
LDAP invalid memory or nil pointer dereference

Open obsidiangroup opened this issue 3 years ago • 0 comments

Describe the bug

When performing an ldapsearch against the authentik LDAP, the authentik LDAP outpost container gives an invalid memory address error.

To Reproduce

Steps to reproduce the behavior:

  1. Setup a new Application and create an LDAP Provider
  2. Add application to your LDAP Outpost
  3. From a Linux shell, run 'ldapsearch -x -h <IP> -p 389 -D <binding DN> -W -b <base DN>'
  4. See error

Expected behavior

Outpost should behave normally and return correct information.

Screenshots

Example ldapsearch response without explicitly setting objectClass:

[[email protected]: ~]ldapsearch -x -h auth -p 389 -D 'cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld' -W -b 'ou=users,auth,dc=domain,dc=tld'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=auth,dc=domain,dc=tld> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Same, but setting objectClass:

[[email protected]: ~]ldapsearch -x -h 192.168.1.170 -p 389 -D 'cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld' -W -b 'ou=users,dc=auth,dc=domain,dc=tld' '(objectClass=user)'
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=auth,dc=domain,dc=tkd> with scope subtree
# filter: (objectClass=user)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

If applicable, add screenshots to help explain your problem.

Logs

{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2022-08-24T23:33:50Z"}
{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","error":"invalid base DN","event":"Username not for instance","level":"debug","requestId":"8a98e90c-7a8b-4491-bdf6-1ad3389eb66c","timestamp":"2022-08-24T23:34:00Z"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2022-08-24T23:34:00Z"}
{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","component":"ak-stage-identification","event":"Got challenge","flow":"auth-flow","level":"debug","requestId":"8a98e90c-7a8b-4491-bdf6-1ad3389eb66c","timestamp":"2022-08-24T23:34:01Z","type":"native"}
{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","component":"xak-flow-redirect","event":"Got response","flow":"auth-flow","level":"debug","requestId":"8a98e90c-7a8b-4491-bdf6-1ad3389eb66c","timestamp":"2022-08-24T23:34:02Z","type":"redirect"}
{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"User has access","flow":"auth-flow","level":"debug","requestId":"8a98e90c-7a8b-4491-bdf6-1ad3389eb66c","timestamp":"2022-08-24T23:34:02Z"}
{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"User has access","level":"info","requestId":"8a98e90c-7a8b-4491-bdf6-1ad3389eb66c","timestamp":"2022-08-24T23:34:02Z"}
{"allowedGroup":"b25d3ce9-6b9b-4557-84c0-805f39ffbb4c","event":"Checking search access","level":"trace","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2022-08-24T23:34:02Z","userGroup":"f58e42b5-f1e5-4f4e-9439-3d05056438bc"}
{"allowedGroup":"b25d3ce9-6b9b-4557-84c0-805f39ffbb4c","event":"Checking search access","level":"trace","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2022-08-24T23:34:02Z","userGroup":"c0a62162-34dd-4472-8fd2-4743d25c52a4"}
{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"Bind request","level":"info","requestId":"8a98e90c-7a8b-4491-bdf6-1ad3389eb66c","timestamp":"2022-08-24T23:34:02Z","took-ms":2623}
{"error":"runtime error: invalid memory address or nil pointer dereference","event":"recover in search request","level":"error","timestamp":"2022-08-24T23:34:02Z"}
{"baseDN":"ou=users,dc=auth,dc=domain,dc=tld","bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"Search request","filter":"(objectClass=user)","level":"info","requestId":"50cc57d5-bef1-4855-bc03-ffb686213067","scope":"Whole Subtree","timestamp":"2022-08-24T23:34:02Z","took-ms":1}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2022-08-24T23:34:10Z"}

Version and Deployment (please complete the following information):

  • authentik version: [e.g. 2022.8.1]
  • Deployment: [e.g. docker-compose]

Additional context

Issue was also present in 2022.7.3. If other logs / information are required, please let me know.

obsidiangroup, Aug 24 '22 23:08
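
A triage sketch for the log excerpt above, added here and not part of the original issue or authentik's code: the "recover in search request" line carries no requestId, so this pairs each recovered panic with the next "Search request" line to recover the client, bind DN and filter. Pairing by order is a heuristic assumption, and the function name and `req-N` ids are constructed.

```python
import json

# Constructed sample in the shape of the outpost log lines quoted in the issue.
SAMPLE = [
    '{"bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"Bind request","level":"info","requestId":"req-1","timestamp":"2022-08-24T23:34:02Z","took-ms":2623}',
    '{"error":"runtime error: invalid memory address or nil pointer dereference","event":"recover in search request","level":"error","timestamp":"2022-08-24T23:34:02Z"}',
    '{"baseDN":"ou=users,dc=auth,dc=domain,dc=tld","bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"Search request","filter":"(objectClass=user)","level":"info","requestId":"req-2","scope":"Whole Subtree","timestamp":"2022-08-24T23:34:02Z","took-ms":1}',
    'plain text line that is not JSON',
    '{"baseDN":"ou=users,dc=auth,dc=domain,dc=tld","bindDN":"cn=ldapadmin,ou=users,dc=auth,dc=domain,dc=tld","client":"192.168.1.72","event":"Search request","filter":"(cn=alice)","level":"info","requestId":"req-3","timestamp":"2022-08-24T23:35:10Z","took-ms":40}',
]

FIELDS = ("requestId", "client", "bindDN", "baseDN", "filter", "scope")


def find_crashed_searches(lines):
    """Return one finding per recovered panic, joined to the next search line."""
    findings, pending = [], []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log record
        if not isinstance(rec, dict):
            continue
        event = rec.get("event")
        if event == "recover in search request":
            pending.append(rec)  # panic seen; the request context is logged later
        elif event == "Search request" and pending:
            panic = pending.pop(0)
            finding = {"error": panic.get("error"), "panic_ts": panic.get("timestamp")}
            finding.update({k: rec.get(k) for k in FIELDS})
            findings.append(finding)
    # Panics with no following search line are still reported, without context.
    for panic in pending:
        finding = {"error": panic.get("error"), "panic_ts": panic.get("timestamp")}
        finding.update({k: None for k in FIELDS})
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_crashed_searches(SAMPLE):
        print(json.dumps(f, indent=2))
```

On a busy outpost with concurrent searches the ordering heuristic can mismatch, so treat the joined filter and bind DN as a lead to confirm by replaying the search.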