Hello, I've installed succefully LLDAP few days ago. Now looking to transfert info to _FILE variable. Unfortunately, I always get the following error ``> Starting lldap.. Loading configuration from /data/lldap_config.toml Error: Could not open /secrets/JWT_SECRET from config value jwt_secret_file: Permission denied (os error 13) in

LLDAP_

environment variable(s) > Setup permissions.. Error: Could not open /secrets/JWT_SECRET from config value jwt_secret_file: Permission denied (os error 13) in

LLDAP_

environment variable(s)``

I'm trying to add catch-alls to my docker-mailserver. I've created a multi-value mailalias attribute in my user schema that works and delivers mail as it should. I've added @XYZ.io as an alias as I would in the postfix config but that doesn't work and just gets me undelievered returns my filters:

LDAP_QUERY_FILTER_USER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
LDAP_QUERY_FILTER_GROUP=(&(objectClass=groupOfUniqueNames)(uid=%s))
LDAP_QUERY_FILTER_ALIAS=(&(objectClass=inetOrgPerson)(|(mail=%s)(mailalias=%s)))
LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailalias=*@%s))
DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
DOVECOT_USER_ATTRS==uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))

logs:

2025-01-05T19:03:40.196766+00:00 mx1 dovecot: lmtp(446): Connect from local
2025-01-05T19:03:40.257009+00:00 mx1 dovecot: auth: ldap(2@abc.xyz): unknown user 
2025-01-05T19:03:40.299816+00:00 mx1 postfix/lmtp[445]: B0563240301D: to=<2@abc.xyz>, relay=mx1.mailhost.tld[/var/run/dovecot/lmtp], delay=0.61, delays=0.48/0.02/0.01/0.1, dsn=5.1.1, status=bounced (host mx1.mailhost.tld[/var/run/dovecot/lmtp] said: 550 5.1.1 <2@abc.xyz> User doesn't exist: 2@abc.xyz (in reply to RCPT TO command))
2025-01-05T19:03:40.300028+00:00 mx1 dovecot: lmtp(446): Disconnect from local: Logged out (state=READY)

Hi, I try to configure smtp on lldap and I get this error, I use simple docker container lldap, I have shared CA and certificate with a volume (/etc/ssl/certs:/etc/ssl/certs:ro and /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro)

We don't enable authentification with user/pwd on our local smtp configuration:

[smtp_options]
enable_password_reset=true
server="smtp.XXXX"
port=465
smtp_encryption = "TLS"
#user="XXX"
#password="XXX"
from="XXXX"
reply_to="XXXX"

Error :

2025-01-09T10:36:07.397297171+00:00  DEBUG    │  ┝━ :bug:ion, source: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } } }
2025-01-09T10:36:10.399530183+00:00  WARN     │  ┝━ :construction:
2025-01-09T10:36:10.399539220+00:00  INFO     │  ┕━ ｉ [info]: Reset token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2025-01-09T10:36:10.399597878+00:00  DEBUG    ┕━ :bug:

Hey, I'm trying to get dovecot+postfix to use lldap. postfix uses dovecot. Dovecot auth works (and I expected postfix to work as well automatically...) But when receiving an email, I get the following in the log:

LDAP request [ 3.05ms | 90.89% / 100.00% ] session_id: b4d57d6a-4704-4cca-ae08-1b921f316a7a
┝━ :bug: [debug]:  | msg: LdapMsg { msgid: 19, op: SearchRequest(LdapSearchRequest { base: "", scope: Subtree, aliases: Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: And([Equality("memberof", "cn=mail,ou=groups,dc=example,dc=de"), Equality("uid", "jakob")]), attrs: ["uid"] }), ctrl: [] }
┝━ do_search [ 278µs | 9.11% ]
┕━ :bug: [debug]:  | response: SearchResultDone(LdapResult { code: InvalidDNSyntax, matcheddn: "", message: "Missing DN value", referral: [] })

The filter specified in the config is

(&(memberof=cn=mail,ou=groups,dc=example,dc=de)(uid=%{user}))

, which fits the debug msg IMHO. But I don't understand the error message. The filter works fine with ldapsearch and looks fine to me 🤔 Is the empty base a problem? Not sure why though, I specified it in the config. Thanks for any insight

Maybe not strictly lldap, but, isn't this a valid search filter?

