Azelphur - Trying out LLDAP for the first time,...
# troubleshooting
n
Hey! Can you try running LLDAP in verbose mode? That should give you a log of the email attempts
a
🤦 I looked in the config for a debug mode and didn't see that, trying it now 🙂
Seems the change took effect, I get more logs now, but it still logs nothing when I try to do a password reset
n
Out of curiosity, you do have password resets enabled?
a
seems it was commented out in the config file, not sure if the default is disabled, I uncommented it and set it to true but it still doesn't work
n
You can also try to run
lldap send_test_email --to=my@email.com
a
# ./lldap send_test_email --to=azelphur@azelphur.com
Loading configuration from lldap_config.toml
2023-10-11T19:12:35.200319567+00:00  ERROR    🚨 [error]: Could not send email: Connection error: Address not available (os error 99): Address not available (os error 99)
Interesting, giving us an error now 🙂
for reference:
[smtp_options]
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset=true
## The SMTP server.
server="smtp"
## The SMTP port.
port=25
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
smtp_encryption = "NONE"
## The SMTP user, usually your email address.
user="noreply@azelphur.com"
## The SMTP password.
password=""
## The header field, optional: how the sender appears in the email. The first
## is a free-form name, followed by an email between <>.
from="LLDAP Admin <noreply@azelphur.com>"
## Same for reply-to, optional.
reply_to="Azelphur <azelphur@azelphur.com>"
That's what I have set for my config
n
Are you using docker or bare metal?
a
and, also maybe useful, here's my working config from authelia that does send email
smtp:
    host: smtp
    port: 25
    sender: noreply@azelphur.com
    disable_require_tls: true
using docker
n
can you, from the LLDAP container, ping smtp?
a
Yes, that works
n
Can you use --verbose with the send_test_email command?
a
# ./lldap send_test_email --verbose --to=azelphur@azelphur.com
Loading configuration from lldap_config.toml
Configuration: Configuration {
    ldap_host: "0.0.0.0",
    ldap_port: 3890,
    http_host: "0.0.0.0",
    http_port: 17170,
    jwt_secret: ***SECRET***,
    ldap_base_dn: "dc=azelphur,dc=com",
    ldap_user_dn: UserId(
        "admin",
    ),
    ldap_user_email: "",
    ldap_user_pass: ***SECRET***,
    database_url: "sqlite://users.db?mode=rwc",
    ignored_user_attributes: [],
    ignored_group_attributes: [],
    verbose: true,
    key_file: "server_key",
    key_seed: None,
    smtp_options: MailOptions {
        enable_password_reset: false,
        from: None,
        reply_to: None,
        server: "localhost",
        port: 587,
        user: "",
        password: ***SECRET***,
        smtp_encryption: Tls,
        tls_required: None,
    },
    ldaps_options: LdapsOptions {
        enabled: false,
        port: 6360,
        cert_file: "cert.pem",
        key_file: "key.pem",
    },
    http_url: Url {
        scheme: "http",
        cannot_be_a_base: false,
        username: "",
        password: None,
        host: Some(
            Domain(
                "localhost",
            ),
        ),
        port: None,
        path: "/",
        query: None,
        fragment: None,
    },
    server_setup: None,
}
2023-10-11T19:16:21.372972899+00:00  DEBUG    🐛 [debug]: Sending email to 'azelphur@azelphur.com' as 'LLDAP <nobody@lldap>' via ''@'localhost':'587'
2023-10-11T19:16:21.373969462+00:00  ERROR    🚨 [error]: Could not send email: Connection error: Address not available (os error 99): Address not available (os error 99)
looks like it might be trying to connect to 587?
n
Look at the smtp_options in the config:
server: localhost
user: ""
it's not picking up your config
a
seems so
n
where do you set your settings?
you can try with a --config_file=/data/lldap_config.toml (I think that's the default for docker)
n
can you run the send_test_email command with verbose and --config_file=/data/lldap_config.toml? (from inside the container)
a
bash-5.1# ./lldap send_test_email --config-file=/data/lldap_config.toml --verbose --to=azelphur@azelphur.com
Loading configuration from /data/lldap_config.toml
Configuration: Configuration {
    ldap_host: "0.0.0.0",
    ldap_port: 3890,
    http_host: "0.0.0.0",
    http_port: 17170,
    jwt_secret: ***SECRET***,
    ldap_base_dn: "dc=azelphur,dc=com",
    ldap_user_dn: UserId(
        "admin",
    ),
    ldap_user_email: "",
    ldap_user_pass: ***SECRET***,
    database_url: "sqlite:///data/users.db?mode=rwc",
    ignored_user_attributes: [],
    ignored_group_attributes: [],
    verbose: true,
    key_file: "/data/private_key",
    key_seed: None,
    smtp_options: MailOptions {
        enable_password_reset: true,
        from: Some(
            Mailbox {
                name: Some(
                    "LLDAP Admin",
                ),
                email: Address {
                    serialized: "noreply@azelphur.com",
                    at_start: 7,
                },
            },
        ),
        reply_to: Some(
            Mailbox {
                name: Some(
                    "Azelphur",
                ),
                email: Address {
                    serialized: "azelphur@azelphur.com",
                    at_start: 8,
                },
            },
        ),
        server: "smtp",
        port: 25,
        user: "noreply@azelphur.com",
        password: ***SECRET***,
        smtp_encryption: None,
        tls_required: None,
    },
    ldaps_options: LdapsOptions {
        enabled: false,
        port: 6360,
        cert_file: "cert.pem",
        key_file: "key.pem",
    },
    http_url: Url {
        scheme: "https",
        cannot_be_a_base: false,
        username: "",
        password: None,
        host: Some(
            Domain(
                "lldap.home.azelphur.com",
            ),
        ),
        port: None,
        path: "/",
        query: None,
        fragment: None,
    },
