Closed foux closed 7 months ago
Please include the logs of the ldap outpost container
Sorry about that, here they are:
{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2024-04-25T10:08:29Z"}
{"event":"Loaded config from environment","level":"debug","timestamp":"2024-04-25T10:08:29Z"}
{"event":"not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.","level":"info","logger":"authentik.go_debugger","timestamp":"2024-04-25T10:08:29Z"}
{"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"2ffad1f6-868d-4b84-9a45-8cb98c3bb75a","timestamp":"2024-04-25T10:08:29Z"}
{"event":"Fetching certificate and private key","level":"info","logger":"authentik.outpost.cryptostore","timestamp":"2024-04-25T10:08:29Z","uuid":"d1ddf53b-fcee-40ad-a732-a4f907ac866e"}
{"event":"initialised direct binder","level":"info","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2024-04-25T10:08:29Z"}
{"event":"initialised direct binder","level":"info","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2024-04-25T10:08:30Z"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-04-25T10:08:30Z"}
{"event":"Starting Metrics server","level":"info","listen":"0.0.0.0:9300","logger":"authentik.outpost.metrics","timestamp":"2024-04-25T10:08:30Z"}
{"event":"Starting LDAP SSL server","level":"info","listen":"0.0.0.0:6636","logger":"authentik.outpost.ldap","timestamp":"2024-04-25T10:08:30Z"}
{"event":"Starting LDAP server","level":"info","listen":"0.0.0.0:3389","logger":"authentik.outpost.ldap","timestamp":"2024-04-25T10:08:30Z"}
{"event":"Starting authentik outpost","hash":"tagged","level":"info","logger":"authentik.outpost","timestamp":"2024-04-25T10:08:30Z","version":"2024.4.0"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-04-25T10:08:30Z"}
{"error":"interface conversion: *api.FlowErrorChallenge is not flow.challengeInt: missing method GetType","event":"recover in bind request","level":"error","timestamp":"2024-04-25T10:09:05Z"}
{"bindDN":"cn=ldap_bind,ou=users,dc=opds,dc=payet,dc=io","client":"192.168.10.1","event":"Bind request","level":"info","requestId":"d3d68701-01d6-4e59-be0e-90f032c71090","timestamp":"2024-04-25T10:09:05Z","took-ms":98}
{"attributes":[],"baseDN":"DC=opds,DC=payet,DC=io","bindDN":"cn=ldap_bind,ou=users,dc=opds,dc=payet,dc=io","client":"192.168.10.1","event":"Search request","filter":"(&(cn=foux))","level":"info","requestId":"2bf2ebed-6e9c-441f-8be0-340547a8cddd","scope":"Whole Subtree","timestamp":"2024-04-25T10:09:05Z","took-ms":0}
2024/04/25 10:09:05 handleSearchRequest error LDAP Result Code 50 "Insufficient Access Rights": access denied
I guess the error is this line {"error":"interface conversion: *api.FlowErrorChallenge is not flow.challengeInt: missing method GetType","event":"recover in bind request","level":"error","timestamp":"2024-04-25T10:09:05Z"}
but I don't really get what it means
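A log triage sketch for the failure pattern in the log above, added here as an example and not part of the thread or of authentik: it pairs each "recover in bind request" line with the LDAP result errors that follow it within a short window. The function names, the 5-second window and the assumption that both timestamp formats share one time zone are assumptions of this example; the sample lines are abridged from the posted log.

```python
import json
import re
from datetime import datetime, timedelta

# Sample lines abridged from the outpost log posted above (some fields trimmed).
SAMPLE = """\
{"event":"Starting LDAP server","level":"info","listen":"0.0.0.0:3389","timestamp":"2024-04-25T10:08:30Z"}
{"error":"interface conversion: *api.FlowErrorChallenge is not flow.challengeInt: missing method GetType","event":"recover in bind request","level":"error","timestamp":"2024-04-25T10:09:05Z"}
{"bindDN":"cn=ldap_bind,ou=users,dc=opds,dc=payet,dc=io","client":"192.168.10.1","event":"Bind request","level":"info","timestamp":"2024-04-25T10:09:05Z","took-ms":98}
{"bindDN":"cn=ldap_bind,ou=users,dc=opds,dc=payet,dc=io","client":"192.168.10.1","event":"Search request","filter":"(&(cn=foux))","level":"info","timestamp":"2024-04-25T10:09:05Z","took-ms":0}
2024/04/25 10:09:05 handleSearchRequest error LDAP Result Code 50 "Insufficient Access Rights": access denied
"""

# Plain (non-JSON) lines carry the LDAP result code; assumed to be in the same time zone.
PLAIN = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) .*LDAP Result Code (\d+) "([^"]+)"')

def parse(line):
    """Return (timestamp, kind, detail) for lines relevant to triage, else None."""
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            return None  # malformed JSON or unexpected timestamp: skip the line
        if rec.get("event") == "recover in bind request":
            return ts, "bind_panic", rec.get("error", "")
        if rec.get("event") in ("Bind request", "Search request"):
            return ts, "request", rec.get("bindDN", "")
        return None
    m = PLAIN.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), "ldap_error", f"{m.group(2)} {m.group(3)}"
    return None

def triage(text, window=timedelta(seconds=5)):
    """Pair each recovered bind panic with nearby bind DNs and the LDAP errors that follow it."""
    events = [e for e in map(parse, text.splitlines()) if e]
    findings = []
    for ts, kind, detail in events:
        if kind != "bind_panic":
            continue
        denied = [d for t, k, d in events if k == "ldap_error" and timedelta(0) <= t - ts <= window]
        dns = sorted({d for t, k, d in events if k == "request" and d and abs(t - ts) <= window})
        findings.append({"time": ts.isoformat(), "panic": detail, "bind_dns": dns, "denied": denied})
    return findings
```

Calling `triage(SAMPLE)` returns one finding linking the recovered bind panic to the service account's bind DN and the result code 50 that followed.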
I think this might be indirectly caused by https://github.com/goauthentik/authentik/issues/9402 or https://github.com/goauthentik/authentik/issues/9408. Which sources do you have configured in your login flow?
Built-in, Google, Plex and Mailcow. But just FYI, I only have an issue with LDAP logins. OAuth and Proxy work like a charm (with the same sources + 2FA, which is disabled on LDAP for obvious reasons)
Plex also causes the issue, so if the authentication flow that you're using for LDAP also has the Plex source in its identification stage, that'll also error
Thanks, I'll go back to 2024.4 and disable Plex and report here
You're absolutely right @BeryJu, it works when disabling Plex. Thanks
Closing this one as the issue is already merged. Thanks again @BeryJu
Describe the bug Hello, since switching to 2024.4.0, every LDAP connection attempt fails with the error
error LDAP Result Code 50 "Insufficient Access Rights"
in the LDAP container. After switching back to 2024.2.3, the LDAP login starts working again. If the worker and server containers are on 2024.4.0 and the LDAP container is on 2024.2.3, it works
To Reproduce Steps to reproduce the behavior:
Expected behavior The authentication should work
Version and Deployment (please complete the following information):