Unable to login with LLDAP and Traefik config
So I've been banging my head for two days straight. I was able to get the basic docker-standalone setup rolling, meaning I was able to log in with a manually created user via DAVx5. However, I cannot connect via LLDAP. This might be a duplicate of https://github.com/tchapi/davis/issues/158, but I'm also unable to log in and followed basically the same config (LDAP-wise) and debugging steps.
The dev.log does not show any errors, so it seems.
Here is my docker-compose:
services:
  davis:
    build:
      context: git-repo/
      dockerfile: ./docker/Dockerfile-standalone
      args:
        - fpm_user=82:82 # user and group ID for www-data
        - platform=arm64
    image: local-davis-standalone:5.1.0
    # image: ghcr.io/tchapi/davis:5.1.0
    container_name: davis
    hostname: davis
    depends_on:
      - davis-mariadb
    expose:
      - 9000
    networks:
      - secure_proxy
      - davis_internal
    env_file:
      - ./.env_local
    environment:
      - APP_ENV=dev
      - DATABASE_DRIVER=mysql
      - DATABASE_URL=mysql://${DB_USER}:${DB_PASSWORD}@davis-mariadb:3306/${DB_DATABASE}?serverVersion=mariadb-${MARIA_DB_VERSION}&charset=utf8mb4
      - MAILER_DSN=smtp://${MAIL_USERNAME}:${MAIL_PASSWORD}@${MAIL_HOST}:${MAIL_PORT}
      - INVITE_FROM_ADDRESS=${MAIL_USERNAME}
      - APP_TIMEZONE=${TIMEZONE}
      - ADMIN_AUTH_BYPASS=false
      - ADMIN_LOGIN=${ADMIN_LOGIN}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD}
      - AUTH_REALM=SabreDAV
      - AUTH_METHOD=LDAP
      - CALDAV_ENABLED=true
      - CARDDAV_ENABLED=true
      - WEBDAV_ENABLED=false
      - WEBDAV_TMP_DIR=/tmp
      - WEBDAV_PUBLIC_DIR=/webdav/public
      # By default, home directories are disabled
      - WEBDAV_HOMES_DIR=
      - LDAP_AUTH_URL=ldap://${LDAP_URL}
      - LDAP_DN_PATTERN="uid=%u,ou=people,dc=domain,dc=com"
      - LDAP_MAIL_ATTRIBUTE="mail"
      - LDAP_AUTH_USER_AUTOCREATE=true # false by default
      - LDAP_CERTIFICATE_CHECKING_STRATEGY="try" # try by default
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=secure_proxy' # explicitly tell Traefik in which network to find this container
      - 'traefik.http.routers.davis.rule=Host( `davis.${LOCAL_DOMAIN_NAME}`, `davis-${EXTERN_HOMELAB_DOMAIN_NAME}` )'
      - 'traefik.http.routers.davis.tls=true'
      - 'traefik.http.routers.davis.entrypoints=websecure'
      - 'traefik.http.routers.davis.middlewares=secured-chain'
      - 'traefik.http.services.davis.loadbalancer.server.port=9000'
      - 'traefik.http.routers.davis.service=davis'
  davis-mariadb:
    image: mariadb:${MARIA_DB_VERSION}
    container_name: davis-mariadb
    hostname: davis-mariadb
    restart: always
    networks:
      - davis_internal
    env_file:
      - ./.env_local
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
      - MYSQL_USER=${DB_USER}
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MARIADB_AUTO_UPGRADE=1
    volumes:
      - ./davis_data:/var/lib/mysql
    command: ["--max-allowed-packet=128M", "--innodb-log-file-size=64M"]
    healthcheck:
      test: ["CMD", "mariadb-admin", "ping", "-u", "root", "--password=${DB_ROOT_PASSWORD}"]
      interval: 10s
      timeout: 5s
      retries: 5
networks:
  secure_proxy:
    name: secure_proxy
    external: true
  davis_internal:
    name: davis_internal
Oh, and one additional note. To make Traefik work with the standalone Docker variant, one must modify the Dockerfile-standalone file. Specifically the healthcheck: the "curl --fail" argument results in Traefik filtering this container on startup (probably due to the delay of the web server) and never registering its labels.
Removing --fail and rebuilding this image fixed it for me.
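Traefik's Docker provider skips containers whose health status is "unhealthy", so a probe that fails while the web server is still starting keeps the router from ever being created. An alternative to dropping `--fail` (which would make the check report healthy even on HTTP errors) is to override the healthcheck in the compose file and give it a `start_period`, during which failures are not counted toward `retries`. This is an added example, not configuration from the Davis project or from the thread's author; it assumes the image's probe is a curl against the local port 9000 on `/` (the exact HEALTHCHECK line in Dockerfile-standalone is not shown in the thread), so adjust the path to whatever the image actually probes.

```yaml
services:
  davis:
    # ... the rest of the davis service as in the compose file above ...
    healthcheck:
      # Assumed probe: same as the image's, but kept with --fail so a 5xx still
      # marks the container unhealthy instead of silently passing.
      test: ["CMD", "curl", "--fail", "--silent", "--output", "/dev/null", "http://127.0.0.1:9000/"]
      interval: 10s
      timeout: 5s
      retries: 3
      # Failures during the first 60s of the container's life are not counted,
      # which covers the web server's startup delay without weakening the check.
      start_period: 60s
```

`start_period` is honoured by Docker Engine itself, so it also applies when Traefik reads the container's health through the Docker API; pick a value longer than the slowest cold start you observe.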
I also have been banging my head against this issue all weekend. It's strange, because there are no statements even referencing LDAP in the logs. It's almost as if the AUTH_METHOD environment variable is being ignored completely.
In a last-ditch effort, I tried the barebones image and it worked! I had to un-quote LDAP URL and PATTERN variables in the environment file (if you're using an env file). Tested with authentik LDAP.
So to recap: something is wrong with the standalone image (going back to the very first tagged release of the standalone image) that blocks LDAP auth.
Thanks for the input, really appreciated! I gave it a try and now at least have an "401: access denied" error. I still can't figure out if the LDAP connection is good or not according to the logs though.
davis | NOTICE: PHP message: Invalid certificate checking strategy: "try"
davis | 172.25.0.4 - ldapuser 01/Jun/2025:21:23:49 +0000 "PROPFIND /index.php" 401
Having traefik and nginx running right behind one another seems a bit weird (2 proxies redirecting requests) but I guess the standalone variant with the Caddy webserver has the same effect.
One thing I had trouble with was the volume. I wanted it to bind locally instead of using the Docker volume, but somehow it didn't work, so I stuck with the Docker volume.
If anyone went through the same process, i.e. switching from standalone to non-standalone and having their own docker-compose.yml: make sure the "fpm_user=101:101" arguments are set for nginx to work. This also cost me several minutes.
Also, I wasn't able to run this non-standalone in APP_ENV=dev. If I wanted to "composer install" within the container, I got the error "git was not found in your PATH, skipping source download". Upon trying to install via apk add git I also got a permission error. This seems to be an issue with the 101 user group, as this is not known by the underlying Alpine Linux.
I really liked the potential of this project, but at this point I must give up as it's too time consuming. Given that in the meantime I have a successful Radicale instance with LDAP running, I can actually focus on syncing my stuff.
For people who come in the future, depending on your setup (especially with Podman), you may need to unquote the values in your environment variables. That might solve your problem with the LDAP_CERTIFICATE_CHECKING_STRATEGY.
I will open another issue about the LDAP and the standalone container when I have some time to troubleshoot the root cause.
Re last paragraph: skill issue? At least close this non-issue if you're giving up.
Even though I gave up, the underlying problem still exists and could affect others. So I’d prefer to keep this thread open until it’s either resolved or clearly documented.
That said, I ended up circling back, couldn't let it go. After some late-night PHP debugging, I found the cause (and also realized Radicale's calendar sharing isn't quite as neat as Davis's).
Root cause: all LDAP config parameters must be defined as plain text (no quotes). Unfortunately, the README shows these config parameters with quotes. These are actually the only parameters documented that way, and issues like https://github.com/tchapi/davis/issues/158 as well as other user experiences only focus on unquoting some specific values. I was probably just blind at this point and not applying this rule across the board.
The LDAP_CERTIFICATE_CHECKING_STRATEGY was a good guess but I additionally set it to never as my ldap server is only present within my private network and I don't have certificates ready anyway.
In the end I tested everything with both images, standalone and non-standalone; both seem to work now. I'll open a pull request to improve the docs and my finding regarding traefik with standalone image.
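The quoting problem described in this thread comes down to how the values reach the container: an `environment:` list entry in docker-compose.yml is passed verbatim, so `LDAP_CERTIFICATE_CHECKING_STRATEGY="try"` arrives with the double quotes inside the value (hence the `Invalid certificate checking strategy: "try"` notice above), whereas a `.env`/`env_file:` file has matching surrounding quotes stripped. The following is an added example, not code from the Davis project or from the thread's participants: a small lint that models both sources (a simplified version of compose's rules, which is an assumption) and flags the LDAP values a practitioner would want to look at before blaming the image. The sample entries and `.env` text are constructed to mirror the compose file in the issue; the hostnames and ports in them are made up.

```python
"""Lint LDAP-related environment values the way docker compose will hand them
to the container.  Added example; not part of Davis.

Assumptions (simplified model of compose behaviour):
  * `environment:` list entries are passed verbatim, quotes included.
  * `.env` / `env_file:` lines have one pair of matching surrounding quotes
    stripped; unquoted values lose a trailing ` # comment`.
"""
import re
from typing import Dict, List

# A value that starts and ends with the same quote character.
_QUOTED = re.compile(r'^(["\'])(.*)\1$')


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a .env file, stripping surrounding quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        m = _QUOTED.match(value)
        if m:
            value = m.group(2)  # quotes are syntax here, not part of the value
        else:
            value = re.split(r"\s+#", value, maxsplit=1)[0].rstrip()
        env[key] = value
    return env


def parse_compose_env_list(entries: List[str]) -> Dict[str, str]:
    """Model `environment:` list entries: everything after '=' is verbatim."""
    env: Dict[str, str] = {}
    for entry in entries:
        key, _, value = entry.partition("=")
        env[key.strip()] = value  # quotes stay inside the value
    return env


def lint_ldap_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the LDAP_* settings in `env`."""
    findings: List[str] = []
    for key, value in env.items():
        if key.startswith("LDAP_") and _QUOTED.match(value):
            findings.append(f"{key}: value carries literal quotes ({value}); unquote it")
    if env.get("LDAP_AUTH_URL", "").startswith("ldap://"):
        findings.append("LDAP_AUTH_URL: plain ldap://, bind credentials cross the network unencrypted")
    if env.get("LDAP_CERTIFICATE_CHECKING_STRATEGY") == "never":
        findings.append("LDAP_CERTIFICATE_CHECKING_STRATEGY=never: the LDAP server certificate is not verified")
    pattern = env.get("LDAP_DN_PATTERN")
    if pattern is not None and "%u" not in pattern:
        findings.append("LDAP_DN_PATTERN: no %u placeholder, every login would bind as the same DN")
    return findings


# Constructed sample: the quoting style from the issue's compose file.
COMPOSE_ENTRIES = [
    "LDAP_AUTH_URL=ldap://ldap.internal:3890",
    'LDAP_DN_PATTERN="uid=%u,ou=people,dc=domain,dc=com"',
    'LDAP_MAIL_ATTRIBUTE="mail"',
    "LDAP_AUTH_USER_AUTOCREATE=true",
    'LDAP_CERTIFICATE_CHECKING_STRATEGY="try"',
]

# Constructed sample: the same settings in a .env file, over LDAPS.
ENV_FILE = """\
# .env written for env_file: (constructed)
LDAP_AUTH_URL=ldaps://ldap.internal:6360
LDAP_DN_PATTERN="uid=%u,ou=people,dc=domain,dc=com"
LDAP_MAIL_ATTRIBUTE='mail'
LDAP_CERTIFICATE_CHECKING_STRATEGY=try # try by default
"""

if __name__ == "__main__":
    for label, env in (("compose list", parse_compose_env_list(COMPOSE_ENTRIES)),
                       (".env file", parse_env_file(ENV_FILE))):
        print(f"== {label} ==")
        for finding in lint_ldap_env(env) or ["no findings"]:
            print("  " + finding)
```

Run it as-is and the compose-list sample reports the three quoted values plus the plaintext `ldap://` URL, while the `.env` sample comes back clean. Note that `try` only survives in the `.env` path because the quotes were syntax there; in the list form the application sees a five-character string starting with `"`, which no strategy name will match. The `never` warning is there because it is the setting chosen later in this thread: it is acceptable on an isolated internal network, but it removes the only protection against a spoofed directory server seeing every user's bind password.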
Hello @Daniel-Leer and @tricepsbrachii
First of all, thanks for the issue and the discussion. I appreciate that you're trying Davis, and that you're documenting your debug process for others to benefit from. As you may imagine I have limited time to tend to issues so sorry for not chiming in earlier.
I've commented on the PR. I'll also add a more visible callout in the README to make sure we have a pit of success here for env values.
I'm glad it works correctly now 🎉
Closing as I have made the requested changes from the PR (in two commits)
Hi @tchapi, thanks a lot for taking care. Unfortunately, I was occupied with moving to a new place and on top of that my server died, so my prios were focusing more on my private life. I appreciate the nice comments and will continue to use your project :)
If I find some spare time I might contribute more.
Cheers.