    server_setup: None,
}
2023-10-11T19:20:34.816961269+00:00  DEBUG    🐛 [debug]: Sending email to 'azelphur@azelphur.com' as 'LLDAP Admin <noreply@azelphur.com>' via 'noreply@azelphur.com'@'smtp':'25'
2023-10-11T19:20:34.851319744+00:00  ERROR    🚨 [error]: Could not send email: internal client error: No compatible authentication mechanism was found: No compatible authentication mechanism was found
looking more promising there, I believe I need to disable tls_required to get that to work
although I'm not sure if there's an option to do that in the config
got it, had to omit username and password 🙂
so the test email worked now, but password reset still doesn't
just to recap:
./lldap send_test_email --to=azelphur@azelphur.com
doesn't work, because it doesn't load my config
./lldap send_test_email --config-file=/data/lldap_config.toml --to=azelphur@azelphur.com
does work, and sends an email. Password reset doesn't work, and nothing is shown in the logs
n
Alright, can you set verbose to true in the config, restart the LLDAP container, and paste the (parsed) config from the logs? At least the smtp options
a
Loading configuration from /data/lldap_config.toml
Configuration: Configuration {
    ldap_host: "0.0.0.0",
    ldap_port: 3890,
    http_host: "0.0.0.0",
    http_port: 17170,
    jwt_secret: ***SECRET***,
    ldap_base_dn: "dc=azelphur,dc=com",
    ldap_user_dn: UserId(
        "admin",
    ),
    ldap_user_email: "",
    ldap_user_pass: ***SECRET***,
    database_url: "sqlite:///data/users.db?mode=rwc",
    ignored_user_attributes: [],
    ignored_group_attributes: [],
    verbose: true,
    key_file: "/data/private_key",
    key_seed: None,
    smtp_options: MailOptions {
        enable_password_reset: true,
        from: Some(
            Mailbox {
                name: Some(
                    "LLDAP Admin",
                ),
                email: Address {
                    serialized: "noreply@azelphur.com",
                    at_start: 7,
                },
            },
        ),
        reply_to: Some(
            Mailbox {
                name: Some(
                    "Azelphur",
                ),
                email: Address {
                    serialized: "azelphur@azelphur.com",
                    at_start: 8,
                },
            },
        ),
        server: "smtp",
        port: 25,
        user: "",
        password: ***SECRET***,
        smtp_encryption: None,
        tls_required: Some(
            false,
        ),
    },
    ldaps_options: LdapsOptions {
        enabled: false,
        port: 6360,
        cert_file: "cert.pem",
        key_file: "key.pem",
    },
    http_url: Url {
        scheme: "https",
        cannot_be_a_base: false,
        username: "",
        password: None,
        host: Some(
            Domain(
                "lldap.home.azelphur.com",
            ),
        ),
        port: None,
        path: "/",
        query: None,
        fragment: None,
    },
    server_setup: None,
}
n
Alright, and with all that, the password reset doesn't work? What do you get in the logs?
There should be a "Sending email to ... as ... via ..."
a
when I press reset password, nothing new is logged (I'm watching the output of docker logs --follow lldap)
n
What about in the browser, any console logs? (with F12)
or do you see new network requests in the network tab?
a
I do, it seems to send an HTTP GET to http://192.168.1.11:17170/auth/reset/step1/azelphur@azelphur.com. It gets a 200 response.
I would expect that to be a HTTP POST
n
do you see the request in the LLDAP logs?
a
no, nothing new is logged in lldap
n
Then you're not talking to the server you're watching
You probably have 2 instances of LLDAP running, and you're changing one and talking to the other
a
I don't think so, because I get logs when I access the front page, for example
I'll make a video 🙂
n
You shouldn't be able to get a 200 response without any logs produced in the lldap container (in verbose mode)
a
I restarted my browser and it spontaneously started working, it now logs things when I do password reset and sends the email 🙂
makes no sense, but hey, it works now 😄
thank you for your help
n
My pleasure!
I don't know what happened here 😄
but it was in a weeeeeird state
a
I wonder if maybe the password reset enabled setting got cached in the browser, or potentially, because of me deleting the config folder and then recreating it, it could have been in a weird state
also not sure if you're the (or a?) dev or not, but just fyi, password reset on HTTP GET is a minor security vulnerability
not that it'll put me off of course, quite liking this, my first try with ldap and it's already going well 😄
n
yeah, the front-end could have cached that the password reset was not enabled. But then you wouldn't have seen the "Forgot my password" button
a
ah, strange
n
Out of curiosity, how's that a security vulnerability?
I'm essentially the only dev, yes 🙂
a
It enables not-nice things like DDoS amplification attacks; for example, I could put an image in an email, and then anyone who opens that email would do a password reset on my email
n
We had a couple of good contributors, but I wrote 95+% of the project
a
Nice work 😄
HTTP RFCs basically say that GET should only ever be read-only; no actions should be taken, and a different method, e.g. POST, must be used for this action
source: as is apparent, am a long-time web dev 😂
n
Fair enough, but LLDAP can be brought to its knees with a simple for loop, probably. Or you'll hit your email provider's sending limits quite quickly
a
yea, it's very minor, just generally good practice to always use HTTP POST for forms, nothing that requires running out and fixing
n
All of that to say that LLDAP is not built to be very robust to motivated attacks, you'd have to have a layer at the routing level like fail2ban
yeah, you're right 🙂 It was simpler to dev and debug, but it should be a POST
Can you create an issue for it?
a
Sure 🙂