Seems when adding attributes to the group schema, it's not keeping case on the attribute. **Example**: I created attribute with name: groupType Looks like in lldap its just created it as grouptype all lowercase, and when using a search mapping of groupType it's not found. I'll take a further look, it may be an issue with backstages mappers

Hey it seems I've locked out of my admin in lldap. How can I reset the password?

Is there any way to get the key seed and jwt key? I've accidentally deleted the env file Nevermind, I've got it, I just changed keys, and changed passwords for my users. Luckily I didn't have that many. Its now in ZFS, so I can restore it if I delete it now. Learned that lesson.

How does the user defined attributes work? I have a python script that is searching a user and while i can pull back the group memberships i do not see the user attributes

I am attempting to setup LLDAP as the backend for my home assistant users but am having a problem authenticating. I have enabled verbose logging and this is the error message I am getting in LLDAP. I am using the script provided on Github but am unsure what i have done wrong. Thanks for the help.

lldap  | 2024-12-04T17:03:47.872151636+00:00  INFO     ｉ [info]: LDAP session start: b411daa3-3db1-4f65-8a3b-05093964a666
lldap  | 2024-12-04T17:03:47.872195089+00:00  ERROR    🚨 [error]: Message is not constructed
lldap  | 2024-12-04T17:03:47.872206950+00:00  INFO     LDAP request [ 3.41µs | 100.00% ] session_id: b411daa3-3db1-4f65-8a3b-05093964a666
lldap  | 2024-12-04T17:03:47.872312744+00:00  ERROR    🚨 [error]: [LDAP] Service Error: while handling incoming messages: while receiving LDAP op: The LDAP msg contains invalid BER

Hi Folks, I just set up LLDAP in a docker container. The web GUI works and I crated an aditional user. For a first test I wanted to try a call via curl. As LLDAP_LDAP_BASE_DN I gave it: dc=unraid,dc=fritz,dc=box I tried around, for example: curl -u admin:password ldap://unraid.fritz.box:3890/ curl -u admin:password ldap://unraid.fritz.box:3890/dc=unraid,dc=fritz,dc=box But always get the response: curl: (38) LDAP: cannot bind In Wireshark I saw in the response: "Missing DN value". Agaist this puplic testserver my curl request was successfull: https://www.forumsys.com/2022/05/10/online-ldap-test-server/ Can someone help me what I am doing wrong or how I have to write my curl command?

Hm, if I try to provide the server_key file through either the conf key "server_key_file" or the env var "LLDAP_SERVER_KEY_FILE", I get the following error on startup: `lldap-start[2672]: Error: Could not open

/run/secrets/lldap-server-key

from config value `server_key_file`: stream did not contain valid UTF-8 in /nix/store/a92szmxz1iqgqk3hlsvg26np5wxhr0vj-lldap_config.toml TOML file` The file is binary data, generated by lldap itself previously. Isn't it incorrect to check if it's valid UTF8?

Hello, for some time, i can't load webpage from LLDAP because

text/html MIME is forbidden

. I think i have a problem with

X-Content-Type-Options

but why ? I have this problem with and without reverse-proxy. How to solve it with a secure approach ?

Stalwart Integration: Strange folders created when sending first email. https://pastebin.com/SAcqteuC

I am trying to build postfix with lldap. When doing postmap -q abc.com ldap:/etc/postfix/ldap-virtual-domain.cf , its not returning any value. /etc/postfix/ldap-virtual-domain.cf configuration as follow # Address of your LDAP server with protocol specified server_host = ldaps://idm.abc.com:6360 # Base DN for domain entries search_base = dc=abc,dc=com # Adjust as necessary for your directory structure # Distinguished Name (DN) of the user allowing for LDAP binds bind_dn = uid=ro_admin,ou=people,dc=abc,dc=com # Password for the bind user (ensure secure handling of sensitive information) bind_pw = PASSWORD #TLS tls_ca_cert_file =/home/vmail/abc.com/lldap.crt # Define the query filter settings for virtual domains query_filter = (&(objectClass=inetOrgPerson)(mail=*@%s)) result_attribute = mail # Result format result_format = %s What should be the correct query_filter for to extract the dc ?

