Trouble setting up LDAP sync
I'm currently trying to set up LDAP syncing with my local Authentik instance.
I created everything needed to make LDAP queries and tested querying the server from the Homarr container. Here's the command I used from a shell attached to the Homarr Docker container; it returned the list of users in my LDAP server:
ldapsearch -x -H $AUTH_LDAP_URI -D "$AUTH_LDAP_BIND_DN" -b "$AUTH_LDAP_BASE" '(objectClass=user)' -w "$AUTH_LDAP_BIND_PASSWORD"
Here's my docker compose file so far:
Thank you for submitting a support request.
Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Both authentik (LDAP server) and Homarr 0.15.6 containers run on a Debian server
I can also confirm that the user "test" works and that I can log in to it
Hi, why would you want to use LDAP if you have authentik? Authentik is an OIDC provider, not LDAP
If you do have a proper reason (to each their own really, it's fine), it seems LDAP is getting stuck on searching for the user; that would mean the filter is improper, maybe?
LDAP is really confusing tbh and query parameters even more.
Also, you mentioned the user "test" works; although the issue was supposed to be fixed, does your user have any non-alphanumeric characters in it? Anything with accents or special characters?
Solution
Because I currently have two layers of security, one for accessing the app (forward auth) which was already configured, and one for logging in and modifying boards (LDAP).
Authentik doesn't allow for backchannel (secondary) providers for OIDC so I gave LDAP a shot.
Now that you mention it, it might be a good idea to migrate both into a single OIDC provider if it's better supported by Homarr.
It's a passphrase consisting of letters, numbers and dashes (-) so nothing too fancy I guess
Well, the advantage of OIDC is that you can enable auto login, meaning that once you've connected through the authentik page, you'll automatically be logged in to homarr too, which is nice.
Your username is a passphrase?
no this is the password, username is just "test"
That's great, I was wondering if that was the case or not; then switching to OIDC seems like a great idea
Oh ok, I misunderstood. I thought you said that you had a user named "test" that was working with homarr but not a real account. What you meant is that the user is valid but not recognized by homarr
that's it yeah
It's really great, even if you try accessing any app that makes you go through authentik, as long as the session is still valid, you can then go to homarr and the login process goes automatically
just remember to also add the AUTH_OIDC_AUTO_LOGIN env var as well
gotcha, thanks
Okay so I tried to set up everything but it looks like I'm stuck in a redirection loop when accessing Homarr, whether or not I'm connected to Authentik (tried in Incognito mode and another browser)
this might be because you need NEXTAUTH_URL
Oh, it's not mentioned in the docs, what should I set it to?
your homarr url
Yeah sorry, it's actually a bug from, I'm not sure who, either us or nextauth. The automatic setup of the value is not proper and you have to manually set it.
It is extensively referenced in about every thread about OIDC tbf
I looked at other threads and I don't have the same error from logs, seems like I got 404 instead of the classic 302
I am guessing there might be something wrong in the URI?
I have these two envs
NEXTAUTH_URL="https://homarr.domain.tld"
AUTH_OIDC_URI="https://authentik.domain.tld/application/o/homarr"
oh ok
Well now I have the 301
and the redirect URL in the OIDC setup needs to be "https://homarr.domain.tld/api/auth/callback/oidc"
You followed the example in the docs for the OIDC setup?
Alright, when you log in, what page are you getting stuck on and what is the URL of said page?
OIDC has a tendency to give the error in the URL instead of in logs
Ok well I think I found the issue
I had a trailing slash for the AUTH_OIDC_URI URL
:facepalm:
Hey, sorry, I ended up covering my discord and didn't see.
Trailing slashes are a bane
is it all working then?
Yep tested for myself and a friend of mine's credentials, thanks for your time!
@Tag I just created a PR to clarify the URI in the docs
https://github.com/homarr-labs/documentation/pull/126
docs: Clarify OIDC issuer URI setup by Larsluph · Pull Request #126...
Actually I think I know what might have happened: if you copied the link I had sent in discord, discord is the one that adds trailing slashes. Really annoying
If you didn't though, it's a nice reminder.
Thanks for contributing 🙂
I think I copied the one from authentik directly, it does include a slash there. I just always forget that the trailing slash means something for some parsers
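As an added example (not code from this thread, from Homarr or from Authentik): a small pre-flight check, in Python, for the two environment variables the thread ended up on. It strips a trailing slash from AUTH_OIDC_URI, reports it as a problem, and derives the redirect URL that must be registered on the provider side. The variable names NEXTAUTH_URL, AUTH_OIDC_URI and AUTH_OIDC_AUTO_LOGIN and the callback path /api/auth/callback/oidc are taken from the replies above; the discovery path /.well-known/openid-configuration is the standard OIDC one; the assumption that AUTH_OIDC_AUTO_LOGIN is enabled with the literal value "true" and the sample env dict are constructed for the example.

```python
"""Pre-flight check for Homarr OIDC env vars (added example, not project code).

Assumed: AUTH_OIDC_AUTO_LOGIN is enabled with the literal value "true".
Standard OIDC: the discovery document lives at <issuer>/.well-known/openid-configuration.
"""
from urllib.parse import urlsplit, urlunsplit

CALLBACK_PATH = "/api/auth/callback/oidc"          # quoted in the thread
DISCOVERY_PATH = "/.well-known/openid-configuration"  # standard OIDC discovery path


def naive_discovery_url(issuer: str) -> str:
    """Plain string concatenation, as a naive client might do it.

    With a trailing slash on the issuer this yields ".../homarr//.well-known/...",
    which is why the thread's configuration broke."""
    return issuer + DISCOVERY_PATH


def normalize_issuer(issuer: str):
    """Return (issuer without trailing slash, list of problems found)."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer should use https")
    if not parts.netloc:
        problems.append("issuer has no host")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query string or fragment")
    path = parts.path
    if path.endswith("/"):
        problems.append("issuer has a trailing slash; remove it")
        path = path.rstrip("/")
    cleaned = urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    return cleaned, problems


def check_oidc_env(env: dict) -> dict:
    """Validate the OIDC-related variables and derive the URLs that must match.

    Returns a report with 'errors' (blocking), 'warnings' and, when both
    variables are present, the normalized issuer, the discovery URL the
    client will fetch and the redirect URI to register on the provider."""
    report = {"errors": [], "warnings": []}
    nextauth_url = env.get("NEXTAUTH_URL")
    issuer = env.get("AUTH_OIDC_URI")
    if not nextauth_url:
        report["errors"].append("NEXTAUTH_URL is not set; set it to the Homarr URL")
    if not issuer:
        report["errors"].append("AUTH_OIDC_URI is not set")
    if report["errors"]:
        return report

    base, problems = normalize_issuer(issuer)
    report["warnings"].extend(problems)
    report["issuer"] = base
    report["discovery_url"] = base + DISCOVERY_PATH
    # The provider must have exactly this redirect URI registered.
    report["redirect_uri"] = nextauth_url.rstrip("/") + CALLBACK_PATH
    # Assumption: "true" enables auto login (value format not confirmed by the thread).
    if env.get("AUTH_OIDC_AUTO_LOGIN", "").lower() != "true":
        report["warnings"].append("AUTH_OIDC_AUTO_LOGIN is not enabled; no automatic login")
    return report


if __name__ == "__main__":
    # Constructed sample env reproducing the trailing-slash mistake from the thread.
    sample_env = {
        "NEXTAUTH_URL": "https://homarr.domain.tld",
        "AUTH_OIDC_URI": "https://authentik.domain.tld/application/o/homarr/",
    }
    print("naive join:", naive_discovery_url(sample_env["AUTH_OIDC_URI"]))
    for key, value in check_oidc_env(sample_env).items():
        print(f"{key}: {value}")
```

Run it against the values from your compose file before starting the container; a trailing slash on the issuer shows up as a warning, the double slash in the naive join shows why it matters, and the printed redirect_uri is the value to paste into the provider's redirect URL field.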