[GH-ISSUE #110] Keycloak unable to bind to directory #46

Closed
opened 2026-02-27 08:14:56 +03:00 by kerem · 12 comments

Originally created by @nbently on GitHub (Dec 21, 2021).
Original GitHub issue: https://github.com/lldap/lldap/issues/110

Probably doing something wrong, however when I attempt to set up Keycloak to pull users in, I wind up with the following error message when attempting to test authentication with the admin user. I can successfully get Keycloak to connect, however.

```
ERROR [org.keycloak.services] (default task-28) KC-SERVICES0055: Error when authenticating to LDAP: [LDAP: error code 64 - Not a subtree of the base tree]: javax.naming.InvalidNameException: [LDAP: error code 64 - Not a subtree of the base tree]
```
kerem closed this issue 2026-02-27 08:14:56 +03:00

@nitnelave commented on GitHub (Dec 21, 2021):

Did you have a look at the recommended configuration in https://github.com/nitnelave/lldap/blob/main/example_configs/keycloak.md ?
If that's not working, can you post your config (screenshot for instance)?


@nbently commented on GitHub (Dec 22, 2021):

I did indeed, but perhaps I missed something. Here's a screenshot of the config in Keycloak (actual domain omitted). I used an env variable to modify the port as well so it's the default.

![image](https://user-images.githubusercontent.com/1258614/147021921-24e9a2a8-c122-4755-98c5-37948d4ceaf4.png)
![image](https://user-images.githubusercontent.com/1258614/147021953-29600e42-d80c-4025-8172-f2e71aa878f4.png)


@nitnelave commented on GitHub (Dec 22, 2021):

Hmm... Could you start LLDAP with --verbose and paste the logs? Or at least the ldap query that fails and the error message. Feel free to send it to me privately on discord if you don't want to display it publicly.


@nbently commented on GitHub (Dec 22, 2021):

Sure! What might be the best way to start LLDAP w/the verbose flag when using the container?


@nitnelave commented on GitHub (Dec 22, 2021):

I'm not at my computer right now, but I think you can just add in the dockerfile `command: --verbose`.
For a direct docker command, I'm not sure, but something along these lines.


@nbently commented on GitHub (Dec 22, 2021):

```
error: Found argument '--verbose' which wasn't expected, or isn't valid in this context

	Did you mean '--version'?

	If you tried to supply `--verbose` as a value rather than a flag, use `-- --verbose`

USAGE:
    lldap --version

For more information try --help
```

Hmm it didn't seem to like that. I may be able to build a custom container with verbose logging enabled, I'll look into it.


@nitnelave commented on GitHub (Dec 23, 2021):

Ah, maybe it replaces the entire command line? In that case it would be:
`command: run --config_file /data/lldap_config.toml --verbose`

Or wait, there should be an option in the config to set verbosity, that's maybe the simplest.


@nbently commented on GitHub (Jan 2, 2022):

That worked! I have some more logs, but not sure how helpful they'll be. This is all of the log lines that are generated when I attempt to "Test authentication" in Keycloak.

```
2022-01-02T19:08:58.433187Z DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=domain,dc=tld", cred: Simple("********") }), ctrl: [] }
2022-01-02T19:08:58.433220Z DEBUG lldap::infra::ldap_handler: Received bind request for "cn=admin,ou=people,dc=domain,dc=tld"
2022-01-02T19:08:58.433228Z DEBUG lldap::infra::ldap_server: Replying with LDAP op: BindResponse(LdapBindResponse { res: LdapResult { code: NamingViolation, matcheddn: "", message: "Not a subtree of the base tree", referral: [] }, saslcreds: None })
```

Edit: test authentication not connection.


@nitnelave commented on GitHub (Jan 2, 2022):

Thanks for the logs.
Silly question, but did you replace the "dc=domain,dc=tld" with your actual domain and tld? The ones configured in LLDAP?


@nbently commented on GitHub (Jan 2, 2022):

I did, apologies for not mentioning that. I removed them from the log lines I posted.


@nitnelave commented on GitHub (Jan 2, 2022):

Can you check the "ldap_base_dn" in the lldap_config.toml ? Make sure it matches exactly the one in the bind request, e.g.:

`ldap_base_dn = "dc=example,dc=com"`
Admin dn: `cn=admin,ou=people,dc=example,dc=com`

Sorry to insist like that, but the code looks right, and I can't make sure you don't have a typo in there because the domain is replaced in your snippets.

Can you make any other service work with LLDAP?

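The check behind the `NamingViolation` (LDAP result code 64) seen in the logs, written out as an added Rust example that is not LLDAP's own code: the bind DN must end with the configured `ldap_base_dn` after normalization, so a base DN that is missing a `dc=` label (as happened here via the container environment variable) fails even though every other setting is right. Function names and the simplified DN parsing are assumptions for illustration.

```rust
// Added example (not LLDAP's code): a simplified version of the base-DN
// subtree rule that produces "Not a subtree of the base tree".
// Function names are hypothetical. Attribute types and values are compared
// case-insensitively after trimming whitespace, which matches dc/ou/cn.

/// Split "cn=admin, OU=People,dc=Example,dc=com" into normalized RDNs:
/// ["cn=admin", "ou=people", "dc=example", "dc=com"].
/// Constructed simplification: escaped commas and multi-valued RDNs are not handled.
fn normalize_dn(dn: &str) -> Vec<String> {
    dn.split(',')
        .map(|rdn| {
            let mut parts = rdn.splitn(2, '=');
            let attr = parts.next().unwrap_or("").trim().to_ascii_lowercase();
            let value = parts.next().unwrap_or("").trim().to_ascii_lowercase();
            format!("{attr}={value}")
        })
        .collect()
}

/// True when `dn` equals `base_dn` or lies somewhere below it in the tree,
/// i.e. the base DN's RDNs are a suffix of the DN's RDNs.
fn is_under_base(dn: &str, base_dn: &str) -> bool {
    let dn = normalize_dn(dn);
    let base = normalize_dn(base_dn);
    dn.len() >= base.len() && dn[dn.len() - base.len()..] == base[..]
}

/// Decision a bind handler makes before touching credentials: Ok(()) when the
/// bind DN is under the configured base, otherwise LDAP result code 64
/// (namingViolation) with the message quoted in this thread.
fn check_bind_dn(bind_dn: &str, ldap_base_dn: &str) -> Result<(), (u8, &'static str)> {
    if is_under_base(bind_dn, ldap_base_dn) {
        Ok(())
    } else {
        Err((64, "Not a subtree of the base tree"))
    }
}

fn main() {
    // Constructed sample: the server is configured with the full domain while
    // the client's DN drops the first label, as in the misconfiguration above.
    let base = "dc=example,dc=com";
    println!("{:?}", check_bind_dn("cn=admin,ou=people,dc=example,dc=com", base)); // Ok(())
    println!("{:?}", check_bind_dn("cn=admin,ou=people,dc=com", base)); // Err((64, ...))
}
```

Running the bind DN and the configured base through a check like this, or simply diffing the two strings label by label, finds the kind of typo this thread ended on faster than reading the scrubbed logs.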

@nbently commented on GitHub (Jan 5, 2022):

🤦‍♂️ I rechecked the config again & as you suspected, I messed up the first part of my domain name (forgot part of it) in one of the container environment variables. It was right everywhere else; can't believe I missed it! So sorry to have wasted your time.

I can't thank you enough for creating this project & will certainly help add to the example configs as I play around with connecting it to other services, if you'll allow!
