[GH-ISSUE #139] Unable to authenticate against lldap from IPMI Controller #58

New issue

Closed

opened 2026-02-27 08:15:00 +03:00 by kerem · 4 comments

kerem commented

2026-02-27 08:15:00 +03:00

Owner

Originally created by @Leppunen on GitHub (Apr 19, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/139

I'm trying to make my home server's IPMI controller to authenticate against lldap, where the ldap group 'admin' is mapped to the IPMI administrator group, and noticed that lldap cannot handle the search filter used by the IPMI. lldap debug log is below.


DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=xx,ou=people,dc=xx,dc=xx", cred: Simple("********") }), ctrl: [] }

DEBUG lldap::infra::ldap_handler: Received bind request for "cn=xx,ou=people,dc=xx,dc=xx"

DEBUG lldap::infra::ldap_server: Replying with LDAP op: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })

DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] }

DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=xx,dc=xx", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "groupOfNames"), Equality("cn", "admin")]), attrs: ["member"] }), ctrl: [] }

DEBUG lldap::infra::ldap_handler: Received search request: LdapSearchRequest { base: "ou=groups,dc=xx,dc=xx", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "groupOfNames"), Equality("cn", "admin")]), attrs: ["member"] }

DEBUG lldap::infra::ldap_server: Replying with LDAP op: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported group filter: Unknown field: objectClass", referral: [] })

Originally created by @Leppunen on GitHub (Apr 19, 2022). Original GitHub issue: https://github.com/lldap/lldap/issues/139 I'm trying to make my home server's IPMI controller to authenticate against lldap, where the ldap group 'admin' is mapped to the IPMI administrator group, and noticed that lldap cannot handle the search filter used by the IPMI. lldap debug log is below. ``` DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=xx,ou=people,dc=xx,dc=xx", cred: Simple("********") }), ctrl: [] } DEBUG lldap::infra::ldap_handler: Received bind request for "cn=xx,ou=people,dc=xx,dc=xx" DEBUG lldap::infra::ldap_server: Replying with LDAP op: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] } DEBUG lldap::infra::ldap_server: Received LDAP message: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=xx,dc=xx", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "groupOfNames"), Equality("cn", "admin")]), attrs: ["member"] }), ctrl: [] } DEBUG lldap::infra::ldap_handler: Received search request: LdapSearchRequest { base: "ou=groups,dc=xx,dc=xx", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "groupOfNames"), Equality("cn", "admin")]), attrs: ["member"] } DEBUG lldap::infra::ldap_server: Replying with LDAP op: SearchResultDone(LdapResult { code: UnwillingToPerform, matcheddn: "", message: "Unsupported group filter: Unknown field: objectClass", referral: [] }) ```

kerem closed this issue

2026-02-27 08:15:00 +03:00

kerem commented

2026-02-27 08:15:01 +03:00

Author

Owner

@nitnelave commented on GitHub (Apr 19, 2022):

It seems that it's trying to get "groupOfNames", but the LLDAP groups are "groupOfUniqueNames". Is that something that you can configure? Otherwise I can adapt the filters to match. I'll definitely improve the error message, it should be a valid filter that returns nothing (since the condition is valid but does not match anything).

@nitnelave commented on GitHub (Apr 19, 2022): It seems that it's trying to get "groupOfNames", but the LLDAP groups are "groupOfUniqueNames". Is that something that you can configure? Otherwise I can adapt the filters to match. I'll definitely improve the error message, it should be a valid filter that returns nothing (since the condition is valid but does not match anything).

kerem commented

2026-02-27 08:15:01 +03:00

Author

Owner

@Leppunen commented on GitHub (Apr 19, 2022):

I have no configurability for that behaviour. i can only specify most basic things like locations of groups/users etc.

@Leppunen commented on GitHub (Apr 19, 2022): I have no configurability for that behaviour. i can only specify most basic things like locations of groups/users etc.

kerem commented

2026-02-27 08:15:01 +03:00

Author

Owner

@nitnelave commented on GitHub (Apr 19, 2022):

Well, technically it's an issue with IPMI, but I'm willing to be a bit more flexible and allow the groups to also be listed as groupOfNames.

@nitnelave commented on GitHub (Apr 19, 2022): Well, technically it's an issue with IPMI, but I'm willing to be a bit more flexible and allow the groups to also be listed as groupOfNames.

kerem commented

2026-02-27 08:15:02 +03:00

Author

Owner

@Leppunen commented on GitHub (Apr 19, 2022):

I tested this change and it looks like i can successfully authenticate against lldap now. Many thanks! 👍

@Leppunen commented on GitHub (Apr 19, 2022): I tested this change and it looks like i can successfully authenticate against lldap now. Many thanks! 👍

kerem referenced this issue

2026-02-27 08:17:50 +03:00

[PR #58] [MERGED] readme: Add badges, client configuration guide #516