Comments (15)

nitnelave avatar nitnelave commented on June 19, 2024

It looks like a simple syntax error: you're missing (| at the beginning, and authelia is not helping you see that. Filters are s-expressions, so of the form (function arg1 arg2 arg3) where each arg can be an s-expression itself. You're just missing the top-level OR, the function |.

from lldap.

a1730 avatar a1730 commented on June 19, 2024

S-what!? 6-001 again!? Unfortunately I bummed through that class 😊

Anyway, guessing your meaning, I tried groups_filter: (|(member={dn})(&(member={dn})(objectClass=groupOfNames))(&(uniquemember={dn})(objectclass=groupOfUniqueNames))) and met with natural failure of lack of understanding.

I am too beat up by the authelia/LLDAP combo that I will appreciate an expression that I can paste in authelia configuration.
Can you do that for me please? Provide an S-expression to cut&paste into Authelia. The information in the LLDAP example_config does not work.

Thank you.

nitnelave avatar nitnelave commented on June 19, 2024

Hmm, it seems I was carried away by an early diagnosis (I still stand by my explanation about the syntax error, but now I see that it doesn't change anything).

Your more complex query doesn't change anything, it will return the same thing as the one in the example config, which is correct. Looking at the LLDAP logs, I see that it returns the 2 groups that contain authtest. So the error must be somewhere else. Can I see your authelia config, and any relevant authelia logs?

a1730 avatar a1730 commented on June 19, 2024

This is the current state.

```yaml
ldap:
  implementation: custom
  address: 'ldap://127.0.0.1:389'
  timeout: 5s
  base_dn: dc=example,dc=com

  attributes:
    display_name: displayName
    group_name: cn
    mail: mail
    username: uid

  additional_users_dn: ou=people
  users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
  additional_groups_dn: ou=groups

  # NoWork groups_filter: (&(member={dn})(objectClass=groupOfNames))
  # NoWork groups_filter: (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
  # https://www.reddit.com/r/selfhosted/comments/158quyz/comment/jtdjpuj/
  ## (&(member={dn})(objectclass=group)) --> groups_filter: (&(member={dn})(objectclass=groupOfUniqueNames))

  # Only this filter is supported right now
  # https://raw.githubusercontent.com/lldap/lldap/main/example_configs/authelia_config.yml
  # groups_filter: "(member={dn})"
  groups_filter: "(member={dn})"

  # permit_referrals: false
  permit_unauthenticated_bind: false
```

a1730 avatar a1730 commented on June 19, 2024

I need to add that I am currently on a released version v0.5.0.

I am working to deploy a newer build from here https://github.com/lldap/lldap/actions/runs/7449328497

nitnelave avatar nitnelave commented on June 19, 2024

That looks fine, and seems to yield the correct response from LLDAP. I wonder what's going on on authelia's side. Any interesting logs?

a1730 avatar a1730 commented on June 19, 2024

I know nothing about LDAP but it seems the query is wrong but please indulge me.
What group search query should I send with any LDAP client to LLDAP to return 'group1' from the following result?

response: SearchResultEntry(LdapSearchResultEntry { dn: "cn=group1,ou=groups,dc=example,dc=com", attributes: [LdapPartialAttribute { atype: "cn", vals: ["group1"] }] })

I would like to hard code that query into authelia config, and see what happens. Then I can start playing with the ors and ands.

nitnelave avatar nitnelave commented on June 19, 2024

That would be (cn="group1") or the even more explicit (dn="uid=group1,ou=groups,dc=...")

But I don't think that's necessary. The query as it is is "give me all the groups that contain the user authtest", and it returns group1 and group2.

Look, I have experience debugging integrations with LLDAP, and in this case it's not an LLDAP problem: the query and the response over LDAP look fine. I'm guessing there's something wrong on the authelia side, so I'll ask once more: are there any relevant Authelia logs?

a1730 avatar a1730 commented on June 19, 2024

@nitnelave
It feels like I have exhausted your patience. I am very sorry for this, and I will move along shortly.
FWIW, I tried (cn="group1"), and got this result:

```text
INFO ┕━ LDAP request [ 2.08ms | 0.10% / 1.79% ]
DEBUG ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: SearchRequest(LdapSearchRequest { base: "ou=groups,dc=example,dc=com", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: Equality("cn", ""group1""), attrs: ["cn"] }), ctrl: [] }
DEBUG ┝━ do_search [ 1.96ms | 0.66% / 1.69% ]
DEBUG │ ┝━ 🐛 [debug]: | request.base: "ou=groups,dc=example,dc=com" | scope: Groups
DEBUG │ ┕━ get_groups_list [ 1.19ms | 0.04% / 1.03% ]
DEBUG │ ┝━ 🐛 [debug]: | filters: DisplayName(GroupName(""group1""))
DEBUG │ ┕━ list_groups [ 1.15ms | 0.99% ] filters: Some(DisplayName(GroupName(""group1"")))
DEBUG │ ┕━ 🐛 [debug]: | return: []
DEBUG ┕━ 🐛 [debug]: | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
```

I keep thinking it has to do with LLDAP because I see 🐛 [debug]: | return: [] but you are right, I don't know what I am talking about. BTW, I have installed ldapsearch so I can "learn to fish."

Thank you for sharing a better part of your day with me. I truly appreciate the timely support.
Moving right along ...

nitnelave avatar nitnelave commented on June 19, 2024

Aha, don't worry, you haven't exhausted my patience! Btw, the filter I gave you was wrong, you don't need the quotes so it should be (cn=group1).

It's just that I don't have access to your system, and all the information you give me points to a misinterpretation of the LDAP response by Authelia. Which is why I'm once more asking you to look at the authelia logs.
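Added example, not code from LLDAP or Authelia: a small parser that turns filters like the ones exchanged above into the s-expressions nitnelave describes in the first comment (and rejects several side-by-side filters that lack the top-level `(|` or `(&`), plus an evaluator that runs them against constructed group entries shaped like the LLDAP SearchResultEntry in this thread. It also shows why `(cn="group1")` returns nothing while `(cn=group1)` matches: the quotes are part of the literal value. `USER_DN`, `GROUPS`, `search`, `render` and `filter_error` are names made up for this demonstration; the `{dn}`/`{input}` placeholders follow Authelia's config syntax as shown in the posted config, and the values substituted into them are RFC 4515-escaped first, which is what a real integration must do because `{input}` comes from the login form.

```python
"""Parse LDAP search filters (RFC 4515 syntax) into s-expressions and run them
against an in-memory stand-in for LLDAP's group tree.

Added example; not code from LLDAP or Authelia. USER_DN, OTHER_DN and GROUPS
are constructed to mirror the thread (user authtest, groups group1/group2).
"""
import re

ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value, so a substituted value can
    never change the structure of the filter it is placed in."""
    return "".join(ESCAPES.get(c, c) for c in value)

def render(template, **placeholders):
    """Substitute Authelia-style placeholders such as {dn} and {input}."""
    return template.format_map(
        {k: escape_filter_value(v) for k, v in placeholders.items()})

def parse_filter(text):
    """Parse one complete filter into a nested tuple. Raises ValueError for
    unbalanced parentheses or for several filters placed side by side without
    a top-level (&...) / (|...) around them."""
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing input at offset {pos}: {text[pos:]!r}; "
                         "wrap the top-level filters in (|...) or (&...)")
    return node

def _parse_node(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter")
    if text[pos] in "&|!":              # compound filter: (op child child ...)
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of arguments for '{op}'")
        node = (op, *children)
    else:                               # simple filter: (attr=value)
        end = text.find(")", pos)       # escaped values contain no raw ')'
        if end == -1:
            raise ValueError("missing ')'")
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)=(.*)", text[pos:end], re.S)
        if not m:
            raise ValueError(f"bad simple filter {text[pos:end]!r}")
        if m.group(2) == "*":           # presence filter, e.g. (cn=*)
            node = ("present", m.group(1))
        else:                           # decode \xx escapes back to characters
            value = re.sub(r"\\([0-9a-fA-F]{2})",
                           lambda h: chr(int(h.group(1), 16)), m.group(2))
            node = ("=", m.group(1), value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def filter_error(text):
    """Return the syntax error for a filter, or None when it parses cleanly."""
    try:
        parse_filter(text)
        return None
    except ValueError as err:
        return str(err)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-cased attribute name
    -> list of values). Names and values compare case-insensitively, which is
    why objectClass and objectclass behave the same in the thread."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1:])
    if op == "|":
        return any(matches(c, entry) for c in node[1:])
    if op == "!":
        return not matches(node[1], entry)
    if op == "present":
        return bool(entry.get(node[1].lower()))
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))

USER_DN = "uid=authtest,ou=people,dc=example,dc=com"
OTHER_DN = "uid=other,ou=people,dc=example,dc=com"

# Constructed group entries shaped like LLDAP's SearchResultEntry output.
GROUPS = [
    {"dn": ["cn=group1,ou=groups,dc=example,dc=com"], "cn": ["group1"],
     "objectclass": ["groupOfUniqueNames", "groupOfNames"],
     "member": [USER_DN, OTHER_DN], "uniquemember": [USER_DN, OTHER_DN]},
    {"dn": ["cn=group2,ou=groups,dc=example,dc=com"], "cn": ["group2"],
     "objectclass": ["groupOfUniqueNames", "groupOfNames"],
     "member": [USER_DN], "uniquemember": [USER_DN]},
    {"dn": ["cn=group3,ou=groups,dc=example,dc=com"], "cn": ["group3"],
     "objectclass": ["groupOfUniqueNames", "groupOfNames"],
     "member": [OTHER_DN], "uniquemember": [OTHER_DN]},
]

def search(filter_template, entries=GROUPS, **placeholders):
    """Render, parse and evaluate a filter; return the cn of each hit."""
    node = parse_filter(render(filter_template, **placeholders))
    return [e["cn"][0] for e in entries if matches(node, e)]

if __name__ == "__main__":
    print(search("(member={dn})", dn=USER_DN))   # ['group1', 'group2']
    print(search("(cn=group1)"))                 # ['group1']
    print(search('(cn="group1")'))               # [] : the quotes are literal
    print(filter_error("(member={dn})(&(member={dn})(objectClass=groupOfNames))"))
```

Run it as a script to see the three searches from the thread and the syntax error for the filter without its top-level `(|`. The `(|(member={dn})(&...)(&...))` filter a1730 tried and the plain `(member={dn})` from the example config return the same two groups here, which is the point nitnelave makes: the extra branches add nothing.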

a1730 avatar a1730 commented on June 19, 2024

Thanks for your compassion, and the gentle push back.
I looked carefully at Authelia ... lo and behold it was stripping out the groups, before returning the profile.
time="2024-01-12T19:58:31Z" level=trace msg="Profile details for user 'authtest' => groups: [group1 group2], emails [[email protected]]" method=POST path=/api/firstfactor remote_ip=0.0.0.0

It would seem that it was NOT LLDAP's fault (this time around 😏). The issue is between the chair and the computer.

Thanks again for your support.
I will close the issue if you wish.

a1730 avatar a1730 commented on June 19, 2024

I am very very sorry to have wasted your time yesterday. However, in case someone else comes around asking for them groups, I found out from Authelia devs that Authelia does not expose user groups at this time.

Thank you for your time.

nitnelave avatar nitnelave commented on June 19, 2024

Hey, don't be so hard on yourself, it was reasonable to suspect LLDAP, it's the less well-established player here, and I've had my share of reports where indeed we weren't responding with the expected info.

To help the next person, do you think you could make a small PR to drop a note in the authelia config explaining that the groups don't show up?

a1730 avatar a1730 commented on June 19, 2024

I would love to create a PR but don't do Git. I tried to add the information directly to your repo yesterday but GitHub told me that I do not have write access, so I moved right along.
Thank you.

james-d-elliott avatar james-d-elliott commented on June 19, 2024

To clarify for anyone else looking at this, Authelia absolutely does provide identity information to third parties which includes user groups. We support two practical and relatively standard methods for doing this via Response Headers (which can be securely and transparently added to Request Headers via our proxy integrations) and as an OpenID Connect 1.0 provider.

The issue in this instance was assuming what was returned at a particular API endpoint instead of checking the OpenAPI 3.0 documentation of the endpoints; I don't think LLDAP documenting these endpoints and usages when they are intended for usage with the Authelia portal would be too helpful unless I'm misunderstanding something?

It should also be noted we have a coming implementation template that includes several attribute values, filters, etc. which will ease integration of LLDAP with Authelia (we would also welcome any contributions or feedback via appropriate channels, also these values can mostly be used with the current release as a great starting point):

https://authelia-next.netlify.app/reference/guides/ldap/

Want to also say I appreciate all the troubleshooting nitnelave performed.