(&(&(uid=nas_admin)(objectclass=inetOrgPerson)(unix_uid_number=*))(memberOf=uid=nas_users,ou=groups,dc=example,dc=com))

It's built by sssd, and it reports

ldap_search_ext failed: Bad search filter

, testing with ldapsearch reports the same, until I remove the

(unix_uid_number=*)

part, but shouldn't that be valid? I don't see anything in the lldap log, it's not possible that it has rejected it, without anything in the log, right?

I’m trying to migrate away from truecharts lldap implementation, basically Kubernetes on truenas, to docker (on windows). Via pgadmin, copied all lldap tables over to the user.db file in docker, including the blob passwords. In docker, I set the

LLDAP_JWT_SECRET

to the value I found in Kubernetes. When I try to login with the admin account on the docker environment, I get the message “Corrupted password file for” What am I doing wrong?

Hi, all. I'm having a bit of trouble getting Jellyfin to talk to the lldap server. This is the error message I'

I'm running LLDAP in a Pod in Kubernetes with an

emptyDir

mounted as the

/data

folder ([link to Deployment](https://github.com/vehagn/homelab/blob/main/k8s/infra/auth/lldap/deployment.yaml)). From what I undestand the

key_seed

is randomly generated each time LLDAP start, but since I only use ephemeral storage I suppose this key isn't saved anywhere? I assume the only reason why it's working is that I use the bootstrap script to (re-)generate the passwords upon each restart. Should I explicitly set the

LLDAP_KEY_SEED

value?

Hi all, I'm running LLDAP in an Inucs container, on Alpine 3.21. I have it all set up and running. I'm trying to use it to password-authenticate users on a separate container. I have my

/etc/nslcd.conf

adapted from the sample PAM configuration in the repo, and nscd running on the same box. I'm running

nslcd -d

in the foreground to see logs. I can query lldap on the seperate container with commands like

id

and

getent

, but actually trying to log in keeps giving me "password denied". Even double- and tripple- checking that my password is right. I tried changing passwords to remove all symbols, same thing. Is there something special I have to do to set up passwords?

I'm still trying to make a discord bot to manage user subscriptions, this time i'm as far as being able to create a user from discord, but i'm getting stuck on adding the user to the subscribers group. From what i can tell, i'm getting hung up here: modify_request = {"memberUid": [(MODIFY_ADD, [user_dn.split(',')[0].split('=')[1]])]} # Extracts only the username in that the attribute memberUid isn't correct, but i don't know what it's supposed to be (or even what i'm doing because i'm getting chatgpt to do all the work) When i run the command to add a user, i get this output from my script, but it only adds the user and does not add the user to the subscribers group: ✅ Successfully added uid=watlingj,ou=people,dc=example,dc=com to cn=subscribers,ou=groups,dc=example,dc=com

Hi 🙂 not sure if this is per design... I want to query for a user-attribute that is of type List. When doing ldapsearch and only one attribute (e.g. mailalias) for an object is set, the return is as expected. However, when I set a second mailalias, nothing is returned anymore... Any ideas how to tackle this? ldapsearch -x -H ldap://lldap -D "uid=admin,ou=people,dc=example,dc=com" -w secret -b "dc=example,dc=com" "(&(objectClass=inetOrgPerson)(mailAlias=alias@example.com))" mail

Hello everyone ! I've just discovered LLDAP, and i would like to connect my Synology NAS, but it can't login. Do you know where can i find Base DN, Bind DN and password for connect to it ?

Hello, is the user of LLDAP is admin or something else?

Hello, this is a question regarding the

lldap_password_manager

group and authelia. Even after adding the authelia user to that group I still get an

Insufficient Access Rights

error when resetting or changing the password. I have searched multiple discussion, but I haven't found this exact problem before. I have attached both the verbose LLDAP log and trace level authelia logs to cross reference the requests being made. Both logs are redacted using

example.com

as the placeholder.

