# troubleshooting
r
Hi, have you created an issue on the GitHub repo for this issue? I'm having the exact same problem but I don't want to create duplicate issues. 😅
n
Here's a brand new thread for you! Please keep the discussion for this problem in this thread.
n
Do you mean the admin not being able to change another user's password? Try logging out and back in, KevS' problem was that permissions were not propagated
r
No, this issue concerns password writeback/self-reset through authentik.
I'm having the same error as The_Soartan18k. Unfortunately discord doesn't want to load the message I quoted.
n
That seems like a different problem: you're getting an "unwilling to perform" error
can I see the LLDAP verbose logs?
r
Yes, where can I find them?
I'm running this in unraid
n
I'm not familiar with unraid. In LLDAP, you can enable verbose logs by either changing the config (setting `verbose: true`) or through environment variables `LLDAP_VERBOSE=true`. Then the logs go to the standard output
r
Okay, one moment!
I'm running on `nitnelave/lldap:latest`
n
small note: you can switch to lldap/lldap:latest (same image, but more "official")
r
gotcha
I'll do that rn
n
I don't think these are the correct logs: did you get the "unwilling to perform" error after enabling verbose logs? I see 2 successful user listings, and that's it
(I mean, yes, they are the correct LLDAP verbose logs, but they don't contain the error)
r
container boot -> attempt to change password
When I click change password, authentik throws me this:
and in authentik logs I have this
(full python error)
n
I'm not sure authentik supports the right LDAP methods: it expects the password to be stored in a field in the LDAP server, it seems?
r
I am honestly not sure, LDAP is very new to me
n
Hmm, looking at their code, they do use an extended password modify request, but I don't see it in the LLDAP logs. However, the python error doesn't seem related to LDAP at all
If you can manage to get me the LLDAP log that contains "unwilling to perform" (or "UnwillingToPerform"), that would help
r
the last log I sent is all I have unfortunately
n
It's a bit hard for me to debug, since I don't see the logs of the error: the logs you sent me don't contain any error on the LLDAP side
r
Yeah, that's understandable
I'll check with authentik to see if they have an idea what might be wrong
Since LLDAP doesn't throw any errors I doubt it's LLDAP
Thank you for your time regardless
n
My pleasure 🙂
r
Hello, I am back, this time with a better log file!
This one actually states the "unwilling to perform" error
n
Hmm, that's what I was afraid of. Authentik uses a normal modify operation instead of an extended password modify operation
That's not supported in lldap
r
Welp, time for me to shoot in a feature request then 😅
Thank you for your time once more. 🙏
n
Sure! Also, note that the logs you sent me contain the new password in clear
(slightly obfuscated, but not meaningfully so)
And also, it's a bit weird since their code seems to use the extended operation. Are you perhaps running an old version of Authentik? Maybe I'm not reading the code well
r
They are allowed to know that the new password is `bbb`
I'm running the newest version, with yesterday's bugfix update
n
Huh, then maybe I'm not reading their code right
r
Would you like to have the stack trace that goes with above log?
In case it might be different
n
Oh, I see the issue: they first try to modify the password the AD way, which uses a modify operation with the unicodePwd field, and then if they get an AttributeError they try the extended operation. However, lldap doesn't return an AttributeError but an UnwillingToPerformError since we don't support the modify operation at all, so it completely fails
Maybe you can get them to change https://github.com/goauthentik/authentik/blob/main/authentik/sources/ldap/password.py#L95 to add an unwillingToPerform to that `except`
Debugging other people's code from my phone is... fun
r
Gotcha, thank you 🙏
Reference for anyone having the same issue as me in the future: https://github.com/goauthentik/authentik/issues/5693