Login.MetricsServerPort=0
Login.UseLDAPLogins=True
Login.UseLDAP3=True
Login.AllowLocalUsersWithLDAP=True
Login.LDAPAuthDomain=DC=adler,DC=xyz
Login.LDAP3Host=192.168.0.200:3890
Login.LDAP3FilterDN=OU=people,DC=adler,DC=xyz
Login.LDAP3UserDN=CN=query,OU=people,DC=adler,DC=xyz
Login.LDAPGroupPrefix=amp_
Login.LDAPUserDomain=adler.xyz
Login.LDAP3UsesSSL=False
Login.LDAPADPre2000=True
Login.LDAPStripDomainFromFilter=True
Login.LDAPQueryUsername=query
Login.LDAPQueryPassword=
```

AMP error:

```
LDAP query filter: (&(objectClass=user)(sAMAccountName=tyler))
LDAP Login failure for tyler: Invalid username
Login failed for tyler - Failure : LDAP failure - check logs - 
```

I removed the /OU=people from the URL, so that changed the error message.

Author
Owner

@nitnelave commented on GitHub (Mar 18, 2024):

Well, I'm not sure how you got that, but the query filter contains an `objectClass=user` instead of `person`, so that won't match anything.

And then, trying to match on the `sAMAccountName` also fails (because the attribute doesn't exist).

Thankfully, with the recent versions you can fix both problems: you can add a custom object class to users (the "user" class) and you can create the custom attribute for `sAMAccountName`. Just make sure you're using a version from at least March, so latest or one of the daily docker images.

As for actually setting the attributes, check out lldap-cli by Zepmann: https://github.com/Zepmann/lldap-cli
The web UI is not complete yet.

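To see why the search in the LLDAP log returns `[]` (both equalities collapse to `Not(And([]))`, i.e. false) and why the maintainer's fix works, here is an added Python example, not code from LLDAP, AMP or anyone in this thread: it parses the filter AMP sends and evaluates it against a simulated LLDAP user entry before and after adding the custom `user` object class and the `sAMAccountName` attribute. The default object classes, DNs and attribute values in it are assumptions/constructed sample data, not taken from a real server.

```python
"""Evaluate the AMP search filter against LLDAP-style user entries,
before and after the custom object class / attribute fix."""

# Filter AMP sends, as shown in the LLDAP debug log in this thread.
AMP_FILTER = "(&(objectClass=user)(sAMAccountName=tyler))"

# A plain LLDAP user as the server would expose it. The object classes are an
# assumption about LLDAP's defaults; the values are constructed sample data.
# Keys are lower-cased because LDAP attribute names are case-insensitive.
DEFAULT_USER = {
    "objectclass": ["inetOrgPerson", "posixAccount", "mailAccount", "person"],
    "uid": ["tyler"],
    "cn": ["tyler"],
    "mail": ["tyler@example.org"],
    "memberof": ["cn=amp_admin,ou=groups,dc=example,dc=org"],
}


def with_amp_fix(entry):
    """The same user after adding the custom 'user' object class and a
    custom sAMAccountName attribute (mirroring uid), as suggested above."""
    fixed = {k: list(v) for k, v in entry.items()}
    fixed["objectclass"] = fixed["objectclass"] + ["user"]
    fixed["samaccountname"] = fixed["uid"]
    return fixed


def parse_filter(text):
    """Recursive-descent parser for the RFC 4515 subset AMP uses:
    (&...), (|...), (!...), (attr=value) and the presence test (attr=*)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not (attr and sep):
        raise ValueError(f"bad assertion at offset {i}")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter. An attribute the entry does not carry can
    never match, which is why both equalities in the log were rewritten to
    Not(And([])), i.e. 'false', before the fix."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = entry.get(attr, [])
    if value == "*":
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)  # caseIgnoreMatch


def search(filter_text, entries):
    """Return the entries matching the filter, like a subtree search."""
    node = parse_filter(filter_text)
    return [e for e in entries if matches(node, e)]


if __name__ == "__main__":
    print("before fix:", search(AMP_FILTER, [DEFAULT_USER]))
    hits = search(AMP_FILTER, [with_amp_fix(DEFAULT_USER)])
    print("after fix: ", [e["uid"] for e in hits])
```

Note that AMP's source filter also tests `objectCategory=user`, which the fixed entry still lacks, so that variant would need a third custom attribute; the filter in the log does not include it.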
Author
Owner

@nitnelave commented on GitHub (Aug 16, 2024):

Are you still blocked here?