Hey, I'm fiddling around with postfix and added a few attributes:

# lldap-cli schema attribute user list
Name           Type        Is list  Is visible  Is editable
----           ----        -------  ----------  -----------
avatar         JPEG_PHOTO  false    true        true
creation_date  DATE_TIME   false    true        false
display_name   STRING      false    true        true
email_address  STRING      false    true        false
email_aliases  STRING      true     true        false
email_quota    STRING      false    true        false
first_name     STRING      false    true        true
last_name      STRING      false    true        true
mail           STRING      false    true        true
user_id        STRING      false    true        false
uuid           STRING      false    true        false

If I try to query any of my custom attributes, I get

dict_ldap_lookup: Search error -7: Bad search filter

. Doesn't matter if the attribute is String or List. The same config that queries "mail" works.

Hi I’m currently setting up LLDAP for my nifi authentication. I am having issues because I am unable to talk to the secure ldap port 6360. Is there an external way to test the port? Both are running in docker containers with a network setup for them and a subnet specified due to nifi configurations

Hi all - I am struggling to get my docker mailserver to authenticate against lldap. Below is an excerpt from the docker mailserver logs and my compose.yaml file. Any help hugely appreciated!!! environment: # Core LDAP Configuration - ACCOUNT_PROVISIONER=LDAP - LDAP_SERVER_HOST=ldap://lldap:3890 - LDAP_SEARCH_BASE=ou=people,dc=recognition-circular,dc=org - LDAP_BIND_DN=cn=admin,ou=people,dc=recognition-circular,dc=org - LDAP_BIND_PW=Rec0gnition123 - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))) - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) # Dovecot-Specific LDAP Mapping - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u))) - DOVECOT_USER_ATTRS=uid=5000,gid=5000,home=/var/mail/%Ln,mail=maildir:~/Maildir - DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u))(userPassword={SHA1}%w)) - DOVECOT_AUTH_BIND=yes # SASL Configuration - ENABLE_SASLAUTHD=1 - SASLAUTHD_MECHANISMS=ldap - SASLAUTHD_LDAP_SERVER=ldap://lldap:3890 - SASLAUTHD_LDAP_BIND_DN=cn=admin,ou=people,dc=recognition-circular,dc=org - SASLAUTHD_LDAP_PASSWORD=Rec0gnition123 - SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=recognition-circular,dc=org - SASLAUTHD_LDAP_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%U))

Hello, I doubt that this is an lldap specific issue, but am posting here in case someone has experience/seen a similar issue. I am using Docker Mailserver. Users authenticate with LLDAP. Everything was working fine until I setup an email account to send email from Nextcloud and integrated Nextcloud with LLDAP. I got nextcloud to send a test email - this appears to have removed my mailboxes and stopped them from receiving email from any source other than Nextcloud. This is the error message from my logs:

Recipient address rejected: User unknown in virtual mailbox table; from=<prvs=52072ff83d=david@xyz.com> to=<xxxx@recognition-circular.org> proto=ESMTP helo=<mx07-0060ad01.pphosted.com>

If I do a

./setup.sh email list

, all the accounts now look like this: Fatal: Unknown command 'quota', but plugin quota exists. Try to set mail_plugins=quota 2025-04-22 15:03:32+02:00 ERROR listmailuser: Supplied non-number argument '' to '_bytes_to_human_readable_size()' 2025-04-22 15:03:32+02:00 ERROR listmailuser: Aborting 2025-04-22 15:03:32+02:00 ERROR listmailuser: Supplied non-number argument '' to '_bytes_to_human_readable_size()' 2025-04-22 15:03:32+02:00 ERROR listmailuser: Aborting *

cloud@recognition-circular.org

( / ) [%] Apart from the Nextcloud integration nothing has changed with my mailserver config or my lldap config. Maybe a longshot, but has anyone experienced something similar?

