Closed alyxto closed 2 months ago
Can reproduce. Had been working fine for a month or so until it just stopped working without me having made any changes (that I can remember at least).
Configuration is exact same as following https://goauthentik.io/docs/providers/ldap/generic_setup.
Using version 2023.8.2
Full debug log from moment ldap bind was attempted (spaced by equal blocks to make it easier to read):
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Stale bots are the fucking worst!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I don't even know why I keep this issue open anymore. Migrated away from authentik a while ago because of that.
But still annoyed by the stale bot. Just because you didn't fix the issue doesn't mean it's not an issue anymore! FU Stale bot!
I completely nuked everything I had of my LDAP setup (removed users, groups, integration, etc.) and re-configured it, and it somehow worked, so I have no idea what was wrong, considering it was the exact same configuration as before.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as active because it has not received any developer attention yet.
I would also like to bump this issue. I'm running into the same problem with the default setup.
These are the trace logs the LDAP outpost gives:
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:26Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:26Z","type":"native"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2024-03-21T22:43:27Z"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:27Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:27Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:27Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:28Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:28Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:28Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","component":"ak-stage-identification","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z","type":"native"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.25.0.1","error":"exceeded stage recursion depth","event":"failed to execute flow","level":"warning","requestId":"a0ddbdfc-2494-4d5b-939f-6895474eb69a","timestamp":"2024-03-21T22:43:29Z"}
This is what the server logs:
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "b66eaccd86b9449f91e04101268d42ee", "runtime": 131, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:58.194374", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "55063059403d4d74b321670304810e4e", "runtime": 101, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:58.338275", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "116ad2f33b674905bd24706390c4b4cf", "runtime": 125, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:58.508842", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "8d7a1d18119e4896852522762ecdc2df", "runtime": 118, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:58.669960", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "91ec6ba390684611af167bb982210465", "runtime": 134, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:58.853351", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "828e0c5bbb4442dc8d96a7bbca989259", "runtime": 106, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:59.005995", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "409553011d5a422e879f001d8f15551a", "runtime": 141, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:59.193902", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "b0340c930f714721853d1d2a3435922c", "runtime": 110, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:59.353949", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "380615e293aa4998becf3717d5dbf137", "runtime": 124, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:59.522827", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "3fb6f209eb004f4cac62101511172afb", "runtime": 98, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:50:59.664325", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "a9b8c755ae934a7f9338eddf9c5cb310", "runtime": 137, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:50:59.844247", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "b6324cfef3b24e52824f54e2c46d1836", "runtime": 115, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.004946", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "e4a45a50bd244c39b6a8eeb9142e8444", "runtime": 125, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:00.175906", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "feb7c823637b4cd5aa1de3d5cc08efb2", "runtime": 106, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.325987", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "13d0c4f3702144b68a210f35ac63f02e", "runtime": 132, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:00.505185", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "401ac0781e1f4a25b4c4a4df18e53c04", "runtime": 105, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.656841", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "b65dae188ad94a7c925de40ab040c6b4", "runtime": 130, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:00.829910", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "5366f4c709cd409eb2aa6d03a6648b4d", "runtime": 107, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:00.984233", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "8c05cfc00b8c45aba559500e4747e85c", "runtime": 131, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:01.162275", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 57, "remote": "172.25.0.1", "request_id": "662984790853462fac2690effd9c778a", "runtime": 108, "schema_name": "public", "scheme": "http", "status": 302, "timestamp": "2024-03-21T22:51:01.315316", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
{"auth_via": "unauthenticated", "domain_url": "authentik", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "authentik:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 57, "remote": "172.25.0.1", "request_id": "1be976c8d0d64678a9e7c191a2be9ff4", "runtime": 131, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-03-21T22:51:01.497481", "user": "", "user_agent": "goauthentik.io/outpost/2024.2.2"}
@theS1LV3R Would you be willing to share parts of your LDAP setup? Maybe I could find some discrepancies in my own setup. I'm at my wit's end with this issue.
If the devs want any extra info, feel free to ask.
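A small triage script for the outpost trace log format quoted in this comment, added here as an example and not code from the thread or from authentik: it groups lines by requestId, counts how many times the flow answered the same stage, and reports which bind ended with "exceeded stage recursion depth". The sample lines are constructed to mimic the log above (requestId values are placeholders), and the loop threshold of three responses is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample lines modelled on the outpost trace log quoted above
# (not copied from it): one challenge, repeated responses from the same
# stage, then the recursion-depth failure; plus one bind that completes.
OUTPOST_LOG = """\
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","component":"ak-stage-identification","event":"Got challenge","level":"debug","requestId":"req-1"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","component":"ak-stage-identification","event":"Got response","level":"debug","requestId":"req-1"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","component":"ak-stage-identification","event":"Got response","level":"debug","requestId":"req-1"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","component":"ak-stage-identification","event":"Got response","level":"debug","requestId":"req-1"}
{"bindDN":"cn=test,ou=users,dc=ldap,dc=goauthentik,dc=io","error":"exceeded stage recursion depth","event":"failed to execute flow","level":"warning","requestId":"req-1"}
{"bindDN":"cn=ok,ou=users,dc=ldap,dc=goauthentik,dc=io","component":"ak-stage-identification","event":"Got challenge","level":"debug","requestId":"req-2"}
{"bindDN":"cn=ok,ou=users,dc=ldap,dc=goauthentik,dc=io","component":"ak-stage-identification","event":"Got response","level":"debug","requestId":"req-2"}
{"bindDN":"cn=ok,ou=users,dc=ldap,dc=goauthentik,dc=io","event":"Bind request","level":"info","requestId":"req-2","took-ms":120}
"""


def parse_lines(log_text):
    """Yield one dict per JSON log line, skipping blank or non-JSON noise."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def summarize_binds(log_text, loop_threshold=3):
    """Group outpost log lines by requestId and flag binds whose flow kept
    answering the same stage: many 'Got response' events from a single
    component is the pattern that precedes 'exceeded stage recursion depth'."""
    per_request = defaultdict(lambda: {"bindDN": None, "stages": set(),
                                       "responses": 0, "error": None})
    for rec in parse_lines(log_text):
        rid = rec.get("requestId")
        if rid is None:        # e.g. the ws-health "hello'd" heartbeat
            continue
        e = per_request[rid]
        e["bindDN"] = rec.get("bindDN", e["bindDN"])
        if rec.get("event") == "Got response":
            e["responses"] += 1
        if "component" in rec:
            e["stages"].add(rec["component"])
        if rec.get("error"):
            e["error"] = rec["error"]
    findings = []
    for rid, e in per_request.items():
        # A loop means the same single stage answered repeatedly (threshold assumed).
        looping = e["responses"] >= loop_threshold and len(e["stages"]) == 1
        if e["error"]:
            verdict = "failed"
        elif looping:
            verdict = "looping"
        else:
            verdict = "ok"
        findings.append({"requestId": rid, "bindDN": e["bindDN"],
                         "responses": e["responses"], "error": e["error"],
                         "stuck_stage": next(iter(e["stages"])) if looping else None,
                         "verdict": verdict})
    return findings
```

Run it against a captured container log (`docker logs` of the outpost) to see which bind DNs loop before the outpost gives up with "Invalid credentials".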
Apologies for the slow response;
I have set up the LDAP outpost with the following docker-compose service:
  ldap_outpost:
    image: ghcr.io/goauthentik/ldap:$_AUTHENTIK_TAG
    container_name: authentik_ldap_outpost
    restart: unless-stopped
    ports:
      - 127.0.0.1:3389:3389
      - 127.0.0.1:6636:6636
    environment:
      AUTHENTIK_HOST: https://authentik.example.com
      AUTHENTIK_TOKEN: verylongkeygottenfromwebui
In the web UI I created a new outpost: jellyfin_ldap. My jellyfin_ldap provider is configured with both direct binding and querying, and uses the ldap-authentication-flow flow. No MFA support. I have a dedicated ldap_bind_group as Search Group. Under Protocol settings, Base DN is set to the default (DC=ldap,DC=goauthentik,DC=io). Changing this used to work fine; I haven't tried again since I re-set up everything.
My ldap-authentication-flow is collapsed below (UUIDs have been edited just to make them easier to read).
ldap-authentication-flow.yml
The bind user is ldap_bind_user. The user is added to the ldap_bind_group as described above, with the password set using the Set password button.
In Jellyfin, the LDAP plugin is configured as follows:
cn=ldap_bind_user,ou=users,DC=ldap,DC=goauthentik,DC=io
Using these settings, login to Jellyfin works as it's supposed to. Let me know if there are any missing details.
Thanks for sharing @theS1LV3R. No worries, I'm late too.
Quick question. Do you connect the LDAP outpost via a docker network with the internal docker DNS name or do you connect to the outside? I have been testing again a bit and when I connect from my local PC to my server over a FQDN then it works, but when I run the LDAP outpost and the server on the same machine and try to connect the two within a docker bridge network I get this error. So the server configuration is clearly fine.
Weirdly enough when I tried the exact same setup on my local machine in WSL it did work. The only difference between my machine and my server is that the server runs Debian 12 and my WSL is Ubuntu 22.04. I can't imagine that makes a difference but yet here we are.
> Quick question. Do you connect the LDAP outpost via a docker network with the internal docker DNS name or do you connect to the outside? I have been testing again a bit and when I connect from my local PC to my server over a FQDN then it works, but when I run the LDAP outpost and the server on the same machine and try to connect the two within a docker bridge network I get this error. So the server configuration is clearly fine.

Same behavior on my docker setup
> Quick question. Do you connect the LDAP outpost via a docker network with the internal docker DNS name or do you connect to the outside?

The AUTHENTIK_HOST env var on the LDAP outpost is set to the external DNS name, so that connection goes outside of docker I believe.

> Weirdly enough when I tried the exact same setup on my local machine in WSL it did work. The only difference between my machine and my server is that the server runs Debian 12 and my WSL is Ubuntu 22.04. I can't imagine that makes a difference but yet here we are.

WSL's network stack is very weird due to it being WSL, and that includes Docker unfortunately. So there could be a ton of other hidden differences.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Describe the bug
When I try to authenticate against the LDAP outpost, I get an "Invalid credentials (49)" response, even though the credentials are valid. The outpost itself shows the error "exceeded stage recursion depth".
To Reproduce
ldapsearch -x -b "DC=auth,DC=example,DC=com" -H ldap://auth.example.com -D "cn=ldap,ou=users,DC=auth,DC=example,DC=com" -w 'REDACTED'
Expected behavior
Not crashing
Logs
authentik-ldap | {"bindDN":"cn=ldap,ou=users,dc=auth,dc=example,dc=com","client":"2a01:4f8:xxxx:xxxx::1","error":"exceeded stage recursion depth","event":"failed to execute flow","level":"warning","requestId":"3027187c-XXXX-XXXX-XXXX-XXXX","timestamp":"2023-08-10T08:28:44Z"}
authentik-ldap | {"bindDN":"cn=ldap,ou=users,dc=auth,dc=example,dc=com","client":"2a01:4f8:xxxx:xxxx::1","event":"Bind request","level":"info","requestId":"3027187c-XXXX-XXXX-XXXX-XXXX","timestamp":"2023-08-10T08:28:44Z","took-ms":13687}
Version and Deployment (please complete the following information):