Closed alyxto closed 2 months ago
theS1LV3R
commented
1 year ago Can reproduce. Had been working fine for a month or so until it just stopped working without me having made any changes (that I can remember at least).
Configuration is exact same as following https://goauthentik.io/docs/providers/ldap/generic_setup.
Using version 2023.8.2
Full debug log from moment ldap bind was attempted (spaced by equal blocks to make it easier to read):
authentik-automation[bot]
commented
10 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
alyxto
commented
10 months ago Stale bots are the fucking worst!
authentik-automation[bot]
commented
8 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
alyxto
commented
8 months ago I don't even know why I keep this issue open anymore. Migrated away from authentik a while ago because of that.
But still annoyed by the stale bot. Just because you didn't fix the issue doesn't mean it's not a issue anymore! FU Stale bot!
theS1LV3R
commented
8 months ago I completely nuked everything I had of my LDAP setup (removed users, groups, integration, etc) and re-configured it, and it somehow worked, so I have no idea what was wrong, considering it was the exact same configuration as before
authentik-automation[bot]
commented
6 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
alyxto
commented
6 months ago This issue has been automatically marked as active because it has not received any developer attention yet.
TomKooiman
commented
6 months ago I would also like to bump this issue. Im running into the same problem with the default setup.
These are the trace logs the LDAP outpost gives:
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:26Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:26Z","type":"native"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2024-03-21T22:43:27Z"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:27Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:27Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:27Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:28Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:28Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:28Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","error":"exceeded stage recursion depth","event":"failed to execute flow","level":"warning","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z"}This is what the server logs:
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "b66eaccd86b9449f91e04101268d42ee", "runtime": 131, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:58.194374", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "55063059403d4d74b321670304810e4e", "runtime": 101, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:58.338275", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "116ad2f33b674905bd24706390c4b4cf", "runtime": 125, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:58.508842", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "8d7a1d18119e4896852522762ecdc2df", "runtime": 118, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:58.669960", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "91ec6ba390684611af167bb982210465", "runtime": 134, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:58.853351", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "828e0c5bbb4442dc8d96a7bbca989259", "runtime": 106, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:59.005995", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "409553011d5a422e879f001d8f15551a", "runtime": 141, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:59.193902", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "b0340c930f714721853d1d2a3435922c", "runtime": 110, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:59.353949", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "380615e293aa4998becf3717d5dbf137", "runtime": 124, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:59.522827", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "3fb6f209eb004f4cac62101511172afb", "runtime": 98, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:59.664325", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "a9b8c755ae934a7f9338eddf9c5cb310", "runtime": 137, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:59.844247", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "b6324cfef3b24e52824f54e2c46d1836", "runtime": 115, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.004946", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "e4a45a50bd244c39b6a8eeb9142e8444", "runtime": 125, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:00.175906", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "feb7c823637b4cd5aa1de3d5cc08efb2", "runtime": 106, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.325987", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "13d0c4f3702144b68a210f35ac63f02e", "runtime": 132, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:00.505185", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "401ac0781e1f4a25b4c4a4df18e53c04", "runtime": 105, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.656841", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "b65dae188ad94a7c925de40ab040c6b4", "runtime": 130, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:00.829910", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "5366f4c709cd409eb2aa6d03a6648b4d", "runtime": 107, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.984233", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "8c05cfc00b8c45aba559500e4747e85c", "runtime": 131, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:01.162275", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "662984790853462fac2690effd9c778a", "runtime": 108, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:01.315316", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "1be976c8d0d64678a9e7c191a2be9ff4", "runtime": 131, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:01.497481", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}@theS1LV3R Would you be willing to share parts of your LDAP setup? Maybe I could find some discrepancies in my own setup. I'm at my wits end with this issue.
