goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP search seems to only return the user performing the search #8556

Closed kaylee-98 closed 1 day ago

kaylee-98 commented 7 months ago

Describe your question/ I want to use Authentik as an LDAP provider. I followed to the letter the instructions provided in the documentation. However while testing this, I ran

ldapsearch -x -H ldap://localhost -D "cn=bind-user,ou=users,DC=ldap,DC=authentik,DC=company" -b "DC=ldap,DC=authentik,DC=company" '(objectClass=user)' -W

Which I expected would give me information about all the users on the system. However, it returns only the user information for bind-user itself. (Yes, bind-user is a member of the search group).

Relevant infos I'm using the latest version. It's also probably pertinent to point out that authentication for other users appears to work fine. It just won't provide a listing. I've tried various things, but to be honest I only vaguely understand LDAP so I didn't get far. My assumption is that this is something I am doing wrong, rather than some kind of bug, and I'm only posting here in the hope that someone might be able to help me find the right track.

Logs Nothing appears in the logs at all actually.

Version and Deployment (please complete the following information):

Thank you :)

MaximalCats commented 5 months ago

+1 having the same issue here, anybody figure this out?

0xNIEI commented 4 months ago

Yep, also have the same issue when trying to integrate LDAP with CheckMK. Only seeing LDAP Bind User and Group. Nothing else.

kusold commented 4 months ago

I don't understand why, but your LDAP Service User needs to be added to group authentik Users.

0xNIEI commented 4 months ago

I added the ldapservice user to my 'users' (I renamed the group from authentik Users to users) group. Still doesn't work.

NicholasFeldman commented 2 months ago

I just ran into this too, you need to edit your LDAP Provider to add a search group of users who can do searches.


aep commented 2 months ago

> I just ran into this too, you need to edit your LDAP Provider to add a search group of users who can do searches.

Exactly, that's what I was missing. I think that should be a screenshot in the docs. Someone care for a PR?

BeryJu commented 2 months ago

As said above, the search group is required for a user to be able to view all users in LDAP. I thought we had mentioned this in the docs more clearly but we did not.

authentik-automation[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
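Added example, not part of the original thread and not authentik's own code: a Python check that reads ldapsearch LDIF output and reports whether the bind account got back only its own entry (the symptom in the question, which the replies attribute to the bind user not being in the LDAP provider's search group) or a wider listing. The sample LDIF and the user alice are constructed, and the DN comparison is a simplification.

```python
import base64
import sys

# Bind DN from the question; the LDIF samples below are constructed for illustration.
BIND_DN = "cn=bind-user,ou=users,DC=ldap,DC=authentik,DC=company"
SAMPLE_SELF_ONLY = (
    "dn: cn=bind-user,ou=users,dc=ldap,dc=authentik,dc=company\n"
    "objectClass: user\n"
)
SAMPLE_LISTING = SAMPLE_SELF_ONLY + (
    "\n"
    "dn: cn=alice,ou=users,dc=ldap,dc=authe\n"
    " ntik,dc=company\n"  # folded line: the continuation starts with one space
    "objectClass: user\n"
)

def parse_ldif_dns(ldif_text):
    """Return the DN of every entry in ldapsearch LDIF output."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped line
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn:: "):  # base64-encoded DN (non-ASCII characters)
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def normalize_dn(dn):
    """Lower-case and trim each RDN; a simplification that ignores escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def classify_search(ldif_text, bind_dn):
    """Return 'empty', 'self-only' (only the bind DN came back) or 'listing'."""
    seen = {normalize_dn(dn) for dn in parse_ldif_dns(ldif_text)}
    if not seen:
        return "empty"
    return "self-only" if seen == {normalize_dn(bind_dn)} else "listing"

if __name__ == "__main__":
    # With a bind DN argument, classify LDIF piped in on stdin; otherwise use the sample.
    ldif = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_SELF_ONLY
    print(classify_search(ldif, sys.argv[1] if len(sys.argv) > 1 else BIND_DN))
```

Pipe the output of the ldapsearch command from the question into the script, passing the bind DN as the argument. The result also serves as an access check: a service account that is meant to authenticate only should come back as "self-only".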