Open Bleala opened 2 years ago
antoineraulin
commented
2 years ago Hi!
I have had more successful results using the following flow:
Look at the documentation for LDAP providers, the allowed stages are Identification, Password and Authenticator validator . While in your flow I see a Login stage, this may be the source of your problem.
twicechild
commented
1 year ago Hello everyone!
I finding my self with a similar problem. I tinkered with the flow but without success. Were you able to make this work?
Only difference is I'm using the Kubernetes integration.
Thank you!
hanneshier
commented
1 year ago Same problem for me... Does anyone had success in resolving this issue yet?
Natureshadow
commented
1 year ago Problem reproducible here.
BeryJu
commented
1 year ago Can you post the logs of both the ldap outpost, the authentik server itself, and also try with the default authentication flow?
Natureshadow
commented
1 year ago Can you post the logs of both the ldap outpost, the authentik server itself, and also try with the default authentication flow?
The logs of the outpost are already posted here. Setting the level to debug does not help, no more info is logged.
I am already using the default flow.
The Aurhentik server itself does not produce any log output when searching the LDAP.
Maybe a caching issue? I could try using direct bind and search.
BeryJu
commented
1 year ago When using the cached binding, restart the outpost, then you should get more logs
benedikt-bartscher
commented
1 year ago I have the same problem, i tried many different Flow setups. Here are my logs:
bb-authentik_ldap-1 | {"event":"No session found for user, executing flow","level":"debug","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-02-26T12:47:12Z"}
bb-authentik_ldap-1 | {"bindDN":"cn=opnsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.11.104.1","component":"ak-stage-identification","event":"Got challenge","flow":"ldap","level":"debug","requestId":"ce607e69-1e56-4215-9179-eaf608654f88","timestamp":"2023-02-26T12:47:13Z","type":"native"}
bb-authentik_ldap-1 | {"bindDN":"cn=opnsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.11.104.1","component":"ak-stage-identification","event":"Got response","flow":"ldap","level":"debug","requestId":"ce607e69-1e56-4215-9179-eaf608654f88","timestamp":"2023-02-26T12:47:13Z","type":"native"}
bb-authentik_ldap-1 | {"bindDN":"cn=opnsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.11.104.1","error":"flow error non_field_errors: Failed to authenticate.","event":"failed to execute flow","level":"warning","requestId":"ce607e69-1e56-4215-9179-eaf608654f88","timestamp":"2023-02-26T12:47:13Z"}
bb-authentik_ldap-1 | {"bindDN":"cn=opnsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.11.104.1","event":"Bind request","level":"info","requestId":"ce607e69-1e56-4215-9179-eaf608654f88","timestamp":"2023-02-26T12:47:13Z","took-ms":318}
marrobHD
commented
1 year ago Same here...
Edit: Somehow I needed to recreate the ldap outpost...
glycerine102
commented
1 year ago Same problem here running on version 2023.2.2 inside Kubernetes. The LDAP outposts were provisioned with the Kubernetes integration. I followed the docs from the Create LDAP Provider step first. When that didn't work I went back and set up the stages and flow. Both the default flow and the ldap specific flow still just give me invalid credentials.
ldap_bind: Invalid credentials (49)The logs below are from the outpost ldap pod with debug on. I don't see any logs appear in the server/worker pods when triggering these.
