
Authelia tries to get a non-existing 'memberof' attribute from groups in LLDAP backend #7310

Open
8 tasks done
jorti opened this issue May 14, 2024 · 1 comment
Labels
priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs

Comments


jorti commented May 14, 2024

Version

v4.38.8

Deployment Method

Docker

Reverse Proxy

Traefik

Reverse Proxy Version

3.0.0

Description

When using LLDAP as the authentication backend, LLDAP is logging warnings every time the user information is refreshed (every minute). The message warns that a non-existing attribute memberof has been queried for a group:

2024-05-14T09:55:42.476728449+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof

Reproduction

  1. Configure an LLDAP authentication backend:

authentication_backend:
  password_reset:
    disable: false
  refresh_interval: '1m'
  ldap:
    address: 'ldap://lldap:3890'
    implementation: 'lldap'
    base_dn: 'dc=example,dc=com'
    user: 'uid=authelia_bind_user,ou=people,dc=example,dc=com'

  2. Log in to some application using forward-auth.
  3. When Authelia refreshes the user information every minute, we get warning messages in LLDAP.

Expectations

Authelia should not query the memberof attribute for groups when using the lldap LDAP implementation.

Configuration (Authelia)

# yamllint disable rule:comments-indentation
---
server:
  address: 'tcp://:9091/'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
log:
  level: 'debug'
telemetry:
  metrics:
    enabled: true
    address: 'tcp://:9959'
totp:
  disable: false
  issuer: 'auth.example.com'
  algorithm: 'sha256'
webauthn:
  disable: false
identity_validation:
  reset_password:
authentication_backend:
  password_reset:
    disable: false
  refresh_interval: '1m'
  ldap:
    address: 'ldap://lldap:3890'
    implementation: 'lldap'
    base_dn: 'dc=example,dc=com'
    user: 'uid=authelia_bind_user,ou=people,dc=example,dc=com'
password_policy:
  standard:
    enabled: true
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3
privacy_policy:
  enabled: false
  require_user_acceptance: false
  policy_url: ''
access_control:
  default_policy: 'deny'
  rules:
    - domain: "app1.apps.example.com"
      policy: two_factor
      subject:
        - 'group:group7'
session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://example.com'
  redis:
    host: 'authelia-valkey'
    port: 6379
regulation:
  max_retries: 3
  find_time: '3m'
  ban_time: '1h'
storage:
  postgres:
    address: 'tcp://authelia-postgres:5432'
    database: 'authelia'
    username: 'authelia'
notifier:
  smtp:
    address: 'submission://smtp.example.com:587'
    username: '[email protected]'
    sender: 'Authelia <[email protected]>'
identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/run/secrets/AUTHELIA_IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
    authorization_policies:
      app2_policy:
        default_policy: 'deny'
        rules:
          - policy: 'two_factor'
            subject: 'group:group1'
    cors:
      endpoints:
        - 'authorization'
        - 'pushed-authorization-request'
        - 'token'
        - 'revocation'
        - 'introspection'
        - 'userinfo'
    clients:
      - client_id: 'app2'
        client_name: 'App 2'
        client_secret: 'REDACTED'
        authorization_policy: 'app2_policy'
        pre_configured_consent_duration: '365d'
        token_endpoint_auth_method: 'client_secret_post'
        redirect_uris:
          - 'https://apps2.example.com/oauth2callback/authelia'
        scopes:
          - 'openid'
          - 'groups'
          - 'email'
          - 'profile'
...

Build Information

Last Tag: v4.38.8
State: tagged clean
Branch: v4.38.8
Commit: cd32d5ce0b3cc2d581f63700c5cec1174c027718
Build Number: 28628
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Mon, 15 Apr 2024 13:44:28 +1000
Extra: 

Go:
    Version: go1.22.1
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia

Logs (Authelia)

[275129.147037] authelia[771106]: time="2024-05-14T09:54:41Z" level=debug msg="Check authorization of subject username=user1 groups=group3,group3-admins,group4,group4-admins,group1,group1-admins,group2,group5,group6,group6-admins,group7 ip=2001:db8::2 and object https://app1.apps.example.com/REDACTED (method GET)."
[275189.855929] authelia[771106]: time="2024-05-14T09:55:42Z" level=debug msg="Checking the authentication backend for an updated profile for user" method=GET path=/api/authz/forward-auth remote_ip="2001:db8::2" username=user1
[275190.003712] lldap[770768]: 2024-05-14T09:55:42.372748505+00:00  INFO     LDAP session [ 60.9ms | 0.40% / 100.00% ]
[275190.004422] lldap[770768]: 2024-05-14T09:55:42.372821354+00:00  INFO     ┝━ LDAP request [ 58.0ms | 0.15% / 95.32% ]
[275190.004513] lldap[770768]: 2024-05-14T09:55:42.372843038+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=authelia_bind_user,ou=people,dc=example,dc=com", cred: LdapBindCred::Simple }), ctrl: [] }
[275190.004594] lldap[770768]: 2024-05-14T09:55:42.372847370+00:00  DEBUG    │  ┝━ do_bind [ 57.9ms | 0.05% / 95.17% ] dn: uid=authelia_bind_user,ou=people,dc=example,dc=com
[275190.004663] lldap[770768]: 2024-05-14T09:55:42.372861831+00:00  DEBUG    │  │  ┝━ bind [ 57.7ms | 0.04% / 94.85% ]
[275190.004746] lldap[770768]: 2024-05-14T09:55:42.372870665+00:00  DEBUG    │  │  │  ┝━ get_password_file_for_user [ 174µs | 0.29% ] user_id: UserId(CaseInsensitiveString("authelia_bind_user"))
[275190.004812] lldap[770768]: 2024-05-14T09:55:42.373306334+00:00  DEBUG    │  │  │  ┕━ passwords_match [ 57.5ms | 94.53% ] username: authelia_bind_user
[275190.004879] lldap[770768]: 2024-05-14T09:55:42.430839787+00:00  DEBUG    │  │  ┝━ get_user_groups [ 164µs | 0.27% ] user_id: "authelia_bind_user"
[275190.004945] lldap[770768]: 2024-05-14T09:55:42.431261903+00:00  DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(2), display_name: GroupName("lldap_password_manager"), creation_date: 2024-04-28T14:21:53.978896636, uuid: Uuid("f0415fef-6437-3eee-a399-4fe2a318240b"), attributes: [] }}
[275190.005028] lldap[770768]: 2024-05-14T09:55:42.431265483+00:00  DEBUG    │  │  ┕━ 🐛 [debug]: Success!
[275190.005103] lldap[770768]: 2024-05-14T09:55:42.431279681+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
[275190.005175] lldap[770768]: 2024-05-14T09:55:42.431442775+00:00  INFO     ┝━ LDAP request [ 528µs | 0.11% / 0.87% ]
[275190.005256] lldap[770768]: 2024-05-14T09:55:42.431454558+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "OU=people,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 1, timelimit: 0, typesonly: false, filter: And([Or([Equality("uid", "user1"), Equality("mail", "user1")]), Equality("objectClass", "person")]), attrs: ["uid", "mail", "cn", "memberOf"] }), ctrl: [] }
[275190.005323] lldap[770768]: 2024-05-14T09:55:42.431455685+00:00  DEBUG    │  ┝━ do_search [ 462µs | 0.21% / 0.76% ]
[275190.005387] lldap[770768]: 2024-05-14T09:55:42.431645307+00:00  DEBUG    │  │  ┝━ 🐛 [debug]:  | request.base: "OU=people,dc=example,dc=com" | scope: Users
[275190.005453] lldap[770768]: 2024-05-14T09:55:42.431646537+00:00  DEBUG    │  │  ┝━ get_user_list [ 331µs | 0.03% / 0.54% ]
[275190.005518] lldap[770768]: 2024-05-14T09:55:42.431653149+00:00  DEBUG    │  │  │  ┝━ 🐛 [debug]:  | filters: And([Or([UserId(UserId(CaseInsensitiveString("user1"))), Equality(LowercaseEmail, "user1")]), And([])])
[275190.005590] lldap[770768]: 2024-05-14T09:55:42.431656925+00:00  DEBUG    │  │  │  ┕━ list_users [ 315µs | 0.52% ] filters: Some(And([Or([UserId(UserId(CaseInsensitiveString("user1"))), Equality(LowercaseEmail, "user1")]), And([])])) | _get_groups: true
[275190.005679] lldap[770768]: 2024-05-14T09:55:42.432231814+00:00  DEBUG    │  │  │     ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId(CaseInsensitiveString("user1")), email: Email("[email protected]"), display_name: Some("user1"), creation_date: 2024-04-28T14:30:41.442273335, uuid: Uuid("f9a3fecf-3e10-3eb7-9333-356909a33945"), attributes: [] }, groups: Some([GroupDetails { group_id: GroupId(8), display_name: GroupName("group3"), creation_date: 2024-04-29T19:03:54.255375437, uuid: Uuid("6736cfb0-4389-32bf-85b5-71c98684f282"), attributes: [] }, GroupDetails { group_id: GroupId(9), display_name: GroupName("group3-admins"), creation_date: 2024-04-29T19:04:03.056373778, uuid: Uuid("4e706a2a-fbb4-3b01-bd90-425bae1dd051"), attributes: [] }, GroupDetails { group_id: GroupId(12), display_name: GroupName("group4"), creation_date: 2024-04-30T07:46:07.232586220, uuid: Uuid("658ea802-b4be-3741-9692-0528f60f82e5"), attributes: [] }, GroupDetails { group_id: GroupId(13), display_name: GroupName("group4-admins"), creation_date: 2024-04-30T07:46:17.377293414, uuid: Uuid("2a4f7258-9be3-3488-9391-e72aa5ae1d56"), attributes: [] }, GroupDetails { group_id: GroupId(7), display_name: GroupName("group1"), creation_date: 2024-04-29T19:03:15.682533353, uuid: Uuid("2fa8804d-bb31-3910-bbea-daaf1de44975"), attributes: [] }, GroupDetails { group_id: GroupId(11), display_name: GroupName("group1-admins"), creation_date: 2024-04-30T05:30:59.124992404, uuid: Uuid("1a5fb736-e51e-3880-b012-8bbbc106ce1e"), attributes: [] }, GroupDetails { group_id: GroupId(14), display_name: GroupName("group2"), creation_date: 2024-04-30T09:32:05.281817199, uuid: Uuid("f152c7ee-9889-33c9-8c80-a06637d39526"), attributes: [] }, GroupDetails { group_id: GroupId(10), display_name: GroupName("group5"), creation_date: 2024-04-29T20:09:53.190451172, uuid: Uuid("e501465f-a232-38da-be7f-5472d984d0b8"), attributes: [] }, GroupDetails { group_id: GroupId(4), display_name: GroupName("group6"), creation_date: 2024-04-29T08:33:28.791807313, uuid: Uuid("36402396-ec29-3984-afc7-1a402f3a4cc6"), attributes: [] }, GroupDetails { group_id: GroupId(5), display_name: GroupName("group6-admins"), creation_date: 2024-04-29T08:33:36.945014620, uuid: Uuid("a83969d8-1490-3bff-819b-a00e9917d60d"), attributes: [] }, GroupDetails { group_id: GroupId(6), display_name: GroupName("group7"), creation_date: 2024-04-29T09:52:17.014433643, uuid: Uuid("af0e9a90-1be0-39c6-998e-5eca13ad6cef"), attributes: [] }]) }]
[275190.005830] lldap[770768]: 2024-05-14T09:55:42.432236255+00:00  DEBUG    │  │  ┕━ expand_attribute_wildcards [ 3.44µs | 0.01% ] ldap_attributes: ["uid", "mail", "cn", "memberOf"]
[275190.005908] lldap[770768]: 2024-05-14T09:55:42.432239702+00:00  DEBUG    │  │     ┕━ 🐛 [debug]:  | resolved_attributes: ["uid", "mail", "cn", "memberOf"]
[275190.006017] lldap[770768]: 2024-05-14T09:55:42.432266313+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "uid=user1,ou=people,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "uid", vals: ["user1"] }, LdapPartialAttribute { atype: "mail", vals: ["[email protected]"] }, LdapPartialAttribute { atype: "cn", vals: ["user1"] }, LdapPartialAttribute { atype: "memberOf", vals: ["cn=group3,ou=groups,dc=example,dc=com", "cn=group3-admins,ou=groups,dc=example,dc=com", "cn=group4,ou=groups,dc=example,dc=com", "cn=group4-admins,ou=groups,dc=example,dc=com", "cn=group1,ou=groups,dc=example,dc=com", "cn=group1-admins,ou=groups,dc=example,dc=com", "cn=group2,ou=groups,dc=example,dc=com", "cn=group5,ou=groups,dc=example,dc=com", "cn=group6,ou=groups,dc=example,dc=com", "cn=group6-admins,ou=groups,dc=example,dc=com", "cn=group7,ou=groups,dc=example,dc=com"] }] })
[275190.006164] lldap[770768]: 2024-05-14T09:55:42.432288950+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
[275190.006343] lldap[770768]: 2024-05-14T09:55:42.473576907+00:00  INFO     ┕━ LDAP request [ 2.08ms | 0.66% / 3.42% ]
[275190.006448] lldap[770768]: 2024-05-14T09:55:42.473612639+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "OU=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("member", "uid=user1,ou=people,dc=example,dc=com"), Equality("objectClass", "groupOfUniqueNames")]), attrs: ["cn", "memberOf"] }), ctrl: [] }
[275190.006558] lldap[770768]: 2024-05-14T09:55:42.473615791+00:00  DEBUG       ┝━ do_search [ 1.68ms | 0.84% / 2.76% ]
[275190.006663] lldap[770768]: 2024-05-14T09:55:42.474721621+00:00  DEBUG       │  ┝━ 🐛 [debug]:  | request.base: "OU=groups,dc=example,dc=com" | scope: Groups
[275190.006763] lldap[770768]: 2024-05-14T09:55:42.474724270+00:00  DEBUG       │  ┝━ get_groups_list [ 1.16ms | 0.09% / 1.91% ]
[275190.006864] lldap[770768]: 2024-05-14T09:55:42.474746048+00:00  DEBUG       │  │  ┝━ 🐛 [debug]:  | filters: And([Member(UserId(CaseInsensitiveString("user1"))), And([])])
[275190.006966] lldap[770768]: 2024-05-14T09:55:42.474755513+00:00  DEBUG       │  │  ┕━ list_groups [ 1.11ms | 1.82% ] filters: Some(And([Member(UserId(CaseInsensitiveString("user1"))), And([])]))
[275190.007133] lldap[770768]: 2024-05-14T09:55:42.476696477+00:00  DEBUG       │  │     ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(8), display_name: GroupName("group3"), creation_date: 2024-04-29T19:03:54.255375437, uuid: Uuid("6736cfb0-4389-32bf-85b5-71c98684f282"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(9), display_name: GroupName("group3-admins"), creation_date: 2024-04-29T19:04:03.056373778, uuid: Uuid("4e706a2a-fbb4-3b01-bd90-425bae1dd051"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(12), display_name: GroupName("group4"), creation_date: 2024-04-30T07:46:07.232586220, uuid: Uuid("658ea802-b4be-3741-9692-0528f60f82e5"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(13), display_name: GroupName("group4-admins"), creation_date: 2024-04-30T07:46:17.377293414, uuid: Uuid("2a4f7258-9be3-3488-9391-e72aa5ae1d56"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(7), display_name: GroupName("group1"), creation_date: 2024-04-29T19:03:15.682533353, uuid: Uuid("2fa8804d-bb31-3910-bbea-daaf1de44975"), users: [UserId(CaseInsensitiveString("user4")), UserId(CaseInsensitiveString("user8")), UserId(CaseInsensitiveString("user9")), UserId(CaseInsensitiveString("user1")), UserId(CaseInsensitiveString("user5")), UserId(CaseInsensitiveString("user6")), UserId(CaseInsensitiveString("user7")), UserId(CaseInsensitiveString("user3")), UserId(CaseInsensitiveString("user2"))], attributes: [] }, Group { id: GroupId(11), display_name: GroupName("group1-admins"), creation_date: 2024-04-30T05:30:59.124992404, uuid: Uuid("1a5fb736-e51e-3880-b012-8bbbc106ce1e"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(14), display_name: GroupName("group2"), creation_date: 2024-04-30T09:32:05.281817199, uuid: Uuid("f152c7ee-9889-33c9-8c80-a06637d39526"), users: [UserId(CaseInsensitiveString("user1")), UserId(CaseInsensitiveString("user8")), UserId(CaseInsensitiveString("user9")), UserId(CaseInsensitiveString("user5")), UserId(CaseInsensitiveString("user6")), UserId(CaseInsensitiveString("user7")), UserId(CaseInsensitiveString("user3")), UserId(CaseInsensitiveString("user2")), UserId(CaseInsensitiveString("user4"))], attributes: [] }, Group { id: GroupId(10), display_name: GroupName("group5"), creation_date: 2024-04-29T20:09:53.190451172, uuid: Uuid("e501465f-a232-38da-be7f-5472d984d0b8"), users: [UserId(CaseInsensitiveString("user1")), UserId(CaseInsensitiveString("user2")), UserId(CaseInsensitiveString("user3")), UserId(CaseInsensitiveString("user4"))], attributes: [] }, Group { id: GroupId(4), display_name: GroupName("group6"), creation_date: 2024-04-29T08:33:28.791807313, uuid: Uuid("36402396-ec29-3984-afc7-1a402f3a4cc6"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(5), display_name: GroupName("group6-admins"), creation_date: 2024-04-29T08:33:36.945014620, uuid: Uuid("a83969d8-1490-3bff-819b-a00e9917d60d"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }, Group { id: GroupId(6), display_name: GroupName("group7"), creation_date: 2024-04-29T09:52:17.014433643, uuid: Uuid("af0e9a90-1be0-39c6-998e-5eca13ad6cef"), users: [UserId(CaseInsensitiveString("user1"))], attributes: [] }]
[275190.007357] lldap[770768]: 2024-05-14T09:55:42.476709665+00:00  DEBUG       │  ┝━ expand_attribute_wildcards [ 7.58µs | 0.01% ] ldap_attributes: ["cn", "memberOf"]
[275190.007480] lldap[770768]: 2024-05-14T09:55:42.476716939+00:00  DEBUG       │  │  ┕━ 🐛 [debug]:  | resolved_attributes: ["cn", "memberOf"]
[275190.007600] lldap[770768]: 2024-05-14T09:55:42.476728449+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.007699] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.007806] lldap[770768]: 2024-05-14T09:55:42.476733970+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.007909] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008008] lldap[770768]: 2024-05-14T09:55:42.476738623+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008115] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008208] lldap[770768]: 2024-05-14T09:55:42.476743241+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008314] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008407] lldap[770768]: 2024-05-14T09:55:42.476747006+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008507] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008597] lldap[770768]: 2024-05-14T09:55:42.476751291+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008636] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008668] lldap[770768]: 2024-05-14T09:55:42.476765897+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008705] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008732] lldap[770768]: 2024-05-14T09:55:42.476770576+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008766] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008805] lldap[770768]: 2024-05-14T09:55:42.476782633+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008843] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008875] lldap[770768]: 2024-05-14T09:55:42.476786657+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008912] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.008950] lldap[770768]: 2024-05-14T09:55:42.476791132+00:00  WARN        │  ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
[275190.008996] lldap[770768]:                                To disable this warning, add it to "ignored_group_attributes" in the config.
[275190.009031] lldap[770768]: 2024-05-14T09:55:42.476808596+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group3,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group3"] }] })
[275190.009069] lldap[770768]: 2024-05-14T09:55:42.476865370+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group3-admins,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group3-admins"] }] })
[275190.009104] lldap[770768]: 2024-05-14T09:55:42.476889590+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group4,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group4"] }] })
[275190.009139] lldap[770768]: 2024-05-14T09:55:42.476910730+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group4-admins,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group4-admins"] }] })
[275190.009177] lldap[770768]: 2024-05-14T09:55:42.476930316+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group1,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group1"] }] })
[275190.009220] lldap[770768]: 2024-05-14T09:55:42.476951569+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group1-admins,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group1-admins"] }] })
[275190.009254] lldap[770768]: 2024-05-14T09:55:42.476970586+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group2,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group2"] }] })
[275190.009284] lldap[770768]: 2024-05-14T09:55:42.476997694+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group5,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group5"] }] })
[275190.009317] lldap[770768]: 2024-05-14T09:55:42.477032683+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group6,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group6"] }] })
[275190.009355] lldap[770768]: 2024-05-14T09:55:42.477052620+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group6-admins,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group6-admins"] }] })
[275190.009396] lldap[770768]: 2024-05-14T09:55:42.477072628+00:00  DEBUG       ┝━ 🐛 [debug]:  | response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group7,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group7"] }] })
[275190.009435] lldap[770768]: 2024-05-14T09:55:42.477114053+00:00  DEBUG       ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
[275190.009473] authelia[771106]: time="2024-05-14T09:55:42Z" level=debug msg="Check authorization of subject username=user1 groups=group3,group3-admins,group4,group4-admins,group1,group1-admins,group2,group5,group6,group6-admins,group7 ip=2001:db8::2 and object https://app1.apps.example.com/REDACTED (method GET)."

Logs (Proxy / Application)

No response

Documentation

https://www.authelia.com/reference/guides/ldap/#filter-defaults

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • This is a bug report and not a support request

  • I have read the security policy and this bug report is not a security issue or security related issue

  • I have either included the complete configuration file or I am sure it's unrelated to the configuration

  • I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

  • I have checked for related proxy or application logs and included them if available

  • I have checked for related issues and checked the documentation

@jorti jorti added priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs labels May 14, 2024
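As an added triage example (not code from this issue, Authelia or LLDAP), the script below parses LLDAP debug lines of the shape posted above, flags SearchRequest attributes that fall outside an assumed per-scope attribute set, and counts the resulting "unrecognized group attribute" warnings so the two can be compared. The attribute sets and the sample log lines are constructed assumptions drawn from what the posted responses contain, not LLDAP's schema.

```python
"""Triage helper for the LLDAP log shape shown in this issue.

Added example, not code from the issue, Authelia or LLDAP.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: derived from the attributes visible in the issue's responses,
# not from LLDAP's schema. Adjust for the server you are checking.
KNOWN_ATTRS = {
    "users": {"uid", "mail", "cn", "displayname", "memberof", "objectclass"},
    "groups": {"cn", "member", "uniquemember", "objectclass"},
}

SEARCH_RE = re.compile(
    r'msgid: (?P<msgid>\d+), op: SearchRequest\(LdapSearchRequest \{ '
    r'base: "(?P<base>[^"]+)".*?attrs: \[(?P<attrs>[^\]]*)\]'
)
WARN_RE = re.compile(r"\[warn\]: Ignoring unrecognized group attribute: (?P<attr>\w+)")

# Constructed sample in the issue's log format: the user search (msgid 2), the
# group search (msgid 3) and two of the per-group warnings the latter triggers.
SAMPLE_LOG = r"""
2024-05-14T09:55:42.431454558+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "OU=people,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 1, timelimit: 0, typesonly: false, filter: And([Equality("uid", "user1"), Equality("objectClass", "person")]), attrs: ["uid", "mail", "cn", "memberOf"] }), ctrl: [] }
2024-05-14T09:55:42.473612639+00:00  DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "OU=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("member", "uid=user1,ou=people,dc=example,dc=com"), Equality("objectClass", "groupOfUniqueNames")]), attrs: ["cn", "memberOf"] }), ctrl: [] }
2024-05-14T09:55:42.476728449+00:00  WARN        │  ┝━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
                               To disable this warning, add it to "ignored_group_attributes" in the config.
2024-05-14T09:55:42.476733970+00:00  WARN        │  ┕━ 🚧 [warn]: Ignoring unrecognized group attribute: memberof\n\
                               To disable this warning, add it to "ignored_group_attributes" in the config.
"""


@dataclass
class SearchFinding:
    msgid: int
    base: str
    scope: str          # "users", "groups" or "unknown"
    requested: list     # attributes the client asked for
    unrecognised: list  # requested attributes outside KNOWN_ATTRS[scope]


def scope_for_base(base: str) -> str:
    """Map a search base DN to LLDAP's users/groups scope.

    ASSUMPTION: the leading RDN names the organisational unit, as in the
    issue (OU=people / OU=groups); anything else is reported as "unknown".
    """
    first_rdn = base.split(",", 1)[0].strip().lower()
    return {"ou=people": "users", "ou=groups": "groups"}.get(first_rdn, "unknown")


def parse_search_requests(log: str) -> list:
    """Return one SearchFinding per SearchRequest line in the log."""
    findings = []
    for m in SEARCH_RE.finditer(log):
        attrs = [a.strip().strip('"') for a in m.group("attrs").split(",") if a.strip()]
        scope = scope_for_base(m.group("base"))
        known = KNOWN_ATTRS.get(scope)
        # Only judge attributes when the scope is known; otherwise flag nothing.
        bad = [a for a in attrs if known is not None and a.lower() not in known]
        findings.append(SearchFinding(int(m.group("msgid")), m.group("base"), scope, attrs, bad))
    return findings


def count_group_attribute_warnings(log: str) -> dict:
    """Count LLDAP 'unrecognized group attribute' warnings per attribute name."""
    counts = {}
    for m in WARN_RE.finditer(log):
        counts[m.group("attr")] = counts.get(m.group("attr"), 0) + 1
    return counts


def diagnose(log: str) -> list:
    """Summarise which request asked for an attribute the server ignores and
    how many warnings followed (the issue's log shows one per returned group)."""
    warnings = count_group_attribute_warnings(log)
    lines = []
    for f in parse_search_requests(log):
        for attr in f.unrecognised:
            n = warnings.get(attr.lower(), 0)
            lines.append(f"msgid {f.msgid} ({f.scope} search under {f.base}) requested "
                         f"'{attr}', which the server does not know; {n} warning(s) seen")
    return lines


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print(line)
```

Running it against real LLDAP debug output (paste the lines into SAMPLE_LOG or read them from a file) shows at a glance which client request is responsible for the warning flood, which is the first question to answer before touching either side's configuration.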

glime-ai bot commented May 14, 2024

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.


To address the issue of Authelia querying the non-existing memberof attribute for groups when using the lldap LDAP implementation, you can modify the LDAP attribute mappings in Authelia's configuration to ensure it does not request attributes that are not supported by your LDAP implementation.

In your current configuration, Authelia is likely using default settings or explicit settings that include the memberof attribute. Since lldap does not recognize this attribute, you need to adjust the LDAP attribute mappings in Authelia to exclude memberof.

Here’s how you can adjust the configuration:

  1. Identify the Attribute Mappings: Check your Authelia configuration for any mappings that include memberof. This could be in the user or group attribute mappings.

  2. Modify the Configuration: Remove or comment out the lines that map or request the memberof attribute. Ensure that the attributes you configure are supported by lldap.

  3. Restart Authelia: After making changes to the configuration, restart Authelia to apply the changes.

Here is an example of how you might adjust the LDAP settings in the Authelia configuration:

authentication_backend:
  ldap:
    address: 'ldap://lldap:3890'
    implementation: 'lldap'
    base_dn: 'dc=example,dc=com'
    user: 'uid=authelia_bind_user,ou=people,dc=example,dc=com'
    attributes:
      username: 'uid'
      mail: 'mail'
      display_name: 'cn'  # Assuming 'cn' is used for display names in your LDAP
      # member_of: 'memberOf'  # Remove or comment out this line if 'memberOf' is not supported

Make sure to adjust the attribute names according to what is supported by lldap and what is required by your Authelia setup.

If you continue to encounter issues or need to customize the behavior further, consider consulting the Authelia documentation or seeking support from the Authelia community or the maintainers of the lldap implementation.

This comment was generated by Glime.
