smhaller / ldap-overleaf-sl

Free LDAP and OAuth2 Authentication and Authorisation for Sharelatex / Overleaf (Community Edition)
GNU Affero General Public License v3.0
67 stars 32 forks

Error: The target object cannot be found. Code: 0x20 #41

Closed tsukky67 closed 8 months ago

tsukky67 commented 9 months ago

I tried to do LDAP authentication but could not resolve the following error. Other services are working with the same credentials (e.g. QNAP NAS).

docker exec ldap-overleaf-sl cat /var/log/sharelatex/web.log
Set UV_THREADPOOL_SIZE=16
ENABLE_TRACE_AGENT set to undefined
ENABLE_DEBUG_AGENT set to undefined
ENABLE_PROFILE_AGENT set to undefined
Using default settings from /overleaf/services/web/config/settings.defaults.js
Using settings from /etc/sharelatex/settings.js
(node:172) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
An Error occured while getting user data during ldapsearch: Error: The target object cannot be found. Code: 0x20

My docker-compose.yaml is as follows (* replaces secret values).

cat docker-compose.yml
version: "2.2"
services:
  sharelatex:
    restart: always
    image: ldap-overleaf-sl
    container_name: ldap-overleaf-sl
    depends_on:
      mongo:
        condition: service_healthy
      redis:
        condition: service_healthy
    privileged: false
    ports:
      - 80:80
    links:
      - mongo
      - redis
    volumes:
      - ${MYDATA}/sharelatex:/var/lib/sharelatex
      - ${MYDATA}/letsencrypt:/etc/letsencrypt
      - ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
    environment:
      SHARELATEX_APP_NAME: Overleaf
      SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
      SHARELATEX_SITE_URL: https://${MYDOMAIN}
      SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
      #SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
      SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
      SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]'
      SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
      SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
      # SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
      # SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
      SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
      SHARELATEX_EMAIL_SMTP_PORT: 587
      SHARELATEX_EMAIL_SMTP_SECURE: "false"
      # SHARELATEX_EMAIL_SMTP_USER:
      # SHARELATEX_EMAIL_SMTP_PASS:
      # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
      # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
      SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."

      # make public links accessible w/o login (link sharing issue)
      # https://github.com/overleaf/docker-image/issues/66
      # https://github.com/overleaf/overleaf/issues/628
      # https://github.com/overleaf/web/issues/367
      # Fixed in 2.0.2 (Release date: 2019-11-26)
      SHARELATEX_ALLOW_PUBLIC_ACCESS: "true"
      SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: "true"

      # Uncomment the following line to enable secure cookies if you are using SSL
      # SHARELATEX_SECURE_COOKIE: "true"
      # SHARELATEX_BEHIND_PROXY: "true"

      LDAP_SERVER: ldaps://**.jp:636
      LDAP_BASE: dc=*,dc=*,dc=*,dc=*,dc=*

      ### There are two ways to get users from the ldap server

      ## NO LDAP BIND USER:
      # Tries directly to bind with the login user (as uid)
      LDAP_BINDDN: uid=%u,ou=people,dc=*,dc=*,dc=*,dc=*,dc=*

      ## Or you can use a global LDAP_BIND_USER
      LDAP_BIND_USER: cn=readopnly,dc=*,dc=*,dc=*,dc=*,dc=*
      LDAP_BIND_PW: *

      # Only allow users matching LDAP_USER_FILTER
      LDAP_USER_FILTER: "(memberof=cn=*,ou=*,dc=*,dc=*,dc=*,dc=*,dc=*)"

      # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
      # Admin Users can invite external (non ldap) users. This feature makes only sense
      # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
      # system wide messages.
      LDAP_ADMIN_GROUP_FILTER: "(memberof=cn=root,ou=*,dc=*,dc=*,dc=*,dc=*,dc=*)"
      ALLOW_EMAIL_LOGIN: "true"

      # All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
      LDAP_CONTACT_FILTER: "(objectClass=person)"
      LDAP_CONTACTS: "false"

      ## OAuth2 Settings
      # OAUTH2_ENABLED: "true"
      # OAUTH2_PROVIDER: YOUR_OAUTH2_PROVIDER
      # OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
      # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
      # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
      # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
      # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
      # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
      # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
      # OAUTH2_USER_ATTR_EMAIL: email
      # OAUTH2_USER_ATTR_UID: id
      # OAUTH2_USER_ATTR_FIRSTNAME: name
      # OAUTH2_USER_ATTR_LASTNAME:
      # OAUTH2_USER_ATTR_IS_ADMIN: site_admin

      # Same property, unfortunately with different names in
      # different locations
      SHARELATEX_REDIS_HOST: redis
      REDIS_HOST: redis
      REDIS_PORT: 6379

      ENABLED_LINKED_FILE_TYPES: "url,project_file"

      # Enables Thumbnail generation using ImageMagick
      ENABLE_CONVERSIONS: "true"

  mongo:
    restart: always
    image: mongo:4.4
    container_name: mongo
    expose:
      - 27017
    volumes:
      - ${MYDATA}/mongo_data:/data/db
    healthcheck:
      test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
      interval: 10s
      timeout: 10s
      retries: 5
    command: "--replSet overleaf"

  # See also: https://github.com/overleaf/overleaf/issues/1120
  mongoinit:
    image: mongo:4.4
    # this container will exit after executing the command
    restart: "no"
    depends_on:
      mongo:
        condition: service_healthy
    entrypoint:
      [
        "mongo",
        "--host",
        "mongo:27017",
        "--eval",
        'rs.initiate({ _id: "overleaf", members: [ { _id: 0, host: "mongo:27017" } ] })',
      ]

  redis:
    restart: always
    image: redis:6.2
    container_name: redis
    expose:
      - 6379
    volumes:
      - ${MYDATA}/redis_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

yzx9 commented 9 months ago

Based on the prompt, this seems not to be a bug, but rather a case of incorrect configuration.

For instance, in your

LDAP_BIND_USER: cn=readopnly,dc=*,dc=*,dc=*,dc=*,dc=*

the term "readopnly" appears to be a misspelling of "readonly". I would suggest a thorough re-examination of your configuration settings.

tsukky67 commented 9 months ago

It was a simple typo. I probably typed it wrong while changing it several times. However, even after fixing it, it still shows the same behavior as before. In addition, I noticed that requests with different usernames are giving different errors, so I assume that access to the LDAP server is successful.

docker exec ldap-overleaf-sl cat /var/log/sharelatex/web.log
Set UV_THREADPOOL_SIZE=16
ENABLE_TRACE_AGENT set to undefined
ENABLE_DEBUG_AGENT set to undefined
ENABLE_PROFILE_AGENT set to undefined
Using default settings from /overleaf/services/web/config/settings.defaults.js
Using settings from /etc/sharelatex/settings.js
(node:165) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
An Error occured while getting user data during ldapsearch: Error: The target object cannot be found. Code: 0x20 #This is the error problem that is happening.
Could not bind user: uid=text,ou=people,dc=*,dc=*,dc=*,dc=*,dc=* #Behavior when this line is a non-existent user name

tsukky67 commented 9 months ago

After several retries, I believe the problem with my configuration is in the LDAP_USER_FILTER section. The readme says:

LDAP_USER_FILTER: '(&(memberof=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u))'

and the example file says:

LDAP_USER_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"

I have tried several times, referring to both writing styles, but the behavior has not changed. I consider this part important because commenting it out fundamentally makes it not work properly.

I have tried the config

LDAP_USER_FILTER: "objectClass=*"

This is not working.

And I got the error "An Error occured while getting user data during ldapsearch: Error: Invalid attribute name: *" with the config

LDAP_USER_FILTER: "*"

This means that the config for ldapsearch is loaded, but it is probably not working for it. Does anyone have any good ideas?

smhaller commented 9 months ago

I think you should use either:

      ## NO LDAP BIND USER:
      LDAP_BINDDN: uid=%u,ou=people,dc=*,dc=*,dc=*,dc=*,dc=*

OR

      ## Or you can use a global LDAP_BIND_USER
      LDAP_BIND_USER: cn=readonly,dc=*,dc=*,dc=*,dc=*,dc=*
      LDAP_BIND_PW: *

For testing your LDAP_USER_FILTER: you can use e.g.:

ldapsearch

similar to the configuration

ldapsearch -vvvv  -D 'uid=YOURUSERID,ou=people,dc=XXX,dc=XXX,dc=XXX' -b 'dc=XXX,dc=XXX,dc=XXX' -H ldaps://LDAPSERVER.FQDN:636  -W '(|(memberof=cn=GROUPNAME,ou=groups,dc=XXX,dc=XXX,dc=XXX)(memberof=cn=SECONDGROUPNAME,ou=groups,dc=XXX,dc=XXX,dc=XXX))'

where

Note: this filter gives you a list of entries which are in group GROUPNAME or in SECONDGROUPNAME

Config

For the configuration you then normally ask whether the UID is in this result, therefore the string is

'(&(uid=%u)(|(memberof=cn=YYYY,ou=groups,dc=...)(memberof=cn=ZZZ,ou=groups,dc=...)))'

I hope this helps.
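As an added example (not code from ldap-overleaf-sl or from anyone in this thread), the filter shapes discussed above, the README/example forms tsukky67 quoted and the `(&(uid=%u)(|...))` string smhaller suggests, can be escaped, built and syntax-checked in Node.js before they are handed to an LDAP search. It assumes `%u` is the login-name placeholder and that a filter must be a fully parenthesised RFC 4515 expression, which is why the bare `*` and `objectClass=*` variants are flagged; the `dc=example,dc=org` values are constructed placeholders.

```javascript
// Added example, not part of ldap-overleaf-sl: escape, substitute and
// sanity-check an LDAP_USER_FILTER string before it reaches an LDAP search.
// Assumption: %u is the login-name placeholder, as in the README excerpt.

// RFC 4515 escaping for a value substituted into a filter, so a login such as
// "a)(uid=*" cannot widen the search (LDAP filter injection guard).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Build the per-login filter from the configured template.
function buildUserFilter(template, login) {
  return template.replace(/%u/g, escapeFilterValue(login));
}

// Minimal RFC 4515 syntax check: returns {ok: true} or {ok: false, reason}.
// Rejects the two shapes tried in this issue, a bare "*" and "objectClass=*",
// because neither is a parenthesised filter item.
function checkFilter(filter) {
  let pos = 0;
  const fail = (reason) => ({ ok: false, reason: reason + ' at position ' + pos });
  function item() {
    if (filter[pos] !== '(') return fail('expected "("');
    pos++;
    const op = filter[pos];
    if (op === '&' || op === '|' || op === '!') {
      pos++;
      let n = 0;
      while (filter[pos] === '(') { const r = item(); if (!r.ok) return r; n++; }
      if (n === 0 || (op === '!' && n !== 1)) return fail('bad operand count for ' + op);
    } else {
      // attribute description followed by =, ~=, >=, <= or :=
      const m = /^[A-Za-z][A-Za-z0-9.;-]*(?:[~><]?=|:=)/.exec(filter.slice(pos));
      if (!m) return fail('invalid attribute name');
      pos += m[0].length;
      const close = filter.indexOf(')', pos); // a literal ")" in a value must be escaped as \29
      if (close < 0) return fail('unterminated value');
      pos = close;
    }
    if (filter[pos] !== ')') return fail('expected ")"');
    pos++;
    return { ok: true };
  }
  const r = item();
  if (!r.ok) return r;
  return pos === filter.length ? { ok: true } : fail('trailing characters');
}
```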

yzx9 commented 8 months ago

Thank you for your issue. We hope the provided information was helpful to you. This issue will now be closed due to prolonged inactivity. If you have more questions, feel free to reopen it or open a new one.