Problem connecting with LDAP
vylion opened this issue · 10 comments
Describe the bug
I have deployed a Fireshare docker container on my machine, and I have been trying to connect Fireshare to the LDAP provider in Authentik. For some reason, whenever I try to log in with any user I get the following traceback output (in the container logs):
```text
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/fireshare/auth.py", line 17, in auth_user_ldap
    if out[0]:
IndexError: list index out of range
[2023-11-25 00:27:39,766] DEBUG in auth: failure at block1
DEBUG:fireshare:failure at block1
```
I have triple-checked that the credentials and other environment variables are correct; when they aren't, I get an actual error about a connection failure and the container exits.
Trying to do the exact same query and filter with the Linux CLI tool ldapsearch (from the ldap-utils package) does give a single result, so I am not sure what else could be going wrong, and I don't have the time or environment at the moment to clone the repo and debug it myself.
Expected behavior
Being able to log in as a user in the LDAP directory.
Additional context
I'm running the container on a Debian 12 server. The Authentik container is hosted on a different machine (in the same local network), a Raspberry Pi OS 64-bit based on Debian 12.
It would be helpful if you could post your docker environment configuration for Fireshare.
Sorry! I can't believe I forgot about that. Here it is:
```yaml
version: "3"
services:
  fireshare:
    container_name: fireshare
    image: shaneisrael/fireshare:latest
    ports:
      - "80:80"
    volumes:
      - /docker/fireshare/data:/data
      - /docker/fireshare/processed:/processed
      - /docker/fireshare/videos:/videos
    environment:
      - SECRET_KEY=**********************************
      - MINUTES_BETWEEN_VIDEO_SCANS=5
      - PUID=1000
      - PGID=1000
      - LDAP_ENABLE=true
      - LDAP_URL=ldap://192.168.1.135
      - LDAP_BINDDN=cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
      - LDAP_PASSWORD=**************************************************
      - LDAP_BASEDN=dc=ldap,dc=goauthentik,dc=io
      - LDAP_USER_FILTER=(&(|(uid={input})(mail={input}))(objectClass=person))
```
I don't know if this is the cause of the issue or not, but your LDAP_USER_FILTER is incorrect. Please read the docs on that environment variable. You need to replace {input} with your uid and mail string.
I must've misunderstood then. I thought that when trying to log in, the {input} substring was replaced with whatever text the user put in the "Username" box. It shows that way in the debug query log, too. That's the query I matched with ldapsearch.
Does that mean that I must hardcode my LDAP credentials for any person trying to log in? Because I'd rather not do that, it defeats the whole purpose of having an Active Directory.
Edit: some screenshots
> I must've misunderstood then. I thought that when trying to log in, the {input} substring was replaced with whatever text the user put in the "Username" box.
Yes you are correct, I was misreading the doc for it. I was not the one who added LDAP support and since I don't use LDAP myself I am not sure if I am going to be much help. So yeah, please set that back to what you had it set to originally.
Looking at the ldap auth code, it seems like its having trouble with the LDAP_BASEDN. I am unsure if its an issue with the values you set it to or if it is an issue with the fireshare ldap auth itself.
It looks like we had somebody else with a similar issue because they didn't have the memberOf attribute enabled. Which I guess by default it is not enabled. So maybe try and make sure that attribute is enabled in your LDAP setup.
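The following is an added example written for this thread, not Fireshare's own code. It builds the search filter from the LDAP_USER_FILTER template the way the thread describes ({input} replaced by what the user typed in the Username box), escapes that input per RFC 4515 so a value such as `*)(uid=*` cannot rewrite the filter, runs the result against a small in-memory directory with a miniature filter evaluator, returns None on an empty or ambiguous result instead of indexing `out[0]` (the line that raised IndexError in the traceback above), and finishes with the memberOf check the admin-group suggestion relies on. The admin group DN, the sample entries and the in-memory evaluator are assumptions; only uid, mail, objectClass, memberOf and the filter template come from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Template taken from the compose file in this thread; the admin group DN is assumed.
FILTER_TEMPLATE = "(&(|(uid={input})(mail={input}))(objectClass=person))"
ADMIN_GROUP_DN = "cn=fireshare-admins,ou=groups,dc=ldap,dc=goauthentik,dc=io"

Entry = Dict[str, List[str]]

# Constructed sample directory (not real data), laid out like the compose file's base DN.
DIRECTORY: Dict[str, Entry] = {
    "cn=vylion,ou=users,dc=ldap,dc=goauthentik,dc=io": {
        "uid": ["vylion"], "mail": ["vylion@example.org"],
        "objectClass": ["person", "inetOrgPerson"], "memberOf": [ADMIN_GROUP_DN]},
    "cn=alice,ou=users,dc=ldap,dc=goauthentik,dc=io": {
        "uid": ["alice"], "mail": ["alice@example.org"],
        "objectClass": ["person"], "memberOf": []},
    "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io": {
        "uid": ["ldapservice"], "objectClass": ["person"], "memberOf": []},
}

# RFC 4515 escaping: these characters would otherwise change the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, user_input: str) -> str:
    """Substitute {input} with the escaped username, as the login flow should."""
    return template.replace("{input}", escape_filter_value(user_input))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int) -> Tuple[tuple, int]:
    """Minimal recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, children = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        if i >= len(f) or f[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = f.index(")", i)  # a ')' inside a value must arrive escaped as \29
    attr, value = f[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _value_matches(pattern: str, actual: str) -> bool:
    # A bare '*' is a wildcard; an escaped '\2a' becomes a literal asterisk.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _matches(node: tuple, attrs: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, attrs) for c in node[1])
    if op == "|":
        return any(_matches(c, attrs) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], attrs)
    _, attr, value = node
    return any(_value_matches(value, v) for v in attrs.get(attr, []))


def search(directory: Dict[str, Entry], filt: str) -> List[str]:
    """Return the DNs matching filt, standing in for the entries an LDAP search yields."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return [dn for dn, attrs in directory.items() if _matches(node, attrs)]


def auth_user_ldap(directory, template, user_input, admin_group) -> Optional[dict]:
    """Lookup step of the login flow: require exactly one entry, then check memberOf."""
    out = search(directory, build_user_filter(template, user_input))
    if not out:  # empty result: the case that raised IndexError in the traceback
        return None
    if len(out) > 1:  # ambiguous match: refuse rather than silently take out[0]
        return None
    dn = out[0]
    # A real implementation would now bind as `dn` with the supplied password;
    # the memberOf comparison is the attribute check the admin-group hint relies on.
    return {"dn": dn, "is_admin": admin_group in directory[dn].get("memberOf", [])}


def unescaped_injection_demo(directory) -> int:
    """How many entries a raw '*' returns when {input} is substituted without escaping."""
    return len(search(directory, FILTER_TEMPLATE.replace("{input}", "*")))
```

The string `build_user_filter` returns is the one to paste into ldapsearch to confirm the directory side, for example `ldapsearch -x -H ldap://192.168.1.135 -D "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io" -W -b "dc=ldap,dc=goauthentik,dc=io" '(&(|(uid=vylion)(mail=vylion))(objectClass=person))'`. If that returns one entry but the application still sees an empty list, the difference lies in what the application sends (base DN, bind identity, attribute names or memberOf being absent), not in the directory itself.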
@vylion were you able to resolve the issue?
Closing as stale, feel free to re-open if you need.
Sorry! I've had a busy week and could not get back to this issue.
What do you mean, with having memberOf enabled? The server definitely does send that field. Should I add it to the filter? Or do you mean adding the LDAP_ADMIN_GROUP variable? I had that variable set in the beginning, and I removed it in the process of trying to find out what was stopping me from logging in.
Also, unrelated question, but I didn't feel it was worth creating a new issue for; what is the upload URL endpoint? If I want to enable uploads but I don't want them to be accessible through just a card in the feed?
The upload URLs you need to send POST data to are:
admin only upload => /api/upload
public upload (if enabled) => /api/upload/public
Admin only upload will not work unless you are also passing along a valid admin session with the request. Public upload does not require a session.
In reference to the memberOf suggestion I gave, I got this from this issue here: #181