
Connect Nextcloud via LDAP Outpost

Open martin-nohava opened this issue 3 years ago • 2 comments

Describe your question

Hi. I would like to connect a Nextcloud instance to Authentik via LDAP Outpost, but I can't figure out any functional configuration. Every time I try to log in to Nextcloud with a user defined in Authentik I get this error message in Nextcloud:

# Message after login attempt with 'martin' username. 
Warning | user_ldap | LDAP Login: Could not get user object for DN cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io. Maybe the LDAP entry has no set display name attribute?

Also couldn't find any documentation on this. For Nextcloud only SAML documentation is written as of now.

According to the Nextcloud LDAP integration, it seems that Nextcloud can communicate with the LDAP Outpost (screenshot 1), correctly obtain the number of users (screenshot 2) and groups (screenshot 4), confirm the existence of specific users (screenshot 3) and so on, but fails to use this information for user login.

Has anyone been able to achieve this type of connection between Authentik and Nextcloud? Thank you.

Relevant infos

  • Nextcloud version: 23.0.3 Hub II
  • Deployment: docker-compose

Screenshots 1 2 3 4

Logs

Output of docker-compose logs for LDAP Outpost

{"baseDN":"ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(&(|(objectclass=user))(displayname=*))","level":"info","requestId":"66ed1073-a605-436d-9b95-f5ebd89eab37","scope":"Whole Subtree","timestamp":"2022-04-27T10:57:35Z","took-ms":0}
{"bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"User has access","level":"info","requestId":"bc6b096c-3f7e-45d0-8f48-07eaf64bf3d6","timestamp":"2022-04-27T10:57:54Z"}
{"bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Allowed access to search","group":"authentik Admins","level":"info","requestId":"bc6b096c-3f7e-45d0-8f48-07eaf64bf3d6","timestamp":"2022-04-27T10:57:54Z"}
{"bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Bind request","level":"info","requestId":"bc6b096c-3f7e-45d0-8f48-07eaf64bf3d6","timestamp":"2022-04-27T10:57:54Z","took-ms":10615}
{"baseDN":"ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(&(|(objectclass=user))(|(cn=martin)))","level":"info","requestId":"c0f4454f-941f-41cb-9096-f7498fee1853","scope":"Whole Subtree","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"ffd34f56-ff83-44ef-b24b-e4b5d1ddafe3","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"d4c49213-275b-4eb5-ae2f-2c394c38bcb3","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"e2d2b213-c30b-41f4-ab17-6a36029a7ec4","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"f8d8377f-ce5d-43dc-af87-4abf983151a8","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"78cf550e-4d83-4b37-8c0e-3b9fded262d9","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"0e7e9648-e340-4fef-aa8c-9bcdaab7dc6a","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"21a5d1b7-a09f-464e-9354-cb510e330e80","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"a8919af7-f53e-40ba-a18a-bccd91dc9093","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"11d9715b-c7f5-4335-a03e-a3adaf69c681","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}
{"baseDN":"cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.0.10","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"8d9dbe5b-1e30-4122-ab34-30fed79ea3c3","scope":"Base Object","timestamp":"2022-04-27T10:57:56Z","took-ms":0}

Version and Deployment (please complete the following information):

  • authentik version: 2022.4.1
  • Deployment: docker-compose

martin-nohava avatar Apr 27 '22 11:04 martin-nohava
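Added example (not part of the original issue and not authentik code): a small triage script for outpost JSON logs shaped like the ones above. For each user DN the client looked up with a Base Object search, it reports whether a bind as that DN was ever logged; in the excerpt above every line carries the akadmin bind DN and no bind as cn=martin appears. The function name `triage` and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of the outpost log lines above (fields trimmed).
SVC = "cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io"
USER = "cn=martin,ou=users,dc=ldap,dc=goauthentik,dc=io"
SAMPLE = "\n".join(json.dumps(e) for e in (
    [{"bindDN": SVC, "event": "Bind request"},
     {"bindDN": SVC, "event": "Search request", "scope": "Whole Subtree",
      "baseDN": "ou=users,dc=ldap,dc=goauthentik,dc=io",
      "filter": "(&(|(objectclass=user))(|(cn=martin)))"}]
    + [{"bindDN": SVC, "event": "Search request", "scope": "Base Object",
        "baseDN": USER, "filter": "(objectClass=*)"}] * 10))


def triage(log_text, service_dn):
    """Report, per looked-up user DN, how far the login got in the log."""
    binds, lookups = set(), Counter()
    for line in log_text.splitlines():
        start = line.find("{")  # skip any "container | " prefix from docker-compose
        if start == -1:
            continue
        try:
            ev = json.loads(line[start:])
        except ValueError:
            continue  # not a JSON log line
        if not isinstance(ev, dict):
            continue
        if ev.get("event") == "Bind request":
            binds.add(ev.get("bindDN", "").lower())
        elif (ev.get("event") == "Search request"
              and ev.get("scope") == "Base Object"):
            lookups[ev.get("baseDN", "").lower()] += 1
    report = {}
    for dn, count in lookups.items():
        if dn == service_dn.lower():
            continue  # the service account looking itself up is not a login
        # DNs are compared lower-cased, a simplification of LDAP DN matching.
        stage = "bind attempted" if dn in binds else "lookup only, no bind as user"
        report[dn] = {"base_lookups": count, "stage": stage}
    return report


if __name__ == "__main__":
    for dn, info in triage(SAMPLE, SVC).items():
        print(dn, info)
```

A "lookup only, no bind as user" result means the client stopped before the password check, so the place to look is which attributes it reads from the entry, not the credentials.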

Can confirm this on 2022.7.3. Any Updates on this @BeryJu? Is there some way we can help resolve this?

shadowcpy avatar Jul 28 '22 23:07 shadowcpy

@martin-nohava Fixed with setting:

  • Advanced -> Displayname Attribute: name
  • Expert -> Override UUID Detection -> User: uid
  • Expert -> Clear Username - Ldap Mapping

WARNING: THIS WILL RESET ALL LDAP USERS IN NEXTCLOUD (Files and everything else)

shadowcpy avatar Jul 28 '22 23:07 shadowcpy

Hello, I have the same problem @martin-nohava. I do not understand the solution @your-sudden-death. In jellyfin, gitea and jenkins it works. So I don't understand the difference.

Waboath avatar Jan 20 '23 17:01 Waboath

This may be connected to #5394

a-gerhard avatar Apr 27 '23 18:04 a-gerhard

I have the same issue. I tried @your-sudden-death's solution, but it did not work. Any news about this problem?

diegobrandao avatar Mar 06 '24 01:03 diegobrandao

I'll screen my settings here if it helps.


mailPrimaryAddress should be mail on a standard authentik install. nextcloudQuota is an attribute I add on my users, leave blank if you don't want it. Also, all filters are written by hand, without using nextcloud configuration dialogs.

Closing as it's not an authentik issue.

rissson avatar Mar 28 '24 17:03 rissson