Homarr, 2mo ago
Larsluph

Trouble setting up LDAP sync

I'm currently trying to set up LDAP syncing with my local Authentik instance. I created everything needed to make LDAP queries and tested querying the server from the Homarr container. Here's the command I used from a shell attached to the Homarr docker container; it returned the list of users in my LDAP server:

```shell
# -x: simple bind. -w puts the bind password on the command line (visible in `ps`);
# -W prompts for it instead. ldapsearch searches the whole subtree (-s sub) by default.
ldapsearch -x -H "$AUTH_LDAP_URI" -D "$AUTH_LDAP_BIND_DN" -b "$AUTH_LDAP_BASE" \
  '(objectClass=user)' -w "$AUTH_LDAP_BIND_PASSWORD"
```

Here's my docker compose file so far:
```yaml
services:
  homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - "${HOMARR_CONFIG}/configs:/app/data/configs"
      - "${HOMARR_CONFIG}/icons:/app/public/icons"
      - "${HOMARR_CONFIG}/data:/data"
      # the Docker socket gives the container full control of the host's Docker daemon
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      DEFAULT_COLOR_SCHEME: dark
      PORT: ${HOMARR_PORT}
      AUTH_PROVIDER: ldap
      # plain ldap:// sends the bind password unencrypted across the bridge network
      AUTH_LDAP_URI: "ldap://host.docker.internal"
      AUTH_LDAP_BASE: "${LDAP_BASE_DN}"
      AUTH_LDAP_BIND_DN: "${LDAP_BIND_USER}"
      AUTH_LDAP_BIND_PASSWORD: "${LDAP_BIND_PWD}"
      AUTH_LDAP_ADMIN_GROUP: "authentik Admins"
      AUTH_LDAP_OWNER_GROUP: "authentik Admins"
```
31 Replies
Cakey Bot, 2mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Larsluph (OP), 2mo ago
[screenshot attachment]
Larsluph (OP), 2mo ago
```text
homarr | user test is trying to log in using LDAP. Connecting to LDAP server...
homarr | Connection established. Searching User...
homarr |
homarr | ERROR User not found in LDAP
homarr |
homarr | at Object.authorize (.next/server/chunks/7534.js:107:34)
homarr | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
homarr | at async Object.callback (node_modules/next-auth/core/routes/callback.js:362:14)
homarr | at async AuthHandler (node_modules/next-auth/core/index.js:302:28)
homarr | at async NextAuthApiHandler (node_modules/next-auth/next/index.js:22:19)
homarr | at async auth (.next/server/pages/api/auth/[...nextauth].js:143:12)
homarr |
homarr | user asd is trying to log in using LDAP. Connecting to LDAP server...
homarr | Connection established. Searching User...
homarr |
homarr | ERROR User not found in LDAP
homarr |
homarr | at Object.authorize (.next/server/chunks/7534.js:107:34)
homarr | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
homarr | at async Object.callback (node_modules/next-auth/core/routes/callback.js:362:14)
homarr | at async AuthHandler (node_modules/next-auth/core/index.js:302:28)
homarr | at async NextAuthApiHandler (node_modules/next-auth/next/index.js:22:19)
homarr | at async auth (.next/server/pages/api/auth/[...nextauth].js:143:12)
homarr |
```
Both authentik (LDAP server) and Homarr 0.15.6 containers run on a Debian server
Larsluph (OP), 2mo ago
I can also confirm that the user test works and that I can log in to it
[screenshot attachment]
Serenaphic, 2mo ago
Hi, why would you want to use LDAP if you have authentik? Authentik is an OIDC provider, not LDAP. If you do have a proper reason (To each their own really, it's fine), it seems ldap is getting stuck on searching for the user, that would mean the filter is improper maybe? LDAP is really confusing tbh and query parameters even more. Also, you mentioned the user "test" to work, although the issue was supposed to be fixed, does your user have any non alphanumerical characters in it? anything with accent or special characters?
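An added example, written for this thread and not code from Homarr or from either participant, that reproduces an application-side LDAP user lookup offline so the two usual causes of "User not found" can be checked: the filter (with RFC 4515 escaping of the login name, which also keeps a crafted username from rewriting the filter) and the search scope (a manual ldapsearch searches the whole subtree by default, while an app configured for scope `base` or `one` sees fewer entries). The directory entries, base DN, object class `user` and attribute `cn` are constructed assumptions; Homarr's real attribute, class and scope settings come from its AUTH_LDAP_* variables, so compare against the docs for the version you run.

```python
"""Added example, not Homarr's code: reproduce an app-side LDAP user lookup
offline. Directory content below is constructed sample data."""
from __future__ import annotations

import shlex

# RFC 4515 section 3: characters that must be escaped inside a filter value;
# without this, a login name such as "*)(objectClass=*" rewrites the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed defaults; Homarr's real values come from its AUTH_LDAP_* settings.
OBJECT_CLASS = "user"
USERNAME_ATTR = "cn"

BASE_DN = "dc=example,dc=org"  # constructed
SAMPLE_DIRECTORY = [  # (dn, attributes), constructed to mimic a small LDAP tree
    (BASE_DN, {"objectClass": ["top", "domain"]}),
    ("ou=users," + BASE_DN, {"objectClass": ["organizationalUnit"]}),
    ("cn=test,ou=users," + BASE_DN,
     {"objectClass": ["user", "organizationalPerson"], "cn": ["test"], "mail": ["test@example.org"]}),
    ("cn=asd,ou=users," + BASE_DN, {"objectClass": ["user"], "cn": ["asd"]}),
]


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str, object_class: str = OBJECT_CLASS, attr: str = USERNAME_ATTR) -> str:
    """The filter an app would send to find one user by login name."""
    return f"(&(objectClass={object_class})({attr}={escape_filter_value(username)}))"


def _norm_dn(dn: str) -> str:
    # enough for the constructed DNs here; real clients use a DN parser
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Search scope as the server applies it: base = the base entry only,
    one = its direct children only, sub = the whole subtree."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    dn, base = _norm_dn(dn), _norm_dn(base)
    if dn == base:
        return scope != "one"
    if scope == "base" or not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]  # RDNs between the entry and the base
    return scope == "sub" or "," not in relative


def find_user(entries, base: str, scope: str, username: str,
              attr: str = USERNAME_ATTR, object_class: str = OBJECT_CLASS) -> list[str]:
    """DNs that user_filter(username) would match within the given scope."""
    hits = []
    for dn, attrs in entries:
        if not in_scope(dn, base, scope):
            continue
        if object_class.lower() not in {c.lower() for c in attrs.get("objectClass", [])}:
            continue
        # escaping only protects the filter syntax; the server compares the
        # literal login name, so an injection string matches nothing
        if username in attrs.get(attr, []):
            hits.append(dn)
    return hits


def ldapsearch_cmd(uri: str, bind_dn: str, base: str, username: str, scope: str = "sub") -> str:
    """Manual check that mirrors the app's lookup. -s makes the scope explicit
    (ldapsearch defaults to sub); -W prompts for the bind password instead of
    exposing it in the process list the way -w does."""
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", base, "-s", scope, user_filter(username)]
    return shlex.join(argv)


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(f"scope={scope}: {find_user(SAMPLE_DIRECTORY, BASE_DN, scope, 'test')}")
    print(ldapsearch_cmd("ldap://host.docker.internal", "cn=bind,dc=example,dc=org", BASE_DN, "test"))
```

Run it and only scope `sub` finds `cn=test`; then run the printed ldapsearch line with `-s` set to whatever the app is configured for, and the manual test stops proving more than the app actually does.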
Solution
Larsluph, 2mo ago
Because I currently have two layers of security, one for accessing the app (forward auth) which was already configured, and one for logging in and modifying boards (LDAP). Authentik doesn't allow for backchannel (secondary) providers for OIDC so I gave LDAP a shot. Now that you mention it, it might be a good idea to migrate both into a single OIDC provider if it's better supported by Homarr.
Larsluph (OP), 2mo ago
It's a passphrase consisting of letters, numbers and dashes (-) so nothing too fancy I guess
Serenaphic, 2mo ago
Well, the advantage of OIDC is that you can enable auto login, meaning that once you've connected through the authentik page, you'll automatically be logged in to homarr too, which is nice. Your username is a passphrase?
Larsluph (OP), 2mo ago
no this is the password, username is just "test". That's great, I was wondering if it was the case or not, then switching to OIDC seems like a great idea
Serenaphic, 2mo ago
Oh ok I misunderstood. I thought you said that you had a user named "test" that was working with homarr but not a real account. What you meant is that the user is valid but not recognized by homarr
Larsluph (OP), 2mo ago
that's it yeah
Serenaphic, 2mo ago
It's really great, even if you try accessing any app that makes you go through authentik, as long as the session is still valid, you can then go to homarr and the login process goes automatically. Just remember to also add the AUTH_OIDC_AUTO_LOGIN env var as well
Larsluph (OP), 2mo ago
gotcha, thanks. Okay so I tried to set up everything but it looks like I'm stuck in a redirection loop when accessing Homarr, whether or not I'm connected to Authentik (tried in Incognito mode and another browser)
Serenaphic, 2mo ago
this might be because you need NEXTAUTH_URL
Larsluph (OP), 2mo ago
oh, it's not mentioned in the docs, what should I set it to?
Serenaphic, 2mo ago
your homarr url. Yeah sorry, it's actually a bug from I'm not sure who between us or nextauth. The automatic setup of the value is not proper and you have to manually set it. It is extensively referenced in about every thread about OIDC tbf
Larsluph (OP), 2mo ago
I looked at other threads and I don't have the same error from logs, seems like I got 404 instead of the classic 302
```text
[next-auth][error][SIGNIN_OAUTH_ERROR]
homarr | https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 404 Not Found {
homarr | error: {
homarr | message: 'expected 200 OK, got: 404 Not Found',
homarr | stack: 'OPError: expected 200 OK, got: 404 Not Found\n' +
homarr | ' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
homarr | ' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
homarr | ' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
homarr | ' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
homarr | ' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
homarr | ' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
homarr | ' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
homarr | ' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
homarr | ' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
homarr | name: 'OPError'
homarr | },
homarr | providerId: 'oidc',
homarr | message: 'expected 200 OK, got: 404 Not Found'
homarr | }
```
Serenaphic, 2mo ago
I am guessing there might be something wrong in the URI?
Larsluph (OP), 2mo ago
I have these two envs
```yaml
AUTH_OIDC_URI: ${AUTHENTIK_BASE_URL}
NEXTAUTH_URL: ${HOMARR_BASE_URL}
```
Larsluph (OP), 2mo ago
oh ok Well now I have the 301
Serenaphic, 2mo ago
and the redirect URL in the OIDC setup needs to be "https://homarr.domain.tld/api/auth/callback/oidc" You followed the example in the docs for the OIDC setup?
Larsluph (OP), 2mo ago
Well I had "https://homarr.domain.tld/.*" set up, even with a fixed path it doesn't work :c yup
Serenaphic, 2mo ago
Alright, when you log in, what page are you getting stuck on and what is the URL of said page? OIDC has a tendency to give the error in the URL instead of in logs
Larsluph (OP), 2mo ago
Ok well I think I found the issue, I had a trailing slash for the AUTH_OIDC_URI URL :facepalm:
Serenaphic, 2mo ago
Hey, sorry I ended up covering my discord and didn't see. Trailing slashes are a bane. Is it all working then?
Larsluph (OP), 2mo ago
Yep tested for myself and a friend of mine's credentials, thanks for your time!
Larsluph (OP), 2mo ago
@Tag I just created a PR to clarify the URI in the docs https://github.com/homarr-labs/documentation/pull/126
GitHub: docs: Clarify OIDC issuer URI setup by Larsluph · Pull Request #126...
Serenaphic, 2mo ago
Actually I think I know what might have happened, if you copied the link I had sent in discord, discord is the one that adds trailing slashes. Really annoying. If you didn't though, it's a nice reminder. Thanks for contributing 🙂
Larsluph (OP), 2mo ago
I think I copied the one from authentik directly, it does include a slash there. I just always forgot that the trailing slash means something for some parsers
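An added example for the trailing-slash point above, written for this thread and not code from Homarr, next-auth or Authentik. It shows why a `/` at the end of the issuer matters twice: building the discovery URL by plain concatenation (an assumption about how the 404 in the thread arose) produces `//.well-known/...`, which the provider does not serve, while the issuer comparison the relying party must do afterwards is an exact string match, so the slash cannot simply be dropped everywhere. It also carries the exact-match rule over to the redirect URI that was discussed. The issuer, endpoints and discovery document are constructed sample data, shaped like an Authentik issuer with its trailing slash.

```python
"""Added example, not Homarr's, next-auth's or Authentik's code: what a
trailing slash on the configured issuer does to OIDC discovery, and the
checks a relying party should run on what it fetched. Constructed data."""
from __future__ import annotations

import json
from urllib.parse import urlsplit

WELL_KNOWN = ".well-known/openid-configuration"

# Constructed issuer in the shape the provider displays, trailing slash included.
ISSUER = "https://auth.example.com/application/o/homarr/"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://auth.example.com/application/o/homarr/",
  "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
  "token_endpoint": "https://auth.example.com/application/o/token/",
  "jwks_uri": "https://auth.example.com/application/o/homarr/jwks/"
}""")


def naive_discovery_url(issuer: str) -> str:
    """Plain concatenation. If the relying party builds the URL this way (an
    assumption about how the 404 in the thread arose), an issuer ending in
    '/' yields '//.well-known/...', which the provider does not serve."""
    return f"{issuer}/{WELL_KNOWN}"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery 4.1: remove any terminating '/' from the issuer before
    appending '/.well-known/openid-configuration'. Also refuse what section 3
    rules out for an issuer identifier: non-https, or a query or fragment."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    return issuer.rstrip("/") + "/" + WELL_KNOWN


def check_discovery(configured_issuer: str, document: dict) -> list[str]:
    """Problems with a fetched discovery document; empty means acceptable.
    Discovery 4.3 requires the document's issuer to be identical to the issuer
    URL that was used, and Core 3.1.3.7 later compares the ID token's iss
    claim against that value exactly, so a trailing-slash difference is a
    real mismatch rather than cosmetic."""
    problems = []
    if document.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"document says {document.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = document.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def redirect_uri_allowed(registered: list[str], requested: str) -> bool:
    """Exact string match, the OAuth 2.0 Security BCP rule. A pattern such as
    'https://homarr.domain.tld/.*' accepts any path on the host; register
    only the single callback path the app actually uses."""
    return requested in registered


if __name__ == "__main__":
    print("naive :", naive_discovery_url(ISSUER))
    print("spec  :", discovery_url(ISSUER))
    print("checks:", check_discovery(ISSUER, SAMPLE_DISCOVERY) or "ok")
    print("strip :", check_discovery(ISSUER.rstrip("/"), SAMPLE_DISCOVERY))
```

The practical reading: set AUTH_OIDC_URI to exactly the issuer the provider advertises, then fetch `discovery_url(issuer)` with curl and confirm the `issuer` field in the response is byte-for-byte the value you configured; if the two differ only by a slash, pick the one the provider returns, since that is what the ID token's `iss` claim will carry.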