Hello, I've installed succefully LLDAP few days ago. Now looking to transfert info to _FILE variable. Unfortunately, I always get the following error ``> Starting lldap.. Loading configuration from /data/lldap_config.toml Error: Could not open /secrets/JWT_SECRET from config value jwt_secret_file: Permission denied (os error 13) in

LLDAP_

environment variable(s) > Setup permissions.. Error: Could not open /secrets/JWT_SECRET from config value jwt_secret_file: Permission denied (os error 13) in

LLDAP_

environment variable(s)``

I'm trying to add catch-alls to my docker-mailserver. I've created a multi-value mailalias attribute in my user schema that works and delivers mail as it should. I've added @XYZ.io as an alias as I would in the postfix config but that doesn't work and just gets me undelievered returns my filters:

LDAP_QUERY_FILTER_USER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
LDAP_QUERY_FILTER_GROUP=(&(objectClass=groupOfUniqueNames)(uid=%s))
LDAP_QUERY_FILTER_ALIAS=(&(objectClass=inetOrgPerson)(|(mail=%s)(mailalias=%s)))
LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailalias=*@%s))
DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
DOVECOT_USER_ATTRS==uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))

logs:

2025-01-05T19:03:40.196766+00:00 mx1 dovecot: lmtp(446): Connect from local
2025-01-05T19:03:40.257009+00:00 mx1 dovecot: auth: ldap(2@abc.xyz): unknown user 
2025-01-05T19:03:40.299816+00:00 mx1 postfix/lmtp[445]: B0563240301D: to=<2@abc.xyz>, relay=mx1.mailhost.tld[/var/run/dovecot/lmtp], delay=0.61, delays=0.48/0.02/0.01/0.1, dsn=5.1.1, status=bounced (host mx1.mailhost.tld[/var/run/dovecot/lmtp] said: 550 5.1.1 <2@abc.xyz> User doesn't exist: 2@abc.xyz (in reply to RCPT TO command))
2025-01-05T19:03:40.300028+00:00 mx1 dovecot: lmtp(446): Disconnect from local: Logged out (state=READY)

Hi, I try to configure smtp on lldap and I get this error, I use simple docker container lldap, I have shared CA and certificate with a volume (/etc/ssl/certs:/etc/ssl/certs:ro and /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro)

We don't enable authentification with user/pwd on our local smtp configuration:

[smtp_options]
enable_password_reset=true
server="smtp.XXXX"
port=465
smtp_encryption = "TLS"
#user="XXX"
#password="XXX"
from="XXXX"
reply_to="XXXX"

Error :

2025-01-09T10:36:07.397297171+00:00  DEBUG    │  ┝━ :bug:ion, source: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } } }
2025-01-09T10:36:10.399530183+00:00  WARN     │  ┝━ :construction:
2025-01-09T10:36:10.399539220+00:00  INFO     │  ┕━ ｉ [info]: Reset token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2025-01-09T10:36:10.399597878+00:00  DEBUG    ┕━ :bug:

Hey, I'm trying to get dovecot+postfix to use lldap. postfix uses dovecot. Dovecot auth works (and I expected postfix to work as well automatically...) But when receiving an email, I get the following in the log:

LDAP request [ 3.05ms | 90.89% / 100.00% ] session_id: b4d57d6a-4704-4cca-ae08-1b921f316a7a
┝━ :bug: [debug]:  | msg: LdapMsg { msgid: 19, op: SearchRequest(LdapSearchRequest { base: "", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("memberof", "cn=mail,ou=groups,dc=example,dc=de"), Equality("uid", "jakob")]), attrs: ["uid"] }), ctrl: [] }
┝━ do_search [ 278µs | 9.11% ]
┕━ :bug: [debug]:  | response: SearchResultDone(LdapResult { code: InvalidDNSyntax, matcheddn: "", message: "Missing DN value", referral: [] })

The filter specified in the config is

(&(memberof=cn=mail,ou=groups,dc=example,dc=de)(uid=%{user}))

, which fits the debug msg IMHO. But I don't understand the error message. The filter works fine with ldapsearch and looks fine to me 🤔 Is the empty base a problem? Not sure why though, I specified it in the config. Thanks for any insight

Maybe not strictly lldap, but, isn't this a valid search filter?

