LDAP: Insufficient Permissions

[StizLor]

Describe the bug Issue revolves around ldap provider via outpost and binding ldap. When setting a group or user other than the ldap-bind (user or group) the ldap can't bind to authentik anymore. This is tested with jellyfin as ldap client application. In Short -

The ldap bind is successful when:

• no group/user is bound to the application
• only the ldap-bind group/user is bound to the application
  • when binding the bind-group, other users can be member as well and it still works

The ldap bind fails when:

• user/group other than bind-user/group is bound to application

To Reproduce Steps to reproduce the behavior:

Config in Jellyfin: https://docs.goauthentik.io/integrations/services/jellyfin/

1. Create an application (here jellyfin)
2. Create provider (OAuth/OIDC)
3. Create user and group for ldap binding
4. Create provider (ldap)
5. Bind ldap provider as backchannel provider to application
6. Create ldap outpost bound to application (jellyfin)
7. Create user_group used for access to application
8. Create user and add to user_group
9. Bind user_group to application

Expected behavior It is expected that the bind is always working, no matter what groups/users are bound to the application.

Screenshots

Logs

when failing

Authentik Events:

{
    "user": {
        "pk": 11,
        "email": "",
        "username": "ldap_bind"
    },
    "action": "login",
    "app": "authentik.events.signals",
    "context": {
        "auth_method": "password",
        "http_request": {
            "args": {
                "goauthentik.io/outpost/ldap": "true"
            },
            "path": "/api/v3/flows/executor/default-authentication-flow/",
            "method": "GET",
            "request_id": "9652bb8978c64ffba3902ff17b0c4623",
            "user_agent": "goauthentik.io/outpost/2024.6.2"
        },
        "auth_method_args": {}
    },
    "client_ip": "10.0.40.5",
    "expires": "2025-01-29T13:12:59.819Z",
    "brand": {
        "pk": "c6147328563b485da3e3d05ef75960c1",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

Jellyfin Logs:

[2024-08-02 15:12:58.664 +02:00] [ERR] [107] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to Connect or Bind to server as user "cn=ldap_bind,ou=users,dc=int,dc=freydank,dc=ch"
LdapException: Insufficient Access Rights (50) Insufficient Access Rights
LdapException: Matched DN: 

Outpost Logs:

{"bindDN":"cn=ldap_bind,ou=users,dc=int,dc=freydank,dc=ch","client":"10.0.40.5","event":"Access denied for user","flow":"default-authentication-flow","level":"info","requestId":"5bdb9ebb-8a25-4c15-941f-fe5f33bcb594","timestamp":"2024-08-02T13:12:59Z"}
{"bindDN":"cn=ldap_bind,ou=users,dc=int,dc=freydank,dc=ch","client":"10.0.40.5","event":"Access denied for user","level":"info","requestId":"5bdb9ebb-8a25-4c15-941f-fe5f33bcb594","timestamp":"2024-08-02T13:12:59Z"}
{"bindDN":"cn=ldap_bind,ou=users,dc=int,dc=freydank,dc=ch","client":"10.0.40.5","event":"Bind request","level":"info","requestId":"5bdb9ebb-8a25-4c15-941f-fe5f33bcb594","timestamp":"2024-08-02T13:12:59Z","took-ms":1983}
{"event":"initialised direct binder","level":"info","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2024-08-02T13:16:22Z"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-08-02T13:16:22Z"}

Authentik Worker:

{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 89981, "remote": "10.126.0.7", "schema_name": "public", "scheme": "ws", "timestamp": "2024-08-02T13:26:09.147811", "user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 89981, "remote": "10.0.40.5", "request_id": "06a8583159264df5b00187037577b476", "runtime": 870, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-08-02T13:26:15.877524", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 89981, "remote": "10.0.40.5", "request_id": "5067c559c7f34688a81783a71d04d334", "runtime": 33, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-08-02T13:26:15.944469", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 89981, "remote": "10.0.40.5", "request_id": "73d3403868814918a727184fc3f5f211", "runtime": 112, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-08-02T13:26:16.091086", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.2"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik.int.freydank.ch", "event": "Successful authentication", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.stages.password.stage", "pid": 89981, "request_id": "45b9e12f5f7c477bbc8efa297a58978d", "schema_name": "public", "timestamp": "2024-08-02T13:26:16.630813", "user": "ldap_bind"}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 89981, "remote": "10.0.40.5", "request_id": "45b9e12f5f7c477bbc8efa297a58978d", "runtime": 514, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-08-02T13:26:16.634671", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 89981, "remote": "10.0.40.5", "request_id": "b70510cb78394e60bab6bb79596e4718", "runtime": 64, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-08-02T13:26:16.725063", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.2"}
{"action": "login", "auth_via": "unauthenticated", "client_ip": "10.0.40.5", "context": {"auth_method": "password", "auth_method_args": {}, "http_request": {"args": {"goauthentik.io/outpost/ldap": "true"}, "method": "GET", "path": "/api/v3/flows/executor/default-authentication-flow/", "request_id": "9c8ad3c392bf4a919ba5a09b9260db9b", "user_agent": "goauthentik.io/outpost/2024.6.2"}}, "domain_url": "authentik.int.freydank.ch", "event": "Created Event", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.events.models", "pid": 89981, "request_id": "9c8ad3c392bf4a919ba5a09b9260db9b", "schema_name": "public", "timestamp": "2024-08-02T13:26:16.813764", "user": {"email": "", "pk": 11, "username": "ldap_bind"}}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "Task published", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.root.celery", "pid": 89981, "request_id": "9c8ad3c392bf4a919ba5a09b9260db9b", "schema_name": "public", "task_id": "38f46c2c98584fd39deb6460cfcba03b", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-08-02T13:26:16.843707"}
{"auth_via": "unauthenticated", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 89981, "remote": "10.0.40.5", "request_id": "9c8ad3c392bf4a919ba5a09b9260db9b", "runtime": 125, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-08-02T13:26:16.877830", "user": "ldap_bind", "user_agent": "goauthentik.io/outpost/2024.6.2"}
{"auth_via": "session", "domain_url": "authentik.int.freydank.ch", "event": "/api/v3/core/applications/jellyfin/check_access/", "host": "authentik.int.freydank.ch", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 89981, "remote": "10.0.40.5", "request_id": "d01cfd6f89db424e8ff2b593ff2a5a9f", "runtime": 43, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-08-02T13:26:16.953498", "user": "ldap_bind", "user_agent": "goauthentik.io/outpost/2024.6.2"}

Version and Deployment (please complete the following information):

• authentik version: 2024.6.2
• Deployment: Docker Compose
  • Docker: 27.1.1
  • Compose: v2.29.0

[DirgoSalga]

I am also having trouble authenticating over LDAP. It is not exactly the same setup, but I think it is close enough.

My problem is that LDAP authentication is not working for the only account that has MFA. Everyone else can authenticate at Jellyfin using LDAP no problem.

Is this a known issue?

[StizLor]

@DirgoSalga Do you use the default authentication flow for the ldap provider (default-authentication-flow)? I assume by your comment that you also use authentik as ldap provider. If you do, the flow contains a mfa stage that is run if a mfa-device is enrolled.

Testing it myself, the logs show that the flow fails at the mfa stage. I do not know if it is intended that way. If you have no session when authenticating on jellyfin via ldap, a redirect would be needed to enter the mfa. When already authenticated, authentik does not seem pass the mfa stage correctly.

Either this is a bug and needs to be fixed or you could write a policy or whole new flow. The policy would just skip the mfa. The flow wouldn't include a mfa stage.

No satisfactory solution but at least all flows would work again and apps could still authenticate.

[DirgoSalga]

Thanks for your reply! I will give the workaround a try as soon as I find some time to tinker around again. I'll let you know if I get it working.

[Fuseteam]

i'm also running into this with a custom flow without mfa testing the flow in authentik seems to work fine without mfa but ldapsearch says insufficient permissions

[Fuseteam]

hmmm interestingly enough if i put it on direct querying, i get operations error but with cached i can see in the logs it shows up as an anonymous user if i chance objectclass to 'username' rather than user i do get "success" but i see no info with direct querying

[authentik-automation[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[Fuseteam]

I have not found a solution yet