ak-outpost-ldap-phl-cb6545fdb-zm5ls ldap {"event":"No session found for user, executing flow","level":"debug","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-03-02T16:37:10Z"}
ak-outpost-ldap-phl-cb6545fdb-zm5ls ldap {"bindDN":"cn=ldapservice,ou=users,dc=ldap,dc=***,dc=net","client":"10.81.0.138","component":"ak-stage-access-denied","event":"Got challenge","flow":"ldap-authentication-flow","level":"debug","requestId":"0894b67c-2b87-4290-b4bd-4f96519f3327","timestamp":"2023-03-02T16:37:10Z","type":"native"}
ak-outpost-ldap-phl-cb6545fdb-zm5ls ldap {"bindDN":"cn=ldapservice,ou=users,dc=ldap,dc=***,dc=net","client":"10.81.0.138","event":"Invalid credentials","level":"info","requestId":"0894b67c-2b87-4290-b4bd-4f96519f3327","timestamp":"2023-03-02T16:37:10Z"}
ak-outpost-ldap-phl-cb6545fdb-zm5ls ldap {"bindDN":"cn=ldapservice,ou=users,dc=ldap,dc=***,dc=net","client":"10.81.0.138","event":"Bind request","level":"info","requestId":"0894b67c-2b87-4290-b4bd-4f96519f3327","timestamp":"2023-03-02T16:37:10Z","took-ms":31}EDIT: I've fixed my issue by adding another stage in my flow. I noticed the docs under the Create Custom Flow section only utilized two of the created stages with orders 10 and 30 (between steps 3 and 4). I added the ldap-authentication-password stage with an order of 20. I also recreated the application, provider, and outpost as I don't believe my changes were taking effect on the outpost.
xubiaosunny
commented
1 year ago 我这里也有这个问题
server log
{"auth_via": "unauthenticated", "event": "f(exec): Flow not applicable to current user", "exc": "FlowNonApplicableException()", "flow_slug": "ldap-authentication-flow", "host": "example.com:8012", "level": "warning", "logger": "authentik.flows.views.executor", "pid": 6278, "request_id": "3378dd964c47428fabbac97fc426289a", "timestamp": "2023-03-03T08:46:45.218857"}
{"auth_via": "unauthenticated", "errors": {"error_message": ["Not a valid string."]}, "event": "f(ch): Invalid challenge", "host": "example:8012", "level": "warning", "logger": "authentik.flows.stage", "pid": 6278, "request_id": "3378dd964c47428fabbac97fc426289a", "stage": null, "stage_view": "authentik.flows.stage.AccessDeniedChallengeView", "timestamp": "2023-03-03T08:46:45.220117"}
{"auth_via": "unauthenticated", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "example.com:8012", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 6278, "remote": "10.196.220.254", "request_id": "3378dd964c47428fabbac97fc426289a", "runtime": 17, "scheme": "http", "status": 200, "timestamp": "2023-03-03T08:46:45.226641", "user": "", "user_agent": "goauthentik.io/outpost/2023.2.2"}
andresiraola
commented
1 year ago I had the same issue. The only way I found to fix it is using direct binding/querying.
Mailstorm-ctrl
commented
10 months ago This issue and https://github.com/goauthentik/authentik/issues/5017 are related. As if you use the default flow, you'll get issue https://github.com/goauthentik/authentik/issues/5017. Create your own flow as documented, and you end up with this issue.
Mrs-Feathers
commented
10 months ago i'm using a flow i created from the cooptonian youtube video that has the identification stage and and password stage just as the image showed in this thread.. it was working for a while and stopped. the restarting of the ldap docker outpost didn't help... creating the user, outpost, and everything LDAP related did work but a couple days later everythign stopped working agian... and i can confirm its not a cache issue as it doesn't work on direct connection either.
TMUniversal
commented
6 months ago I managed to get it to work with these settings:
Please let me know if this works for you, especially the notes marked as important. You can @ mention me for questions about this configuration.
authentik version 2023.10.7
LDAP Client: Jellyfin LDAP Auth Plugin v18, I have also had success with LDAPSoft Ldap Browser 6.10
[!IMPORTANT] Pay special attention to the Authentik LDAP Provider's Direct Binding. Thank you @Zapfmeister
Bind User: cn=ldap_bind_user,ou=ldap_bind_user,dc=ldap,dc=goauthentik,dc=io
[!IMPORTANT] Note how the group
ouis set to the username, for which a single-user group exists in authentik. To do this, I created a service account namedldap_bind_user, with a group of the same name.
Base DN: dc=ldap,dc=goauthentik,dc=io
Bind Password: the service account's token.