If the devs would what any extra info. Feel free to ask.
theS1LV3R
commented
5 months ago Apologies for the slow response;
I have set up the LDAP outpost with the following docker-compose service:
ldap_outpost:
image: ghcr.io/goauthentik/ldap:$_AUTHENTIK_TAG
container_name: authentik_ldap_outpost
restart: unless-stopped
ports:
- 127.0.0.1:3389:3389
- 127.0.0.1:6636:6636
environment:
AUTHENTIK_HOST: https://authentik.example.com
AUTHENTIK_TOKEN: verylongkeygottenfromwebuiIn the web-ui I created a new outpost:
jellyfin_ldapMy jellyfin_ldap provider is configured with both direct binding and querying, and uses the ldap-authentication-flow flow. No MFA support. I have a dedicated ldap_bind_group as Search Group. Under Protocol settings, Base DN is set to the default (DC=ldap,DC=goauthentik,DC=io). Changing this used to work fine, haven't tried again since I re-setup everything.
My ldap-authentication-flow is collapsed below (UUIDs have been edited just to make them easier to read).
ldap-authentication-flow.yml
The bind user is:
ldap_bind_userThe user is added to the ldap_bind_group as described above, as well as password set using the Set password button.
In Jellyfin, the LDAP plugin is configured as following:
cn=ldap_bind_user,ou=users,DC=ldap,DC=goauthentik,DC=ioUsing these settings login to Jellyfin works as supposed. Let me know if there are any missing details.
TomKooiman
commented
5 months ago Thanks for sharing @theS1LV3R. No worries im late too.
Quick question. Do you connect the LDAP outpost via a docker network with the internal docker DNS name or do you connect to the outside? I have been testing again a bit and when I connect from my local PC to my server over a FQDN then it works, but when I connect to with LDAP outpost and the server on the same machine and try to connect the two within a docker bridge network I get this error. So the server configuration is clearly fine.
Weirdly enough when I tried the exact same setup on my local machine in WSL it did work. The only difference between my machine and my server is that the server runs Debian 12 and my WSL is Ubuntu 22.04. I cant imagine that makes a difference but yet here we are.
gassssss
commented
5 months ago Quick question. Do you connect the LDAP outpost via a docker network with the internal docker DNS name or do you connect to the outside? I have been testing again a bit and when I connect from my local PC to my server over a FQDN then it works, but when I connect to with LDAP outpost and the server on the same machine and try to connect the two within a docker bridge network I get this error. So the server configuration is clearly fine.
Same behavior on my docker setup
theS1LV3R
commented
4 months ago Quick question. Do you connect the LDAP outpost via a docker network with the internal docker DNS name or do you connect to the outside?
The AUTHENTIK_HOST env var on the LDAP outpost is set to the external DNS name, so that connection goes outside of docker I believe.
Weirdly enough when I tried the exact same setup on my local machine in WSL it did work. The only difference between my machine and my server is that the server runs Debian 12 and my WSL is Ubuntu 22.04. I cant imagine that makes a difference but yet here we are.
WSLs network stack is very weird due to it being WSL, and that includes Docker unfortunately. So there could be a ton of other hidden differences.
authentik-automation[bot]
commented
2 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Describe the bug When I try to authenticate against the LDAP outpost, I get a "Invalid credentials (49)" response, even tho the credentials are valid. The outpost ist self shows the error "exceeded stage recursion depth".
To Reproduce ldapsearch -x -b "DC=auth,DC=example,DC=com" -H ldap://auth.example.com -D "cn=ldap,ou=users,DC=auth,DC=example,DC=com" -w 'REDACTED'
Expected behavior Not crashing
Logs authentik-ldap | {"bindDN":"cn=ldap,ou=users,dc=auth,dc=example,dc=com","client":"2a01:4f8:xxxx:xxxx::1","error":"exceeded stage recursion depth","event":"failed to execute flow","level":"warning","requestId":"3027187c-XXXX-XXXX-XXXX-XXXX","timestamp":"2023-08-10T08:28:44Z"} authentik-ldap | {"bindDN":"cn=ldap,ou=users,dc=auth,dc=example,dc=com","client":"2a01:4f8:xxxx:xxxx::1","event":"Bind request","level":"info","requestId":"3027187c-XXXX-XXXX-XXXX-XXXX","timestamp":"2023-08-10T08:28:44Z","took-ms":13687}
Version and Deployment (please complete the following information):