Arksine / moonraker

Web API Server for Klipper
https://moonraker.readthedocs.io
GNU General Public License v3.0

"[No User]" error when signing in with LDAP #919

Open justinhschaaf opened 3 days ago

justinhschaaf commented 3 days ago

What happened

Hello! I've gone ahead and configured authentication with LDAP as described in the documentation for Moonraker and Fluidd. Now, whenever I try to sign in using my LDAP credentials, Fluidd shows an "Invalid credentials" error message, and Moonraker's logs show an error 401 with the message "[No User]". I've manually updated Fluidd, Moonraker, and Klipper to the latest versions as described in Fluidd's documentation to no avail.

The LDAP server I'm trying to authenticate through is Authentik's LDAP outpost, which I've verified is working properly through manual queries with the ldapsearch command and by configuring it with another application (OPNsense). I can also see Moonraker properly querying the server in its logs.

Client

Fluidd

Browser

Chrome, Firefox

How to reproduce

Assuming you already have working Moonraker, Fluidd, and Authentik instances:

  1. Set up an LDAP provider as described here.

    • I personally use Authentik with authentik-nix, which you can view my full configuration for here. The environment file for authentik-ldap has the AUTHENTIK_HOST, AUTHENTIK_TOKEN, and AUTHENTIK_INSECURE variables provided when viewing the outpost in Authentik.
  2. Update moonraker.conf, adding a [ldap] section pointing to the Authentik outpost and updating [authorization] to force logins and default to LDAP.

    • The user filter is optional. This should make it so users must have the iam-fluidd group to authenticate. The issue still occurs without this being declared.
    ```ini
    [ldap]
    ldap_host: [LDAP IP ADDRESS]
    ldap_port: 389
    ldap_secure: False
    base_dn: dc=ldap,dc=goauthentik,dc=io
    bind_dn: [SERVICE ACCOUNT USERNAME]
    bind_password: [SERVICE ACCOUNT PASSWORD]
    user_filter: (&(objectClass=user)(cn=USERNAME)(memberOf=cn=iam-fluidd,ou=groups,dc=ldap,dc=goauthentik,dc=io))

    [authorization]
    force_logins: True
    default_source: ldap
    cors_domains: ...
    ```
  3. Restart Moonraker with systemctl restart moonraker. Navigate to your Fluidd instance in your web browser of choice and try signing in using your Authentik/LDAP account credentials.

Additional information

moonraker.log - The login attempts are at the very bottom of the file.

moonraker.conf

Relevant logs in the LDAP server

![image](https://github.com/user-attachments/assets/2ce5a767-6c5d-4e61-91c5-7206150eb5db)

Error message as seen in Fluidd

![image](https://github.com/user-attachments/assets/3f8a6264-0b47-4039-9f47-a589578e5147)
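
To compare what the directory is asked against a manual ldapsearch, the user_filter from step 2 can be rendered for one specific login name. This is an added example, not code from Moonraker or from the issue author; it assumes the literal USERNAME in the template is replaced with the login name, and the function names and sample login names are hypothetical.

```python
# Added example (not Moonraker code): render the user_filter template from the
# config above for a given login name, escaping the name per RFC 4515.
FILTER_TEMPLATE = (
    "(&(objectClass=user)(cn=USERNAME)"
    "(memberOf=cn=iam-fluidd,ou=groups,dc=ldap,dc=goauthentik,dc=io))"
)

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value, otherwise they alter the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value, character by character (no double escaping)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_template(template: str, placeholder: str = "USERNAME") -> None:
    """Reject templates that cannot produce a well-formed, per-user filter."""
    if placeholder not in template:
        raise ValueError(f"template has no {placeholder} placeholder")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced ')' in template")
    if depth != 0:
        raise ValueError("unbalanced '(' in template")


def render_user_filter(template: str, username: str) -> str:
    """Assumption: USERNAME is the placeholder substituted at login time."""
    check_template(template)
    return template.replace("USERNAME", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed login names: one plain, one containing filter metacharacters.
    for name in ("jdoe", "j*doe (ops)"):
        print(render_user_filter(FILTER_TEMPLATE, name))
```

The rendered string can be passed to ldapsearch as the filter argument, using the same base_dn and bind account as the [ldap] section, to see whether the search returns an entry for that user.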

Arksine commented 9 hours ago

Most of the ldap functionality is contributed. Since I do not use ldap myself I only have a high level understanding of its inner workings. I'm willing to take a look at this, however it would be useful if you can reproduce the issue with verbose logging enabled. Presuming you are on a typical installation, this can be done by adding MOONRAKER_VERBOSE_LOGGING="y" to Moonraker's environment file (<data_folder>/systemd/moonraker.env). The documentation provides further detail. After making the modifications, restart the Moonraker service, reproduce the issue, and attach the log. Thanks.