(&(&(uid=nas_admin)(objectclass=inetOrgPerson)(unix_uid_number=*))(memberOf=uid=nas_users,ou=groups,dc=example,dc=com))

It's built by sssd, and it reports

ldap_search_ext failed: Bad search filter

, testing with ldapsearch reports the same, until I remove the

(unix_uid_number=*)

part, but shouldn't that be valid? I don't see anything in the lldap log, it's not possible that it has rejected it, without anything in the log, right?

I’m trying to migrate away from truecharts lldap implementation, basically Kubernetes on truenas, to docker (on windows). Via pgadmin, copied all lldap tables over to the user.db file in docker, including the blob passwords. In docker, I set the

LLDAP_JWT_SECRET

to the value I found in Kubernetes. When I try to login with the admin account on the docker environment, I get the message “Corrupted password file for” What am I doing wrong?

Hi, all. I'm having a bit of trouble getting Jellyfin to talk to the lldap server. This is the error message I'

I'm running LLDAP in a Pod in Kubernetes with an

emptyDir

mounted as the

/data

folder ([link to Deployment](https://github.com/vehagn/homelab/blob/main/k8s/infra/auth/lldap/deployment.yaml)). From what I undestand the

key_seed

is randomly generated each time LLDAP start, but since I only use ephemeral storage I suppose this key isn't saved anywhere? I assume the only reason why it's working is that I use the bootstrap script to (re-)generate the passwords upon each restart. Should I explicitly set the

LLDAP_KEY_SEED

value?

Hi all, I'm running LLDAP in an Inucs container, on Alpine 3.21. I have it all set up and running. I'm trying to use it to password-authenticate users on a separate container. I have my

/etc/nslcd.conf

adapted from the sample PAM configuration in the repo, and nscd running on the same box. I'm running

nslcd -d

in the foreground to see logs. I can query lldap on the seperate container with commands like

id

and

getent

, but actually trying to log in keeps giving me "password denied". Even double- and tripple- checking that my password is right. I tried changing passwords to remove all symbols, same thing. Is there something special I have to do to set up passwords?

I'm still trying to make a discord bot to manage user subscriptions, this time i'm as far as being able to create a user from discord, but i'm getting stuck on adding the user to the subscribers group. From what i can tell, i'm getting hung up here: modify_request = {"memberUid": [(MODIFY_ADD, [user_dn.split(',')[0].split('=')[1]])]} # Extracts only the username in that the attribute memberUid isn't correct, but i don't know what it's supposed to be (or even what i'm doing because i'm getting chatgpt to do all the work) When i run the command to add a user, i get this output from my script, but it only adds the user and does not add the user to the subscribers group: ✅ Successfully added uid=watlingj,ou=people,dc=example,dc=com to cn=subscribers,ou=groups,dc=example,dc=com

Hi 🙂 not sure if this is per design... I want to query for a user-attribute that is of type List. When doing ldapsearch and only one attribute (e.g. mailalias) for an object is set, the return is as expected. However, when I set a second mailalias, nothing is returned anymore... Any ideas how to tackle this? ldapsearch -x -H ldap://lldap -D "uid=admin,ou=people,dc=example,dc=com" -w secret -b "dc=example,dc=com" "(&(objectClass=inetOrgPerson)(mailAlias=alias@example.com))" mail

Hello everyone ! I've just discovered LLDAP, and i would like to connect my Synology NAS, but it can't login. Do you know where can i find Base DN, Bind DN and password for connect to it ?

Hello, is the user of LLDAP is admin or something else?

Hello, this is a question regarding the

lldap_password_manager

group and authelia. Even after adding the authelia user to that group I still get an

Insufficient Access Rights

error when resetting or changing the password. I have searched multiple discussion, but I haven't found this exact problem before. I have attached both the verbose LLDAP log and trace level authelia logs to cross reference the requests being made. Both logs are redacted using

example.com

as the placeholder.

