What is behind this lookup in LDAP?

scooke

This a few minutes ago I saw this in my logs:
Jun 12 09:02:11 box:ldap user search: dn ou=users, dc=cloudron, scope sub, filter (|(mail=john-doe)(username=john-doe)) (from 172.18.0.43:48982) Running docker ps | grep 48982 doesn't return anything. Why would there be a search for a username that is in one of my apps? And whose user doesn't have an email address on my cloudron (except for their own email address they used to register in the respective app)?
A little earlier there were these lines:
Jun 12 09:00:00 box:ldap user search: dn ou=users, dc=cloudron, scope one, filter (&(&(objectclass=user))(|(username=*)(mail=*))) (from 172.18.0.4:55868) Jun 12 09:00:00 box:ldap user search: dn ou=users, dc=cloudron, scope sub, filter (|(username=me)) (from 172.18.0.4:55868), followed by Jun 12 09:01:37 box:ldap user search: dn ou=users, dc=cloudron, scope sub, filter (&(objectclass=user)(|(username=me)(mail=me))) (from 172.18.0.16:57074)
And why does the internal IP keep changing? Are these all internal IPs of my different apps just querying the LDAP server? Makes sense, but why the one user, randomly (or does that show that this user actually simply just logged in)? Thank you!

nebulon

Yes those log lines indicate a login attempt by an app. Each app makes the requests on the Cloudron local network. So different IPs indicate different apps.

In your case it looks like someone/bot tries to login to some or your apps.