[GH-ISSUE #975] [BUG] Authelia integration fails with error="user not found" #354

Closed
opened 2026-02-27 08:16:49 +03:00 by kerem · 0 comments
Owner

Originally created by @kelvtech-co-uk on GitHub (Sep 11, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/975

Sorry...me again!

I'd really appreciate you casting your eyes over this to help spot my mistake...yes, I'm starting from the position of I know it's me this time.

Authelia is connecting successfully to lldap and I can actually complete a 1FA challenge if I use the bind account credentials I created for Authelia <--> lldap. However I cannot get any other accounts to work and Authelia just complains "user not found".

I have been following your example config [here](https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml).

My authelia config...

```yaml
  ldap:
    address: ldap://lldap.mydomain.local:3890
    implementation: lldap
    timeout: 5s
    base_dn: dc=mydomain,dc=local
    additional_users_dn: ou=people
    users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
    group_search_mode: filter
    permit_referrals: false
    permit_unauthenticated_bind: false
    permit_feature_detection_failure: false
    user: uid=authelia_bind,ou=people,dc=mydomain,dc=local
    password:
    attributes:
      member_of: memberOf
      distinguished_name: distinguishedName
      username: uid
      display_name: displayName
      mail: mail
      group_name: cn
```

lldap debug log extract...

```
2024-09-11T17:15:47.534158331+00:00  INFO     LDAP session [ 33.1ms | 0.16% / 100.00% ]
2024-09-11T17:15:47.534176528+00:00  INFO     ┝━ LDAP request [ 32.6ms | 0.11% / 98.76% ]
2024-09-11T17:15:47.534184955+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=authelia_bind,ou=people,dc=mydomain,dc=local", cred: LdapBindCred::Simple }), ctrl: [] }
2024-09-11T17:15:47.534186861+00:00  DEBUG    │  ┝━ do_bind [ 32.6ms | 0.05% / 98.65% ] dn: uid=authelia_bind,ou=people,dc=mydomain,dc=local
2024-09-11T17:15:47.534191950+00:00  DEBUG    │  │  ┝━ bind [ 32.4ms | 0.03% / 97.92% ]
2024-09-11T17:15:47.534195119+00:00  DEBUG    │  │  │  ┝━ get_password_file_for_user [ 125µs | 0.38% ] user_id: UserId("authelia_bind")
2024-09-11T17:15:47.534722867+00:00  DEBUG    │  │  │  ┕━ passwords_match [ 32.2ms | 97.51% ] username: authelia_bind
2024-09-11T17:15:47.566964205+00:00  DEBUG    │  │  ┝━ get_user_groups [ 223µs | 0.67% ] user_id: "authelia_bind"
2024-09-11T17:15:47.568038686+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {}
2024-09-11T17:15:47.568041621+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: Success!
2024-09-11T17:15:47.568047717+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2024-09-11T17:15:47.568425282+00:00  INFO     ┕━ LDAP request [ 357µs | 0.08% / 1.08% ]
2024-09-11T17:15:47.568434204+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=mydomain,dc=local", scope: Subtree, aliases: Never, sizelimit: 1, timelimit: 0, typesonly: false, filter: And([Or([Equality("uid", "myuser"), Equality("mail", "myuser")]), Equality("objectClass", "person")]), attrs: ["uid", "mail", "displayName", "memberOf"] }), ctrl: [] }
2024-09-11T17:15:47.568435152+00:00  DEBUG       ┝━ do_search [ 331µs | 0.31% / 1.00% ]
2024-09-11T17:15:47.568436349+00:00  INFO        │  ┝━ i [info]: Unprivileged search, limiting results
2024-09-11T17:15:47.568441120+00:00  DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "ou=people,dc=mydomain,dc=local" | scope: Users
2024-09-11T17:15:47.568442384+00:00  DEBUG       │  ┕━ get_user_list [ 227µs | 0.04% / 0.69% ]
2024-09-11T17:15:47.568448181+00:00  DEBUG       │     ┝━ 🐛 [debug]:  | filters: And([Or([UserId(UserId("myuser")), Equality(Email, "myuser")]), And([])])
2024-09-11T17:15:47.568453323+00:00  DEBUG       │     ┕━ list_users [ 213µs | 0.65% ] filters: Some(And([And([Or([UserId(UserId("myuser")), Equality(Email, "myuser")]), And([])]), UserId(UserId("authelia_bind"))])) | _get_groups: true
2024-09-11T17:15:47.569168177+00:00  DEBUG       │        ┕━ 🐛 [debug]:  | return: []
2024-09-11T17:15:47.569570932+00:00  DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
```

Matching authelia debug log extract...

```
authelia  | time="2024-09-11T17:15:47Z" level=trace msg="Performing user search" attr="[uid mail displayName memberOf]" base_dn="ou=people,dc=mydomain,dc=local" caller="github.com/authelia/authelia/v4/internal/authentication/ldap_user_provider.go:318 (*LDAPUserProvider).getUserProfile" deref=0 filter="(&(|(uid=myuser)(mail=myuser))(objectClass=person))" scope=2
authelia  | time="2024-09-11T17:15:47Z" level=debug msg="Mark 1FA authentication attempt made by user 'myuser'" caller="github.com/authelia/authelia/v4/internal/handlers/response.go:249 markAuthenticationAttempt" method=POST path=/api/firstfactor remote_ip=192.168.1.1
authelia  | time="2024-09-11T17:15:47Z" level=error msg="Unsuccessful 1FA authentication attempt by user 'myuser'" caller="github.com/authelia/authelia/v4/internal/handlers/response.go:275 markAuthenticationAttempt" error="user not found" method=POST path=/api/firstfactor remote_ip=192.168.1.1 stack="github.com/authelia/authelia/v4/internal/handlers/response.go:275           markAuthenticationAttempt\ngithub.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go:52 handleRouter.FirstFactorPOST.func10\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54           handleRouter.(*BridgeBuilder).Build.func5.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:65          SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91          SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30          SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.2/router.go:441                             (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14      handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38           RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.55.0/server.go:2379                          (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:224                       (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.55.0/workerpool.go:196                       (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                                    goexit"
```

By contrast I've successfully integrated lldap with Jellyfin, again by following your examples.

FWIW, I've googled plenty and am sure my lack of familiarity with ldap in general is a big part of this. However I can see that authelia supports an alternative [search mode](https://www.authelia.com/reference/guides/ldap/#search-mode-memberof) which they discourage as experimental. I bring it up because the syntax looks very similar to that used in the Jellyfin integration, however I'm cautious to attempt this given my inexperience and the fact that if lldap has a written example of this working with non-experimental config then this would be my preference.

Any pointers here would be appreciated, thank you.
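The two traces above already contain the diagnosis, and it is worth reading them side by side rather than trusting Authelia's generic "user not found". The bind as `authelia_bind` succeeds, so credentials are not the problem. The search that follows is tagged `Unprivileged search, limiting results`, and the `list_users` filter lldap actually executes is the requested filter ANDed with `UserId(UserId("authelia_bind"))`: a bind account without read rights may only see its own entry, so every other user produces `return: []`, and Authelia turns that empty result into "user not found" (which is also why the 1FA challenge only works for the bind account itself). The small triage script below is an added example, not code from the issue, lldap or Authelia: it feeds the trace lines quoted above through a few regexes and separates "bind account restricted to itself" from "user genuinely absent". The `HEALTHY_LOG` sample is constructed by me to show the same search with a privileged bind user; its `return:` line is an approximation of lldap's output, not a real trace. The usual lldap remedy, giving the bind account read rights by putting it in the `lldap_strict_readonly` group, is an assumption on my part as applied to this report, since the thread contains no reply confirming it.

```python
import re
from typing import Any, Dict, Optional, Set

# Lines copied from the lldap trace in the issue: only the four that matter.
ISSUE_LOG = """\
2024-09-11T17:15:47.568434204+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=mydomain,dc=local", scope: Subtree, aliases: Never, sizelimit: 1, timelimit: 0, typesonly: false, filter: And([Or([Equality("uid", "myuser"), Equality("mail", "myuser")]), Equality("objectClass", "person")]), attrs: ["uid", "mail", "displayName", "memberOf"] }), ctrl: [] }
2024-09-11T17:15:47.568436349+00:00  INFO        │  ┝━ i [info]: Unprivileged search, limiting results
2024-09-11T17:15:47.568453323+00:00  DEBUG       │     ┕━ list_users [ 213µs | 0.65% ] filters: Some(And([And([Or([UserId(UserId("myuser")), Equality(Email, "myuser")]), And([])]), UserId(UserId("authelia_bind"))])) | _get_groups: true
2024-09-11T17:15:47.569168177+00:00  DEBUG       │        ┕━ 🐛 [debug]:  | return: []
"""

# Constructed counter-example (not real lldap output): the same search by a
# bind user that is allowed to read other entries. No "Unprivileged" line, no
# extra UserId(...) clause, one entry returned. The return line is approximate.
HEALTHY_LOG = """\
2024-09-11T17:20:00.000000000+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=mydomain,dc=local", scope: Subtree, aliases: Never, sizelimit: 1, timelimit: 0, typesonly: false, filter: And([Or([Equality("uid", "myuser"), Equality("mail", "myuser")]), Equality("objectClass", "person")]), attrs: ["uid", "mail", "displayName", "memberOf"] }), ctrl: [] }
2024-09-11T17:20:00.000000000+00:00  DEBUG       │     ┕━ list_users [ 200µs | 0.60% ] filters: Some(And([Or([UserId(UserId("myuser")), Equality(Email, "myuser")]), And([])])) | _get_groups: true
2024-09-11T17:20:00.000000000+00:00  DEBUG       │        ┕━ 🐛 [debug]:  | return: [User { user_id: UserId("myuser") }]
"""

# Identity the client asked for, taken from the SearchRequest filter.
SEARCH_TERM_RE = re.compile(r'Equality\("(?:uid|mail)", "([^"]+)"\)')
# The clause lldap appends to the outermost And when the bind user is
# unprivileged: it pins the result set to the bind user's own entry.
RESTRICTION_RE = re.compile(r'UserId\(UserId\("([^"]+)"\)\)\]\)\)\s*\|\s*_get_groups')
# Result list of list_users; empty brackets mean no entry was returned.
RETURN_RE = re.compile(r'return: \[(.*)\]\s*$')
UNPRIVILEGED_MARK = "Unprivileged search, limiting results"


def triage_lldap_search(log_text: str) -> Dict[str, Any]:
    """Classify one lldap search trace.

    Verdicts:
      bind-account-restricted  search was downgraded and pinned to the bind
                               user, who is not the user being looked up
      no-such-user             privileged search, still zero entries
      ok                       at least one entry came back
      incomplete-trace         no list_users return line found
    """
    requested: Set[str] = set()
    unprivileged = False
    restricted_to: Optional[str] = None
    entries: Optional[int] = None
    in_list_users = False

    for line in log_text.splitlines():
        if "SearchRequest" in line:
            requested.update(SEARCH_TERM_RE.findall(line))
        elif UNPRIVILEGED_MARK in line:
            unprivileged = True
        elif "list_users" in line:
            in_list_users = True
            m = RESTRICTION_RE.search(line)
            if m:
                restricted_to = m.group(1)
        elif in_list_users and (m := RETURN_RE.search(line)):
            # Count returned user records; "return: []" counts as zero.
            entries = m.group(1).count("User {")
            in_list_users = False

    if unprivileged and restricted_to and restricted_to not in requested and entries == 0:
        # Assumption about the fix: grant the bind account read rights in
        # lldap (e.g. membership in lldap_strict_readonly); not confirmed in
        # the thread itself.
        verdict = "bind-account-restricted"
    elif entries == 0:
        verdict = "no-such-user"
    elif entries is None:
        verdict = "incomplete-trace"
    else:
        verdict = "ok"

    return {
        "requested": requested,
        "unprivileged": unprivileged,
        "restricted_to": restricted_to,
        "entries_returned": entries,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("issue", ISSUE_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage_lldap_search(log))
```

Run against the issue's own lines, the result is `bind-account-restricted` with `restricted_to == "authelia_bind"` and `requested == {"myuser"}`; against the constructed healthy trace it is `ok`. The distinction matters for triage: a privileged search that still returns nothing points at the `users_filter` or the DN layout, whereas the restricted case is purely a permission problem on the bind account and no filter change will fix it.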

kerem 2026-02-27 08:16:49 +03:00 · closed this issue · added the bug label