The current implementation of LDAP in Syncthing has a bug that makes it impossible for users to log in with their LDAP account if a domain controller password is needed, because there is no way to specify a DC password for the DC user ID request.
Details:
When configuring Syncthing to use LDAP authentication, it is necessary to send a request to the domain controller to retrieve the user ID. Normally, this would require entering a domain controller password to authenticate the request. However, Syncthing does not currently provide a way to specify such a password, which causes authentication to fail and prevents users from logging in with their LDAP accounts.
Expected behavior:
The LDAP integration should provide an option to specify a domain controller password to perform authentication for the user ID query. This way, users can successfully access their LDAP accounts and log in via Syncthing.
It should work like in the ldapsearch example below for the user John Doe
```
# request all users and filter for 'John Doe' to find out the distinguished name (dn)
ldapsearch -x -D 'CN=ldapquery,OU=Service Accounts,OU=User,DC=YOUR_DOMAIN,DC=ads' -b DC=YOUR_DOMAIN,DC=ads -w 'DC_PASSWORD' -H ldap://xxx.xxx.xxx.xxx "(CN=John Doe)"
# this returns something like
# dn: CN=John Doe,OU=CH,OU=User,DC=YOUR_DOMAIN,DC=ads
# the return will be used after the -D
ldapsearch -x -D 'CN=John Doe,OU=CH,OU=User,DC=YOUR_DOMAIN,DC=ads' -w 'USER_PASSWORD' -H ldap://xxx.xxx.xxx.xxx
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-03100221, problem 2001 (NO_OBJECT), data 0, best
match of:
''
```
something like this
Bonus:
It would be nice if you can configure the filter "(CN=John Doe)", so you can filter for every LDAP object key you want,
i.e. "(EMAIL=john.doe.mail.com)".
So people could log in with their e-mail or whatever.
This is where the "Search Filter" field comes into play, right?
Syncthing version
v1.27.18
Platform & operating system
Linux amd64
Browser version
No response
Relevant log output
No response
peponi added the bug and needs-triage labels on Apr 25, 2024
calmh added the enhancement label and removed the bug and needs-triage labels on Apr 25, 2024
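The search-then-bind flow the issue asks for, as an added example (not Syncthing's code and not part of the original issue): bind as the service account, look up the user's DN with an escaped filter, then bind as that DN. The `Directory` interface, `fakeDir`, the `%s` filter template and all sample DNs and passwords are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Directory interface { // hypothetical stand-in for an LDAP connection, not Syncthing's API
	Bind(dn, password string) error
	Search(baseDN, filter string) ([]string, error) // DNs of matching entries
}

// escape applies RFC 4515 filter escaping so input like "*" cannot widen the search.
var escape = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)

// Authenticate does search-then-bind: service bind, DN lookup, then bind as the user.
func Authenticate(d Directory, svcDN, svcPW, base, tmpl, user, pw string) error {
	if user == "" || pw == "" { // an empty password is an unauthenticated bind (RFC 4513)
		return errors.New("empty username or password")
	}
	if err := d.Bind(svcDN, svcPW); err != nil {
		return fmt.Errorf("service bind: %w", err)
	}
	dns, err := d.Search(base, strings.ReplaceAll(tmpl, "%s", escape.Replace(user)))
	if err != nil || len(dns) != 1 { // zero or several matches: refuse to guess
		return fmt.Errorf("lookup matched %d entries (err: %v)", len(dns), err)
	}
	return d.Bind(dns[0], pw)
}

type fakeDir struct { // constructed in-memory directory, sample data only
	creds   map[string]string   // DN -> password
	entries map[string][]string // filter -> matching DNs
}

func (f fakeDir) Bind(dn, pw string) error {
	if pw != "" && f.creds[dn] != pw { // "" passes, as on servers allowing unauthenticated bind
		return errors.New("invalid credentials")
	}
	return nil
}

func (f fakeDir) Search(_, filter string) ([]string, error) { return f.entries[filter], nil }

func main() {
	john := "CN=John Doe,OU=CH,OU=User,DC=YOUR_DOMAIN,DC=ads"
	d := fakeDir{map[string]string{"CN=ldapquery": "DC_PASSWORD", john: "USER_PASSWORD"}, map[string][]string{"(CN=John Doe)": {john}}}
	fmt.Println(Authenticate(d, "CN=ldapquery", "DC_PASSWORD", "DC=YOUR_DOMAIN,DC=ads", "(CN=%s)", "John Doe", "USER_PASSWORD"))
}
```

The empty-password check matters because the fake directory, like servers that permit unauthenticated binds, reports success for an empty password.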