ajnart / homarr

Customizable browser's home page to interact with your homeserver's Docker containers (e.g. Sonarr/Radarr)
https://homarr.dev
MIT License

OIDC LDAP - Not able to Login #2101

Open sunny5055 opened 3 months ago

sunny5055 commented 3 months ago

Environment

Docker

Version

0.15.3

Describe the problem

Not able to log in using LDAP. The logs are very brief, so I am not able to get much insight into the issue.

Logs

The only logs I can see are below; there is not much detail beyond this.

ERROR Invalid username or password

user DOMAIN\sAMAccountName is trying to log in using LDAP. Connecting to LDAP server...

ERROR Invalid username or password

user sAMAccountName is trying to log in using LDAP. Connecting to LDAP server...

ERROR Invalid username or password

Context

This is my sample LDAP config, taken directly from my Active Directory attributes:

    AUTH_PROVIDER: "ldap"
    AUTH_LDAP_URI: ldaps://myldapserver.abc.com:3269
    AUTH_LDAP_BASE: DC=abc,DC=abc,DC=com
    AUTH_LDAP_USERNAME_ATTRIBUTE: sAMAccountName
    AUTH_LDAP_USER_MAIL_ATTRIBUTE: userPrincipalName
    AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: memberOf
    AUTH_LDAP_SEARCH_SCOPE: sub
    AUTH_LDAP_BIND_DN: CN=My Full Name,OU=USERS,OU=SAMPLEOU,OU=SAMPLEOU,OU=SAMPLEOU,DC=abc,DC=abc,DC=com


github-actions[bot] commented 3 months ago

Hi 👋. Thank you for submitting your first issue to Homarr. Please ensure that you've provided all necessary information. You can use the three dots > Edit button to update your post with additional images and information. Depending on the current volume of requests, the team should get in contact with you shortly.

manuel-rw commented 3 months ago

Hi, please provide more information. What LDAP server do you use? How is it configured? Have you checked its logs?

SeDemal commented 3 months ago

Hi, I can see you've used "sAMAccountName"; this is usually reserved for Windows Active Directory and not normal LDAP. Can you confirm what LDAP provider you are using?

sharmakhimlal commented 3 months ago

I'm having the same issue with LDAP, as I'm using OpenLDAP for authentication. It works very nicely with other platforms, but here I'm not able to authenticate, and there are no descriptive error logs to understand where the problem is.

    env:
      - name: AUTH_PROVIDER
        value: "ldap"
      - name: AUTH_LDAP_URI
        value: "ldap://192.168.100.106:389"
      - name: AUTH_LDAP_BASE
        value: "ou=Users,dc=xyz,dc=net"
      - name: AUTH_LDAP_USERNAME_ATTRIBUTE
        value: "uid"
      - name: AUTH_LDAP_BIND_DN
        value: "cn=admin,dc=xyz,dc=net"
      - name: AUTH_LDAP_BIND_PASSWORD
        value: "XXXX"

Error: user testuser is trying to log in using LDAP. Connecting to LDAP server...

ERROR Invalid username or password

SeDemal commented 3 months ago

For both your cases, it seems you are not getting past the stage of logging in the admin. It can mean that the bind_dn, bind_password or URI is wrong. There is a logging system to help determine such errors, but as for anything LDAP, it's complicated. In your case you're not going past stage 1, which for anything related to LDAP is logging in to the userbase as admin before querying it.

@sharmakhimlal I'm not quite sure of the problem for you, but I can already see that the username attribute is set to uid, yet you try to use cn as the username attribute for the admin in the bind DN. Also, this might come up later, but you might not want to put "ou=users" in your base, as it should only be the base (elements of dc). It might still work though.

sharmakhimlal commented 3 months ago

Hi, thanks for getting back to me, but all of the details are right, and it is still not working.

    env:
      - name: AUTH_LDAP_SEARCH_SCOPE
        value: base
      - name: AUTH_PROVIDER
        value: "ldap"
      - name: AUTH_LDAP_URI
        value: "ldap://192.168.100.106:389"
      - name: AUTH_LDAP_BASE
        value: "dc=xyz,dc=net"
      - name: AUTH_LDAP_USERNAME_ATTRIBUTE
        value: "uid"
      - name: AUTH_LDAP_BIND_DN
        value: "cn=admin,dc=xyz,dc=net"
      - name: AUTH_LDAP_BIND_PASSWORD
        value: "xxxx"
      - name: AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG
        value: "(uid=*)"

    ldapsearch -H ldap://192.168.100.106:389 -b 'dc=xyz,dc=net' -D 'cn=admin,dc=xyz,dc=net' -W
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=xyz,dc=net> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # xyz.net
    dn: dc=xyz,dc=net
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: xyz
    dc: xyz

    # Users, xyz.net
    dn: ou=Users,dc=xyz,dc=net
    objectClass: top
    objectClass: organizationalUnit
    ou: Users

So, maybe I have to include some other env variable to make it work? Or how do I debug this?

SeDemal commented 3 months ago

It's simple really: homarr is trying to do stage 1, connecting the admin. All it needs for that is the URI, BIND_DN and BIND_PASSWORD. If it goes through, then you'll see the next message, which is "Connection established. Searching User...". All the other env variables are for the next stages. If the problem is not from the environment variables, then it means that homarr can't talk to the server. Are you sure your LDAP server can be seen by homarr (bridge or something of the like)?

sharmakhimlal commented 3 months ago

@SeDemal, yes, it is working fine and able to talk to this LDAP server. As you can see, on port 389 it connects fine; on another random port, it gets refused. Yeah, that's what I wanted to see: why it is not showing me such errors or messages if everything has been set up according to the documentation.

    root@homarr-f7fcc568f-4wbhw:/app# echo > /dev/tcp/192.168.100.106/389
    root@homarr-f7fcc568f-4wbhw:/app# echo > /dev/tcp/192.168.100.106/32
    bash: connect: Connection refused
    bash: /dev/tcp/192.168.100.106/32: Connection refused

SeDemal commented 3 months ago

The function is really simple: it takes the URI, a username and a password. If any are wrong, it returns the error you see. I don't really know what else to tell you there. I can only take your word for it that your env variables are indeed correct. It might not be your case, but I had to make one user re-type the password 3 times and it did actually end up working (problems with having long, complicated and secure passwords). It might be an error in how the env is set up. I know some users have had problems between using ":" or "=", same for putting the values in quotation marks. (In the example we have for docker compose, for example, there are no quotations, but the one for the docker run command does have them.)

sharmakhimlal commented 3 months ago

Hi @SeDemal, finally I got the issue. My password variable has a double dollar ($$), and after applying, when I checked in the pod, it had been converted to a single dollar ($). That's why it is not able to connect to the LDAP server and not able to proceed further.

    env:
      - name: AUTH_PROVIDER
        value: "ldap"
      - name: AUTH_LDAP_URI
        value: "ldap://192.168.100.106:389"
      - name: AUTH_LDAP_BASE
        value: "dc=xyz,dc=net"
      - name: AUTH_LDAP_BIND_DN
        value: "cn=admin,dc=xyz,dc=net"
      - name: AUTH_LDAP_BIND_PASSWORD
        value: 'XXXXX'
      - name: AUTH_LDAP_USERNAME_ATTRIBUTE
        value: uid
      - name: AUTH_LDAP_SEARCH_SCOPE
        value: sub

    listening on port 7575 url: http://homarr-6dcff5c8d5-mdd7m:7575
    user k.lal is trying to log in using LDAP. Connecting to LDAP server...
    Connection established. Searching User...
    ERROR User found but with invalid or non-existing Email. Not Supported: " "
        at Object.authorize (.next/server/chunks/7534.js:111:23)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async Object.callback (node_modules/next-auth/core/routes/callback.js:362:14)
        at async AuthHandler (node_modules/next-auth/core/index.js:302:28)
        at async NextAuthApiHandler (node_modules/next-auth/next/index.js:22:19)
        at async auth (.next/server/pages/api/auth/[...nextauth].js:143:12)

I don't have an email attached to the user; is it required here?

SeDemal commented 3 months ago

That's an unusual problem, but one I can see happening actually. Good to know; see if there's a need to escape with "\".

"User not found in LDAP" means that the search is not getting any users with the parameters you've given. Firstly, I'd remove the extra arg; that is only required if you wish to filter more (like if you have inactive and active accounts and want to only search within the active ones, etc.). What you might need to set instead is the USERNAME_ATTRIBUTE; usually it is either cn or uid, depending on which one your LDAP server uses.

SeDemal commented 3 months ago

I'm not quite sure of the requirements for the email, but IIRC it's a necessity for nextauth to have. From what I remember, a lot of apps that use LDAP as a userbase provider usually require the same, so I'm surprised this error doesn't come up. (Also, please don't edit massive chunks of information out of your messages that I'm answering; this is confusing for referencing in the issue and for anyone reading the thread for help.)

sharmakhimlal commented 3 months ago

@SeDemal, the above is working up to this email error. So do I need to add an email to these users in my LDAP server?

Error:

    Connection established. Searching User...
    ERROR User found but with invalid or non-existing Email. Not Supported: " "
        at Object.authorize (.next/server/chunks/7534.js:111:23)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async Object.callback (node_modules/next-auth/core/routes/callback.js:362:14)
        at async AuthHandler (node_modules/next-auth/core/index.js:302:28)
        at async NextAuthApiHandler (node_modules/next-auth/next/index.js:22:19)
        at async auth (.next/server/pages/api/auth/[...nextauth].js:143:12)

SeDemal commented 3 months ago

I'm not familiar with OpenLDAP. I know Windows AD creates a "bogus" one automatically using the username and the base DN, "username@ldapxyz.net". If OpenLDAP allows you to, maybe you could do the same, or you might have to force users to use emails.

sharmakhimlal commented 3 months ago

Thanks @SeDemal, finally it starts working with some tweaks in the environment variables; I also needed to add an email attribute to the user to make it work.

    env:
      - name: AUTH_PROVIDER
        value: "ldap"
      - name: AUTH_LDAP_URI
        value: "ldap://192.168.100.106:389"
      - name: AUTH_LDAP_BASE
        value: "dc=xyz,dc=net"
      - name: AUTH_LDAP_BIND_DN
        value: "cn=admin,dc=xyz,dc=net"
      - name: AUTH_LDAP_BIND_PASSWORD
        value: 'XXXX'
      - name: AUTH_LDAP_USERNAME_ATTRIBUTE
        value: uid
      - name: AUTH_LDAP_SEARCH_SCOPE
        value: sub

Note: please check that the password you've provided in the env variable is exactly the same in the container, because it sometimes gets interpolated when using special characters, i.e. ($).

    Listening on port 7575 url: http://homarr-c7576c6dd-w7782:7575
    user testuser is trying to log in using LDAP. Connecting to LDAP server...
    Connection established. Searching User...
    User found. Logging in...
    User logged in. Retrieving groups...
    user testuser successfully authorized

And one more ask here: if I want to use the first-time registered user along with LDAP users, is there any way to switch between authentication methods, or do I just need to remove these variables and change AUTH_PROVIDER to "credentials"?

SeDemal commented 3 months ago

That info is written plainly and quite big on the docs' LDAP page in the description of "AUTH_PROVIDER": https://homarr.dev/docs/advanced/sso. You can have both, just separate them with a comma: "credentials,ldap"

SeDemal commented 3 months ago

@sunny5055 hope this provides a bit of the context needed for debugging on your part too. From what I see though, there might be some misconfigurations.

The port seems strange to me, as ldap runs on 389 and ldaps on 636, but if you've changed it on purpose it's fine. Base should only use the very base of your address, usually domain and TLD, no subdomain. The username attribute you're trying to use is very specific to Active Directory; normal LDAP would use "cn" or "uid". The user mail attribute goes about the same: it's the identifier name under which the email is saved, so normally just "mail", and you can't use some random entry; it has to correlate to an email or it won't work. The BIND_DN is full of "SAMPLEOU", which I hope are swapped for actual values on your side, and the CN needs to be an admin account on your LDAP server.

And lastly, are you trying to connect with the username "DOMAIN\sAMAccountName"? Or is that a replacement to obscure private information? You need to use a username. Even for Windows AD you don't need the "domain" part.

sunny5055 commented 3 months ago

Hello all, thank you for the reply. Yes, I am using Windows Active Directory. 3269 is also a standard port for LDAPS (https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority). I have tried with DOMAIN\sAMAccountName or just sAMAccountName and also userPrincipalName (which is the email). I checked the container and couldn't find any additional logs. Is there a debug log available which can be enabled?

SeDemal commented 3 months ago

This is the debug log, as explained: the first line says homarr is trying to log in the admin. That step only requires the binds and the URI. If any of the 3 are wrong, or if homarr cannot contact the LDAP provider, then it'll fail as shown in the logs. I'm the one that wrote the example for Active Directory, so I'm somewhat familiar with it. For the Bind_DN, it's just "CN=AdminUser,CN=Users,DC=xyz,DC=net"; the only thing you should be changing in there is the AdminUser, so it uses your admin account, or an admin account you've made for auth purposes. For the bind password, be careful when entering it; if it's complex there are chances for typos. Also, as sharmakhimlal demonstrated, special characters might need to be escaped using \. You didn't show you're using it, but I'm only guessing you removed it to protect private information. If you could, I would prefer for you to replace sensitive information with placeholders that are less confusing, and don't remove complete lines; this helps us know if you've missed an important env variable. I would also recommend following the Active Directory example as closely as possible. I can see some variables are not set as such, which made me think that you were not on Active Directory.

sunny5055 commented 3 months ago

@SeDemal Thank you for the reply. I did some changes to the config and found the issue is related to LDAPS. I'm not sure if it's related to the certificate because it's private SSL? I changed the LDAP server to port 386 and the same config works. I'm now trying to figure out what could be the issue with LDAPS.

SeDemal commented 3 months ago

Have you tried using port 636 instead? From what I'm reading, you shouldn't use the other one if you're just doing login / search.

sunny5055 commented 3 months ago

Yes, I have tried both 636 and 3269. Once I change LDAP to LDAPS, the authentication fails with the generic error: ERROR Invalid username or password

TORAMBO commented 2 months ago

Hey there,

please give me a PM if the issue is up to date.

Solution: if you are using Synology Directory or Windows Directory, you need to disable the hardbase auth.

You can read the solution here: https://discord.com/channels/972958686051962910/1279195636981305474 (it's the Homarr Discord).

    version: "3.9"
    services:
      homarr:
        network_mode: "host" # use it if you wanna have host ip.
        container_name: Homarr
        image: ghcr.io/ajnart/homarr:latest
        #image: ghcr.io/sedemal/homarr:41 # TESTING SYSTEM with better logs.
        mem_limit: 4g
        cpu_shares: 768
        security_opt:
          - no-new-privileges:true
        restart: on-failure:5
        ports:
          - 4755:7575
        volumes:
          - /volume1/docker/homarr:/app/data/configs:rw
          - /volume1/docker/homarr/data:/data:rw
          - /volume1/docker/homarr/icons:/app/public/icons:rw
          - /var/run/docker.sock:/var/run/docker.sock
        environment:
          AUTH_PROVIDER: ldap,credentials
          AUTH_LDAP_URI: ldap://DOMAINIP:389
          AUTH_LDAP_BASE: "dc=DOMAINNAME,dc=local"
          AUTH_LDAP_BIND_DN: "DOMAINUSER@DOMAIN.local"
          AUTH_LDAP_BIND_PASSWORD: "DOMAINPASSWORD"
          AUTH_LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"
          #AUTH_LDAP_USER_MAIL_ATTRIBUTE: "MAIL"
          #AUTH_LDAP_GROUP_CLASS: "group"
          #AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: "member"
          #AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: "dn"
          #AUTH_LDAP_ADMIN_GROUP: "Administrators"
          #AUTH_LDAP_OWNER_GROUP: "Administrators"
          AUTH_LDAP_SEARCH_SCOPE: "sub"
          #AUTH_LDAP_ENCRYPTION: NO
          #AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: "(sAMAccountType=805306368)"
          TZ: Europe/Berlin
          # activate Debug-Logs
          #DEBUG: "true"

IMPORTANT

Password: don't use special symbols in your password for the domain user.

    DOESN'T WORK | AUTH_LDAP_BIND_DN: "CN=Administrator,CN=Users,dc=HERE,dc=local"
    WORKS        | AUTH_LDAP_BIND_DN: "domainUSER@domainname.local"
    NEEDED       | AUTH_LDAP_SEARCH_SCOPE: "sub" to search any user
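The recurring findings in this thread (SeDemal's point that stage 1 only needs the URI, BIND_DN and BIND_PASSWORD; sharmakhimlal's `$$` getting interpolated to `$`; the port, base and search-scope advice above) can be turned into a preflight check run before the first login attempt. This is an added example, not Homarr's code and not a reproduction of its login logic; the `AUTH_LDAP_*` names are the ones posted in this thread, and the env dicts in its test are constructed from the configs shown here.

```python
"""Preflight checks for a Homarr AUTH_LDAP_* environment (added example, not Homarr's code).

Encodes the points raised in this thread: the stage-1 admin bind only needs
AUTH_LDAP_URI, AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD; ldap:// normally
pairs with 389/3268 and ldaps:// with 636/3269; the base should be dc= parts
only; scope 'base' cannot find users below the base; and a '$' in the password
may have been mangled by Compose or Kubernetes variable interpolation before it
reached the container. 3268/3269 are the Active Directory global catalog ports.
"""
import socket
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REQUIRED_FOR_BIND = ("AUTH_LDAP_URI", "AUTH_LDAP_BIND_DN", "AUTH_LDAP_BIND_PASSWORD")
USUAL_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}


def check_ldap_env(env: Dict[str, str], intended_password: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    findings = []
    for key in REQUIRED_FOR_BIND:
        if not env.get(key):
            findings.append(f"{key} is missing: stage 1 (admin bind) cannot succeed")
    parts = urlsplit(env.get("AUTH_LDAP_URI", ""))
    if parts.scheme not in USUAL_PORTS:
        findings.append(f"AUTH_LDAP_URI scheme {parts.scheme!r} is neither ldap nor ldaps")
    else:
        port = parts.port or (389 if parts.scheme == "ldap" else 636)
        if port not in USUAL_PORTS[parts.scheme]:
            findings.append(f"port {port} is unusual for {parts.scheme}://")
    base = env.get("AUTH_LDAP_BASE", "")
    rdn_types = [rdn.split("=", 1)[0].strip().lower() for rdn in base.split(",") if rdn.strip()]
    if any(t != "dc" for t in rdn_types):
        findings.append("AUTH_LDAP_BASE should normally contain only dc= components")
    if env.get("AUTH_LDAP_SEARCH_SCOPE", "sub").lower() == "base":
        findings.append("AUTH_LDAP_SEARCH_SCOPE 'base' matches only the base entry; use 'sub' to find users")
    password = env.get("AUTH_LDAP_BIND_PASSWORD", "")
    if intended_password is not None and password != intended_password:
        findings.append("bind password seen by the container differs from the intended value "
                        "(variable interpolation of '$'?)")
    elif "$" in password:
        findings.append("bind password contains '$'; confirm the container received it unchanged")
    return findings


def tcp_reachable(uri: str, timeout: float = 3.0) -> bool:
    """Same check as `echo > /dev/tcp/HOST/PORT` in the thread: can the socket be opened at all?"""
    parts = urlsplit(uri)
    port = parts.port or (389 if parts.scheme == "ldap" else 636)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run it inside the container (`python3 -c 'import os, check; print(check.check_ldap_env(dict(os.environ), intended_password="..."))'`) so the values it sees are the ones Homarr sees after interpolation.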

github-actions[bot] commented 3 weeks ago

Hello 👋, this issue has been open for 60 days without activity. We mark issues to help prioritise and close dead issues. Can you confirm that this issue is still relevant on the latest version? I'll remove the stale label as soon as there is further activity on this issue. Thank you 🙏