Connection is set to SSL (port 636) (you may need to specify skip verification), not StartTLS.
ldap-authentication-flowRequire no authentication (likely optional, this is the prerequisite to use this flow)MESSAGE_CONTINUEanyBoth set to:
RETRYanyldap-identification-stageUsername, E-Mail (UPN is not selected)ldap-authentication-passwordauthentik Built-in (should not be necessary)ldap-authentication-passwordUser database + standard password, User database + app password, User database + LDAP passworddefault-password-change (Change Password) (default)5 (default)ldap-authentication-loginseconds=0 (default)seconds=0 (default)Your provider must be associated with an application and selected in the LDAP outpost.
LDAPdc=ldap,dc=goauthentik,dc=io[!IMPORTANT] I have a search group set,
ldap_search, which must be created separately. Theldap_bind_usermust be assigned to that group.
Zapfmeister
commented
6 months ago ldapsearch -x -LLL -h IP -p 389 -W -D "CN=ldapsearch,ou=users,dc=ldap,dc=mydomain,dc=mydomainsuffix" -b 'DC=ldap,DC=mydomain,dc=mydomainsuffix' '(objectClass=*)' -d "debug"
Enter LDAP Password:Produced the error:
ldap_bind: Insufficient access (50)
What fixed it for me, was to change the provider from cached binding and cached querying to direct. Also, make sure to create a service user, not a normal users
kuolemaaa
commented
6 months ago FIXED (sort of): My so-called authentik_ldap LDAP outpost container was contacting my authentik server container via http://authentik_server:9000 that is the internal (by means of docker network) endpoint using the environment variable in docker compose AUTHENTIK_HOST: http://authentik_server:9000.
Turns out it did not liked it (I guess 'it' is the main authentik server, looking at the log below and the HTTP 302s there). Hence I switched to an https version of the endpoint, using the url on the advanced setting in the LDAP application edit page, and the ldapsearch query worked.
The problem is that the URL that authentik showed me is the public one and I would like to keep the communication between the ldap outpost and the authentik server inside the docker network, for example, using https://authentik_server:9443.
Using the internal name of docker it does not work tho. Suggestions are welcome.
authentik 2024.2.1
Same configuration (if im not wrong) as TMUniversal's setup (above) and it does not work for me.
Executing from another container inside the same network of the ldap outpost, authentik and authentik's worker:
# ldapsearch -H 'ldap://authentik_ldap:3389' -D 'cn=ldapsearch,ou=ldapsearch,dc=ldap,dc=goauthentik,dc=io' -w 'service'
ldap_bind: Invalid credentials (49)My outpost container tells me:
{"bindDN":"cn=ldapsearch,ou=ldapsearch,dc=ldap,dc=goauthentik,dc=io","client":"172.22.0.2","error":"exceeded stage recursion depth","event":"failed to execute flow","level":"warning","requestId":"49eb9457-c7ab-4e0e-9767-dbb3b6a931d7","timestamp":"2024-03-04T16:12:37Z"}
{"bindDN":"cn=ldapsearch,ou=ldapsearch,dc=ldap,dc=goauthentik,dc=io","client":"172.22.0.2","event":"Bind request","level":"info","requestId":"49eb9457-c7ab-4e0e-9767-dbb3b6a931d7","timestamp":"2024-03-04T16:12:37Z","took-ms":6436}My authentik container tells me:
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "3b21c15be01a40818f2e661627d03907", "runtime": 403, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:17.620257", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "f26d08c709b44eb9a35a0ac2d37dfb8d", "schema_name": "public", "timestamp": "2024-03-04T16:14:17.800623", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "f26d08c709b44eb9a35a0ac2d37dfb8d", "runtime": 193, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:17.823018", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "c755e3f1f1e14848bb2fd3303a6c5e6b", "runtime": 410, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:18.242729", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "9589673d28914e77804e40389ce812f9", "schema_name": "public", "timestamp": "2024-03-04T16:14:18.417375", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "9589673d28914e77804e40389ce812f9", "runtime": 169, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:18.419895", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "df74bfcf82af4fb1b1ea628bd9fcd907", "runtime": 407, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:18.837047", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "8a643cec3a584e6baa085b4b3f80658d", "schema_name": "public", "timestamp": "2024-03-04T16:14:19.036878", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "8a643cec3a584e6baa085b4b3f80658d", "runtime": 193, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:19.039706", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "7a2b72d25eea435f831c6e10e8f8a085", "runtime": 404, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:19.452507", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "0b82d6fe12b64d9a83ec1b1f71d309dc", "schema_name": "public", "timestamp": "2024-03-04T16:14:19.641777", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "0b82d6fe12b64d9a83ec1b1f71d309dc", "runtime": 182, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:19.643699", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "5eef509353494f62957bf218a1aa8699", "runtime": 397, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:20.050471", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "e76a8ff4d6804c2d84dcebbae842c02f", "schema_name": "public", "timestamp": "2024-03-04T16:14:20.246877", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "e76a8ff4d6804c2d84dcebbae842c02f", "runtime": 189, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:20.249319", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "b25f1cb8886449c49d27e2eddf3bca2f", "runtime": 394, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:20.652793", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "cf387883ebdf4449ad95c1f05c2d80f0", "schema_name": "public", "timestamp": "2024-03-04T16:14:20.843857", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "cf387883ebdf4449ad95c1f05c2d80f0", "runtime": 183, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:20.845853", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "5226f04662c340618df47cfdb814077a", "runtime": 401, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:21.255458", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "53099260dbca4e339a2048ba73a86a60", "schema_name": "public", "timestamp": "2024-03-04T16:14:21.436105", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "53099260dbca4e339a2048ba73a86a60", "runtime": 174, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:21.438323", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "120422b435da42a4b714e4852f90c1a1", "runtime": 403, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:21.851588", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "b63fc48092af4f8481864123160ae52b", "schema_name": "public", "timestamp": "2024-03-04T16:14:22.041525", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "b63fc48092af4f8481864123160ae52b", "runtime": 184, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:22.043855", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "1b6d8bffae8e431185fb87de1200289d", "runtime": 393, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:22.446041", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "e71c6c5c416245c39b32a831c67dec15", "schema_name": "public", "timestamp": "2024-03-04T16:14:22.628431", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "e71c6c5c416245c39b32a831c67dec15", "runtime": 174, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:22.630782", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "bd77937d812b4a57b5c0337395aa0be2", "runtime": 406, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:23.046196", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "authentik", "event": "Successful authentication", "host": "authentik:9000", "level": "info", "logger": "authentik.stages.password.stage", "pid": 48, "request_id": "9c432c4f52a54e03a5f864500c26945f", "schema_name": "public", "timestamp": "2024-03-04T16:14:23.242935", "user": "ldapsearch"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 48, "remote": "172.22.0.2", "request_id": "9c432c4f52a54e03a5f864500c26945f", "runtime": 190, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-04T16:14:23.246267", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 48, "remote": "172.22.0.2", "request_id": "9c6afe9dacdc4b058669ccd1c99d21ce", "runtime": 388, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-04T16:14:23.643545", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.1"}I dont know if worth mentioning: I "checked access" of the application LDAP against ldapsearch user and passed.
dotupNET
commented
3 months ago Any news?
Hello there!
I tried to get the LDAP Outpost in Authentik working, but i'm always getting an
Invalid credentialserror. I don't know what to do now.I created an LDAP Providar, Application and Outpost, as you can see on the screenshots.
And also a custom flow, because i read that LDAP is not working if a flow has MFA enabled.
But when i try to do a
ldapsearchi'm getting the following error:In the
ak-outpost-ldapcontainer created by Authentik i get the following log:{"bindDN":"cn=***,ou=users,dc=ldap,dc=***,dc=***","client":"192.***.***.***","event":"Bind request","level":"info","requestId":"5e90557b-5942-4001-b2dd-fa4453798bac","timestamp":"2022-04-18T07:34:28Z","took-ms":35479}I'm using the latest Authentik version
2022.4.1and deployed everything withdocker-compose.Do you have an idea what the problem is here?
Greetings