goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP Insufficient Access Rights (50) #5017

Closed Svenum closed 1 year ago

Svenum commented 1 year ago

If I want to connect to my LDAP I always get the error "Insufficient Access Rights (50)". In the ldap-outpost, this is in the log:

Steps to reproduce the behavior: I do not know how to reproduce this error. I followed the manual in your Docs. The user I use is in the Group that's allowed to bind.

I want to login to these applications via LDAP:

  1. Nextcloud
  2. Guacamole
  3. JellyFin

Provider Settings: image image

Nextcloud Settings: image

INF undefined | bindDN=cn=sa-jellyfin,dc=holypenguin,dc=net client=10.0.1.7 event=Bind request requestId=d359a8b5-2072-4508-9846-86ebe514182a timestamp=2023-03-20T19:52:05Z took-ms=8915 
INF undefined | bindDN=cn=sa-jellyfin,dc=holypenguin,dc=net event=authenticated from session logger=authentik.outpost.ldap.binder.session timestamp=2023-03-20T19:52:10Z 

Version and Deployment (please complete the following information):

BeryJu commented 1 year ago

Is the service account you're binding with allowed to access the application assigned to the ldap provider? You can check this in the application view using the check access button

Svenum commented 1 year ago

Yes, it is passing: image

Svenum commented 1 year ago

Now I found this error in my logs:

2023/03/22 14:40:04 handleSearchRequest error LDAP Result Code 50 "Insufficient Access Rights": Search Error: Anonymous BindDN not allowed

Svenum commented 1 year ago

After deleting and recreating Service Accounts, Provider, Application and involved Groups everything works as expected...

Typhonragewind commented 1 year ago

I'm having this problem, though recreating stuff didn't help.

EDIT: Nvm, I was being dumb and not having a login stage in my LDAP flow

authentik-automation[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Mrs-Feathers commented 1 year ago

I had this issue, recreated the LDAP service account, provider, application and group and it worked... but what's annoying is that it hasn't even been a month and already it's failing like this again... recreating stuff works but.. what is happening? Why does it do this? How can I stop this exact error from happening in production?

erdoking commented 1 year ago

Same problem here. A newly created service account used as the LDAP bind user was unable to query: "ldap_bind: Insufficient access (50)". Identical rights as another user created yesterday for another binding. Tested with ldapsearch from the same server.

Seems to be a caching problem! -> "event":"authenticated from session". Solved after restarting the authentik-ldap docker container.

Logs before restarting

working (usera)

{"bindDN":"cn=ldap_bind_usera,ou=users,dc=ldap,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-09-03T21:07:09Z"}
{"bindDN":"cn=ldap_bind_usera,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.16.10.33","event":"Bind request","level":"info","requestId":"9abf8aa5-5445-40ea-806d-03b284f72f70","timestamp":"2023-09-03T21:07:09Z","took-ms":2}
{"attributes":[],"baseDN":"DC=ldap,DC=goauthentik,DC=io","bindDN":"cn=ldap_bind_XXX,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.16.10.33","event":"Search request","filter":"(objectClass=group)","level":"info","requestId":"496377db-57e4-4cac-a50d-d04a82c73e4a","scope":"Whole Subtree","timestamp":"2023-09-03T21:07:09Z","took-ms":0}

not working (userb)

{"bindDN":"cn=ldap_bind_userb,ou=users,dc=ldap,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-09-03T21:07:21Z"}
{"bindDN":"cn=ldap_bind_userb,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.16.10.33","event":"Bind request","level":"info","requestId":"14b4cd5a-8d27-4e5e-8b3a-993d5da69508","timestamp":"2023-09-03T21:07:21Z","took-ms":0}

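
As an added diagnostic example (not code from the authentik project or from any poster in this thread): a small Python script that reads outpost log lines in the two shapes quoted above, the JSON lines with `bindDN`/`event` fields and the plain-text `handleSearchRequest error LDAP Result Code 50 ...` line, and reports, per bind DN, how many binds were "authenticated from session", how many Bind requests arrived and how many Search requests followed. A bind user that binds but never searches is the pattern erdoking shows for the non-working account, so it is flagged for a check of the application access and group assignment (or an outpost restart if the caching theory applies). The sample log is constructed here and the `requestId` values are placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample input (not real logs): JSON lines modelled on the outpost
# output quoted in this thread, plus one plain-text handleSearchRequest error.
# The requestId values are placeholders.
SAMPLE_LOG = r'''
{"bindDN":"cn=ldap_bind_usera,ou=users,dc=ldap,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-09-03T21:07:09Z"}
{"bindDN":"cn=ldap_bind_usera,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.16.10.33","event":"Bind request","level":"info","requestId":"REQ-A1","timestamp":"2023-09-03T21:07:09Z","took-ms":2}
{"attributes":[],"baseDN":"DC=ldap,DC=goauthentik,DC=io","bindDN":"cn=ldap_bind_usera,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.16.10.33","event":"Search request","filter":"(objectClass=group)","level":"info","requestId":"REQ-A2","scope":"Whole Subtree","timestamp":"2023-09-03T21:07:09Z","took-ms":0}
{"bindDN":"cn=ldap_bind_userb,ou=users,dc=ldap,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-09-03T21:07:21Z"}
{"bindDN":"cn=ldap_bind_userb,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.16.10.33","event":"Bind request","level":"info","requestId":"REQ-B1","timestamp":"2023-09-03T21:07:21Z","took-ms":0}
2023/09/03 21:07:21 handleSearchRequest error LDAP Result Code 50 "Insufficient Access Rights": Search Error: Anonymous BindDN not allowed
'''

# Plain-text error lines carry the numeric LDAP result code, its name and a detail.
ERR_RE = re.compile(r'LDAP Result Code (\d+) "([^"]+)"(?::\s*(.*))?')


def parse_line(line):
    """Classify one log line.

    Returns ('json', dict) for an outpost JSON line, ('error', dict) for a
    plain-text result-code error, or None for anything else (blank, unparseable).
    """
    line = line.strip()
    if not line:
        return None
    if line.startswith('{'):
        try:
            return ('json', json.loads(line))
        except json.JSONDecodeError:
            return None
    m = ERR_RE.search(line)
    if m:
        return ('error', {'code': int(m.group(1)),
                          'name': m.group(2),
                          'detail': (m.group(3) or '').strip()})
    return None


def analyse(log_text):
    """Aggregate per-bindDN event counts and collect result-code errors.

    A DN with Bind requests but no Search requests is listed under 'suspects':
    it authenticated, but the outpost never served a search for it, which is
    what an insufficient-access bind looks like in the outpost log.
    """
    per_dn = defaultdict(lambda: {'bind': 0, 'search': 0, 'session': 0})
    errors = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, rec = parsed
        if kind == 'error':
            errors.append(rec)
            continue
        dn = rec.get('bindDN')
        if not dn:
            continue
        stats = per_dn[dn.lower()]  # DNs are case-insensitive; normalise for grouping
        event = rec.get('event', '')
        if event == 'Bind request':
            stats['bind'] += 1
        elif event == 'Search request':
            stats['search'] += 1
        elif event == 'authenticated from session':
            stats['session'] += 1
    suspects = sorted(dn for dn, s in per_dn.items() if s['bind'] and not s['search'])
    return {'per_dn': dict(per_dn), 'errors': errors, 'suspects': suspects}


def report(result):
    """Render analyse() output as plain text for an operator."""
    lines = []
    for dn, s in sorted(result['per_dn'].items()):
        lines.append(f"{dn}: bind={s['bind']} search={s['search']} session-auth={s['session']}")
    for err in result['errors']:
        lines.append(f"result code {err['code']} ({err['name']}): {err['detail']}")
    for dn in result['suspects']:
        lines.append(f"SUSPECT: {dn} bound but never searched; check the application's "
                     f"access (policy/group binding) for this account, and if binds are "
                     f"served 'from session' consider restarting the outpost")
    return "\n".join(lines)


if __name__ == '__main__':
    print(report(analyse(SAMPLE_LOG)))
```

Feed it the outpost container's log (`docker logs` output) instead of `SAMPLE_LOG` to get the same summary for a live deployment; the plain-text error branch also catches the "Anonymous BindDN not allowed" message Svenum quotes earlier in the thread.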
Mailstorm-ctrl commented 11 months ago

Yup, same issue. When I first set up the outpost and applications everything works fine. Then several minutes later... it just starts to fail. So I made the LDAP flow as described in the docs, which did not help. After creating that flow and assigning it I still get insufficient access. If I bind the flow to the user I'm testing with, I get invalid credentials.

Haven't tried remaking everything but I don't believe that's a valid solution as that implies there's a deeper root issue that should be resolved first.

samumatic commented 10 months ago

Same here, it worked first, and then "Connect (Success); Bind: Insufficient Access Rights", after I changed nothing. Got it working now after adding the group to the application.