Hello, I noticed a weird behaviour on one of my LLDAP docker deployments. After a few days of uptime, LLDAP became unresponsive, front is not loading and LLDAP does not respond to requests. After restart, it works again for a few days and becomes unresponsive. Has anyone else had the same issue?

message has been deleted

Can't login first install?

i'm trying to get lldap working with stalwart, but it says "incorrect username or password". more details in the thread

Configuring TrueNAS with LLDAP

message has been deleted

I've used this LLDAP in a portainer stack for a few months, works great. The actual LLDAP is working, but when I try use the web panel to edit uses I get "Could not Log in". Haven't used the web panel in a month of so, unsure what happened. If I put in the wrong password it says "Invalid username or password", and when I use the right password it says this in the log:

INFO     ｉ [info]: OPAQUE login attempt for "jacob"
INFO     ｉ [info]: OPAQUE login successful for "jacob"

https://cdn.discordapp.com/attachments/1384712140308480130/1384712148441108681/image.png?ex=68536d2e&is=68521bae&hm=1dff1b71a3ed382b52c9db6573ae25b13f5d30ffe336b6dcbdea68dd4e660cce& https://cdn.discordapp.com/attachments/1384712140308480130/1384712148684509388/image.png?ex=68536d2e&is=68521bae&hm=6a81c17a740834b051ea6e0be4c29ca9836aaeef289dffd7d95a6b67aa039771&

I'm setting up a new environment, a separate computing cluster, and I'll have about six machines and about that many users. I chose LLDAP because we need a simple, small scale authentication system. I downloaded the sources and built LLDAP per the guide. I created a service for my lldap binary, and when I started it, I get a message about the JWT string must be initialized in the lldap_config.toml file. I'm not sure where the template for that file exists, or where the file should be located. I'm running Rocky Linux 9.5. Thank you for you assistance. I didn't see detailed instructions on the github page, and I'm not experienced with LDAP.

Another "Can't login" issue... This is really frustrating at the moment, as I followed exactly the docs and expected to be able to login out of the box, but nothing works. I created LLDAP via the compose.yaml from the github page, chmod the volume to 777, changed the configuration to reset admin password always - and still, nothing. All I get is a 'OPAQUE login attempt for "admin"' and the web form says "Invalid username or password". I use "admin" as user and "adminPas$word" as password. Can anyone point me in a direction for more proper troubleshooting? Am I missing something, is the compose.yaml only a "maybe" and I take it too literally?

Anyone successfully using LLDAP with Jellyfin? I cannot for the life of me get it to work

[16:14:36] [WRN] [44] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Ldap Test Failed to Connect or Bind to server
2025-06-25 16:14:36.887558+00:00LdapException: Unable to connect to server lldap:3890 (91) Connect Error
2025-06-25 16:14:36.887585+00:00System.Net.Sockets.SocketException (111): Connection refused
2025-06-25 16:14:36.887604+00:00at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
2025-06-25 16:14:36.887687+00:00at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)

This is the error I get when running "Save and Test LDAP Server Settings" in Jellyfin. To me its not a container network issue because I can ping the lldap container from the jellyfin container... What's weird is the exact same connection details I'm trying to use with Jellyfin work just fine with Open WebUI...

I am running into the following error:

Could not initiate password reset[500 ]: Internal server error: `Could not send email: Error sending email: permanent error (535): 5.7.8 Username and Password not accepted. For more information, go to5.7.8 https://support.google.com/mail/?p=BadCredentials 6a1803df08f44-6fd772fa9c9sm11203576d6.82 - gsmtp`

though I ran this through a smtp tester and it worked with the same setup. I do have my server using the SMTP email with a different application though I don't think that would matter. This is what I have atm :

LDAP_SMTP_OPTIONS__FROM: LLDAP Admin <${SMTP_USER}>
LLDAP_SMTP_OPTIONS__PASSWORD: ${SMTP_PASSWORD}
LLDAP_SMTP_OPTIONS__PORT: 587
LLDAP_SMTP_OPTIONS__REPLY_TO: Do not reply <${SMTP_USER}>
LLDAP_SMTP_OPTIONS__SERVER: smtp.gmail.com
LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: STARTTLS
LLDAP_SMTP_OPTIONS__USER: ${SMTP_USER}
LLDAP_VERBOSE: true