Hey, I'm fiddling around with postfix and added a few attributes:

# lldap-cli schema attribute user list
Name           Type        Is list  Is visible  Is editable
----           ----        -------  ----------  -----------
avatar         JPEG_PHOTO  false    true        true
creation_date  DATE_TIME   false    true        false
display_name   STRING      false    true        true
email_address  STRING      false    true        false
email_aliases  STRING      true     true        false
email_quota    STRING      false    true        false
first_name     STRING      false    true        true
last_name      STRING      false    true        true
mail           STRING      false    true        true
user_id        STRING      false    true        false
uuid           STRING      false    true        false

If I try to query any of my custom attributes, I get

dict_ldap_lookup: Search error -7: Bad search filter

. Doesn't matter if the attribute is String or List. The same config that queries "mail" works.

Hi I’m currently setting up LLDAP for my nifi authentication. I am having issues because I am unable to talk to the secure ldap port 6360. Is there an external way to test the port? Both are running in docker containers with a network setup for them and a subnet specified due to nifi configurations

Hi all - I am struggling to get my docker mailserver to authenticate against lldap. Below is an excerpt from the docker mailserver logs and my compose.yaml file. Any help hugely appreciated!!! environment: # Core LDAP Configuration - ACCOUNT_PROVISIONER=LDAP - LDAP_SERVER_HOST=ldap://lldap:3890 - LDAP_SEARCH_BASE=ou=people,dc=recognition-circular,dc=org - LDAP_BIND_DN=cn=admin,ou=people,dc=recognition-circular,dc=org - LDAP_BIND_PW=Rec0gnition123 - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))) - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) # Dovecot-Specific LDAP Mapping - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u))) - DOVECOT_USER_ATTRS=uid=5000,gid=5000,home=/var/mail/%Ln,mail=maildir:~/Maildir - DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u))(userPassword={SHA1}%w)) - DOVECOT_AUTH_BIND=yes # SASL Configuration - ENABLE_SASLAUTHD=1 - SASLAUTHD_MECHANISMS=ldap - SASLAUTHD_LDAP_SERVER=ldap://lldap:3890 - SASLAUTHD_LDAP_BIND_DN=cn=admin,ou=people,dc=recognition-circular,dc=org - SASLAUTHD_LDAP_PASSWORD=Rec0gnition123 - SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=recognition-circular,dc=org - SASLAUTHD_LDAP_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%U))

Hello, I doubt that this is an lldap specific issue, but am posting here in case someone has experience/seen a similar issue. I am using Docker Mailserver. Users authenticate with LLDAP. Everything was working fine until I setup an email account to send email from Nextcloud and integrated Nextcloud with LLDAP. I got nextcloud to send a test email - this appears to have removed my mailboxes and stopped them from receiving email from any source other than Nextcloud. This is the error message from my logs:

Recipient address rejected: User unknown in virtual mailbox table; from=<prvs=52072ff83d=david@xyz.com> to=<xxxx@recognition-circular.org> proto=ESMTP helo=<mx07-0060ad01.pphosted.com>

If I do a

./setup.sh email list

, all the accounts now look like this: Fatal: Unknown command 'quota', but plugin quota exists. Try to set mail_plugins=quota 2025-04-22 15:03:32+02:00 ERROR listmailuser: Supplied non-number argument '' to '_bytes_to_human_readable_size()' 2025-04-22 15:03:32+02:00 ERROR listmailuser: Aborting 2025-04-22 15:03:32+02:00 ERROR listmailuser: Supplied non-number argument '' to '_bytes_to_human_readable_size()' 2025-04-22 15:03:32+02:00 ERROR listmailuser: Aborting *

cloud@recognition-circular.org

( / ) [%] Apart from the Nextcloud integration nothing has changed with my mailserver config or my lldap config. Maybe a longshot, but has anyone experienced something similar?

Hello, I noticed a weird behaviour on one of my LLDAP docker deployments. After a few days of uptime, LLDAP became unresponsive, front is not loading and LLDAP does not respond to requests. After restart, it works again for a few days and becomes unresponsive. Has anyone else had the same issue?