[GH-ISSUE #120] nginx-auth-ldap client #51

Closed
opened 2026-02-27 08:14:57 +03:00 by kerem · 18 comments

Originally created by @Cyrix126 on GitHub (Feb 20, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/120

Trying to get https://github.com/kvspb/nginx-auth-ldap to work.

Here's my block in nginx.conf, I think I'm getting close.
Domain name replaced. I should add that the domain name has a dash like this: nom-domaine

```
ldap_server ldaplocal {
        url ldap://localhost:389/dc=domain,dc=com?(&(uid=${admin})&(objectClass=people));
        binddn "cn=admin,ou=people,dc=domain,dc=com";
        binddn_passwd "nottruepassword";
        group_attribute lldap_admin;
        group_attribute_is_dn on;
        require valid_user;
        referral off;
      }
```

Error in log/nginx/error.log:

```
2022/02/20 19:29:46 [notice] 4051002#4051002: http_auth_ldap: parse_require in /etc/nginx/nginx.conf:63
2022/02/20 19:29:47 [notice] 4051003#4051003: http_auth_ldap: parse_require in /etc/nginx/nginx.conf:63
2022/02/20 19:29:47 [error] 4051006#4051006: http_auth_ldap: Could not connect
2022/02/20 19:29:47 [error] 4051012#4051012: http_auth_ldap: Could not connect
2022/02/20 19:29:57 [error] 4051006#4051006: http_auth_ldap: Could not connect
2022/02/20 19:30:07 [error] 4051006#4051006: http_auth_ldap: Could not connect
```

Log in lldap (for some reason the date/time is -1h, not getting the local timezone?):

```
2022-02-20T18:29:47.217439Z DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=domain,dc=com", cred: Simple("********") }), ctrl: [] }
2022-02-20T18:29:47.217556Z DEBUG lldap::infra::ldap_handler: Received bind request for "cn=admin,ou=people,dc=domain,dc=com"
2022-02-20T18:29:47.217696Z DEBUG lldap::infra::ldap_server: Replying with LDAP op: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
```
kerem closed this issue 2026-02-27 08:14:57 +03:00

@nitnelave commented on GitHub (Feb 20, 2022):

Hmm, that's weird. It seems that LLDAP is replying as expected, but nginx (or the plugin) doesn't get or cannot read the response? I'd capture the traffic to/from nginx on that port with tcpdump and talk to the plugin owner. You can link to this issue for conversation as well, or if there's actually something wrong with the LLDAP answer.


@Cyrix126 commented on GitHub (Feb 26, 2022):

Actually the connection is fine, I just had to restart nginx to get those error logs to disappear; reload wasn't sufficient.

Now with debug in the nginx log I understand that the line posing the issue is the filter.
The filter `(&(uid=${admin})&(objectClass=people))` generates those lines in the nginx log:

```
http_auth_ldap: Search filter is "(&(objectClass=*)((&(uid=${admin})&(objectClass=people))=test))"
http_auth_ldap: ldap_search_ext() failed (-7, Bad search filter), client: 192.168.1.1, server: domain.com, request: " GET / HTTP/1.0", host: "domain.com"
```

If I use `?uid?sub?(objectClass=posixAccount)` and post a request with user test, lldap responds:

```
2022-02-26T08:35:37.553782Z DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=domain,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "posixAccount"), Equality("uid", "test")]), attrs: ["1.1"] }), ctrl: [] }
2022-02-26T08:35:37.553896Z DEBUG lldap::infra::ldap_handler: Received search request: LdapSearchRequest { base: "ou=people,dc=domain,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "posixAccount"), Equality("uid", "test")]), attrs: ["1.1"] }
2022-02-26T08:35:37.555156Z  INFO sqlx::query: SELECT `users`.`user_id`, `email`, `users`.`display_name`, …; rows: 1, elapsed: 447.427µs

SELECT
  `users`.`user_id`,
  `email`,
  `users`.`display_name`,
  `first_name`,
  `last_name`,
  `avatar`,
  `creation_date`
FROM
  `users`
WHERE
  TRUE
  AND (`users`.`user_id` = 'test')
ORDER BY
  `users`.`user_id` ASC

2022-02-26T08:35:37.555298Z DEBUG lldap::infra::ldap_server: Replying with LDAP op: SearchResultDone(LdapResult { code: NoSuchAttribute, matcheddn: "", message: "Unsupported user attribute: 1.1", referral: [] })
```

I'm not sure how to solve this issue, what's wrong with my filter?


@nitnelave commented on GitHub (Feb 26, 2022):

I think you might have an extra "&" in your filter. The syntax for a and b and c is: `(&(a)(b)(c))`.

If that doesn't work, post the LLDAP logs with verbose enabled.


@nitnelave commented on GitHub (Feb 26, 2022):

Also, for the second query, it seems that you're somehow querying the "1.1" attribute for users, do you know why?


@Cyrix126 commented on GitHub (Feb 26, 2022):

Tried with `(&(uid=${admin})(objectClass=people))` but same error from ldap (-7, Bad search filter).
The log:
https://share.libre-depanne.fr/selif/nginxlogdebugldap.txt

> Also, for the second query, it seems that you're somehow querying the "1.1" attribute for users, do you know why?

I have no clue. The only suspect would be the "HTTP/1.1 401 Unauthorized" with 1.1?


@nitnelave commented on GitHub (Feb 26, 2022):

That's the nginx logs, can I get the LLDAP ones?

As for the 1.1, it's a special LDAP attribute meaning "don't return attributes". It's not supported yet, but it's easy to do.
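The "1.1" rule described in the comment above, written out as an added Python example (not lldap's code, which is Rust): the RFC 4511 semantics of the attribute list in a SearchRequest, where a list containing only `1.1` means "return no attributes" and `1.1` next to other names is simply ignored. `SAMPLE_ENTRY` and `OPERATIONAL` are constructed for the example; the lldap in this thread answered `NoSuchAttribute` for `1.1` instead (see the search log earlier in the thread), which is the behaviour this function replaces.

```python
# Added example, not lldap's code: the RFC 4511 rules for the attribute list
# of a SearchRequest, including the "1.1" OID discussed in this thread.

# Constructed sample directory entry: attribute name -> list of values.
SAMPLE_ENTRY = {
    "uid": ["test"],
    "mail": ["test@domain.com"],
    "createTimestamp": ["20220226083537Z"],
}
# Constructed list of which attributes count as operational (RFC 3673's "+").
OPERATIONAL = ("createTimestamp",)


def select_attributes(entry, requested, operational=OPERATIONAL):
    """Return the attributes of `entry` that a SearchResultEntry should carry.

    requested == []          -> all user attributes        (RFC 4511)
    "*" in requested         -> all user attributes        (RFC 4511)
    "+" in requested         -> all operational attributes (RFC 3673)
    requested == ["1.1"]     -> no attributes at all       (RFC 4511)
    "1.1" alongside others   -> the "1.1" entry is ignored (RFC 4511)
    Names are matched case-insensitively; names the entry does not have are
    skipped rather than turned into an error.
    """
    ops = {name.lower() for name in operational}
    asked = [r.strip().lower() for r in requested if r.strip()]
    if asked and set(asked) == {"1.1"}:
        return {}
    all_user = not asked or "*" in asked
    all_oper = "+" in asked
    named = set(asked) - {"*", "+", "1.1"}
    selected = {}
    for name, values in entry.items():
        key = name.lower()
        is_oper = key in ops
        if key in named or (all_user and not is_oper) or (all_oper and is_oper):
            selected[name] = list(values)
    return selected


if __name__ == "__main__":
    # The request shape from the nginx module's search in this thread.
    print(select_attributes(SAMPLE_ENTRY, ["1.1"]))   # {}
    print(select_attributes(SAMPLE_ENTRY, []))        # user attributes only
```

With `attrs: ["1.1"]`, as the nginx module sends, the server still evaluates the filter and reports whether an entry matched; it just sends the entry with no attributes, which is all an authentication check needs.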


@Cyrix126 commented on GitHub (Feb 26, 2022):

https://share.libre-depanne.fr/selif/lldaplogdebug.txt

For the first query with "-7, Bad search filter" as error, there is no activity from nginx to lldap when trying to log in.


@nitnelave commented on GitHub (Apr 17, 2022):

Sorry for the delay, I didn't do much on LLDAP the past month. With #138 it should work for the 1.1 attribute.

From the nginx logs, I see that your search query is `(&(objectClass=*)((&(uid=${admin})(objectClass=people))=test))`.
I think you want something simpler, like: `(&(objectClass=*)(uid=${admin})(objectClass=person))` (I'm not sure what the `=test` is).

Can you paste your nginx config (the relevant parts) so I can help you configure it?


@nitnelave commented on GitHub (Apr 29, 2022):

Hey @Cyrix126 did you manage to make nginx work? Can you share your config?


@Cyrix126 commented on GitHub (Apr 29, 2022):

> Hey @Cyrix126 did you manage to make nginx work? Can you share your config?

I tried with recent changes. I've gotten past the 1.1 error but now I'm getting:

With filter (example from https://github.com/kvspb/nginx-auth-ldap):
`url ldap://localhost:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=person);`

```
DEBUG lldap::infra::ldap_server: Replying with LDAP op: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported group filter: Unknown field: objectClass", referral: [] })
```

And with the filter:
`url ldap://localhost:389/dc=domain,dc=com?(&(objectClass=*)(uid=${admin})(objectClass=person))`

I do not get any interaction with lldap when trying to log in.

> Can you paste your nginx config (the relevant parts) so I can help you configure it?

The nginx block for ldap:

```
ldap_server ldaplocal {
        url ldap://localhost:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=person);
        binddn "cn=admin,ou=people,dc=domain,dc=com";
        binddn_passwd "secret";
        require valid_user;
        referral off;
      }
```

and for the website:

```
auth_ldap "Forbidden";
        auth_ldap_servers ldaplocal;
```

@nitnelave commented on GitHub (Apr 29, 2022):

Hmm, can you try with `ou=people,dc=domain,dc=com` maybe?

EDIT: the first error is definitely my fault, I'll have a look.


@nitnelave commented on GitHub (Apr 29, 2022):

Are you sure you tried with the latest changes? The image in question is `latest` and it should be less than 10 days old (the most recent one is from 6h ago).


@Cyrix126 commented on GitHub (Apr 29, 2022):

> Are you sure you tried with the latest changes? The image in question is `latest` and it should be less than 10 days old (the most recent one is from 6h ago).

I was on commit 2197fe77a5

I'll recompile with latest and see if any change.


@nitnelave commented on GitHub (Apr 29, 2022):

> I was on commit 2197fe7

One commit too old :)


@Cyrix126 commented on GitHub (Apr 29, 2022):

The error "Unknown field: sAMAccountName" seems to persist after compiling to commit 4f89b73fe5


@nitnelave commented on GitHub (Apr 29, 2022):

Ah yeah, but that you can just remove from the config. I'm not sure what the syntax of that URL is, but you want to request the uid of the user.


@nitnelave commented on GitHub (Apr 29, 2022):

Aha, according to https://docs.oracle.com/cd/E19396-01/817-7616/ldurl.html:

> LDAP URLs have the following syntax:
> `ldap[s]://hostname:port/base_dn?attributes?scope?filter`

So you want:
`url ldap://localhost:389/dc=domain,dc=com?uid?sub?(objectClass=person);`

or
`url ldap://localhost:389/ou=people,dc=domain,dc=com?uid?sub?(objectClass=person);`
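Two points from this thread in one added Python example (not code from lldap or nginx-auth-ldap): the `base_dn?attributes?scope?filter` URL layout quoted just above from the Oracle docs, and the `(&(a)(b)(c))` filter rule from nitnelave's earlier comment. `parse_ldap_url` and `validate_filter` are this example's own RFC 4516 / RFC 4515 readers. `build_user_filter` is an assumption: its shape is fitted to the two search filters that appear in the nginx and lldap debug logs earlier in the thread, not taken from the module's source. `escape_filter_value` is the RFC 4515 escaping a careful client applies to the user name before splicing it into a filter; the page does not show whether the module does this.

```python
# Added example, not code from lldap or nginx-auth-ldap.
import re
from urllib.parse import unquote

# RFC 4512 attribute description (name or OID, optional ;options) and an
# RFC 4515 assertion value: '(' ')' '\' NUL must be written as \xx escapes.
_ATTR_DESC = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")
_VALUE = re.compile(r"^(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*$")


def parse_ldap_url(url):
    """Split an RFC 4516 URL into its '?'-separated fields (no IPv6 literals).

    Missing fields come back as empty strings on purpose: a filter written
    directly after the base DN lands in the *attributes* slot and leaves
    scope and filter empty, which is what the first URL in this issue does."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, colon, port = hostport.rpartition(":")
    if not colon:
        host, port = hostport, ""
    fields = tail.split("?") + [""] * 4
    base_dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,   # RFC 4516 default when empty: "base"
        "filter": filt,   # RFC 4516 default when empty: "(objectClass=*)"
    }


def escape_filter_value(value):
    """RFC 4515 escaping so '*', '(', ')' and '\\' in a user name stay data."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(parsed, username):
    """ASSUMED shape, fitted to this thread's logs (not the module's code):
    (&<url filter or (objectClass=*)>(<first url attribute>=<user>))."""
    if not parsed["attributes"]:
        raise ValueError("URL names no attribute to match the user against")
    base = parsed["filter"] or "(objectClass=*)"
    return "(&%s(%s=%s))" % (base, parsed["attributes"][0],
                             escape_filter_value(username))


def validate_filter(text):
    """True iff text is a well-formed RFC 4515 filter (extensible match left
    out).  Every operand of & | ! needs its own parentheses: (&(a)(b)(c))."""
    end, ok = _parse_filter(text, 0)
    return ok and end == len(text)


def _parse_filter(s, i):
    """Parse one parenthesised filter at s[i]; return (index after it, ok)."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i >= len(s):
        return i, False
    if s[i] in "&|":                       # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i, ok = _parse_filter(s, i)
            if not ok:
                return i, False
            count += 1
        if count == 0:
            return i, False
    elif s[i] == "!":                      # not: exactly one sub-filter
        i, ok = _parse_filter(s, i + 1)
        if not ok:
            return i, False
    else:                                  # simple item: attr (=|~=|>=|<=) value
        close = s.find(")", i)
        if close < 0 or not _valid_item(s[i:close]):
            return i, False
        i = close
    if i < len(s) and s[i] == ")":
        return i + 1, True
    return i, False


def _valid_item(item):
    for op in ("~=", ">=", "<=", "="):
        attr, sep, value = item.partition(op)
        if sep:
            break
    else:
        return False
    return bool(_ATTR_DESC.match(attr)) and bool(_VALUE.match(value))


if __name__ == "__main__":
    for u in ("ldap://localhost:389/dc=domain,dc=com?(&(uid=${admin})&(objectClass=people))",
              "ldap://localhost:389/ou=people,dc=domain,dc=com?uid?sub?(objectClass=person)"):
        p = parse_ldap_url(u)
        f = build_user_filter(p, "test")
        print(p["attributes"], p["scope"], p["filter"], f, validate_filter(f))
```

Run against the issue's first URL, the whole `(&(uid=${admin})&(objectClass=people))` string comes back as the single "attribute", scope and filter are empty, and the rebuilt filter is character for character the one nginx logged before `ldap_search_ext()` failed with `Bad search filter`; nothing reached lldap because the failure was local to the client. The final URL parses into base DN, `uid`, `sub` and `(objectClass=person)`, and the rebuilt filter matches what lldap's log shows it receiving.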


@Cyrix126 commented on GitHub (Apr 29, 2022):

> or `url ldap://localhost:389/ou=people,dc=domain,dc=com?uid?sub?(objectClass=person);`

That's the one.
It works now, I will prepare the example config soon enough.
