This a few minutes ago I saw this in my logs:
Jun 12 09:02:11 box:ldap user search: dn ou=users, dc=cloudron, scope sub, filter (|(mail=john-doe)(username=john-doe)) (from 172.18.0.43:48982) Running docker ps | grep 48982 doesn't return anything. Why would there be a search for a username that is in one of my apps? And whose user doesn't have an email address on my cloudron (except for their own email address they used to register in the respective app)?
A little earlier there were these lines:
Jun 12 09:00:00 box:ldap user search: dn ou=users, dc=cloudron, scope one, filter (&(&(objectclass=user))(|(username=)(mail=))) (from 172.18.0.4:55868) Jun 12 09:00:00 box:ldap user search: dn ou=users, dc=cloudron, scope sub, filter (|(username=me)) (from 172.18.0.4:55868), followed by Jun 12 09:01:37 box:ldap user search: dn ou=users, dc=cloudron, scope sub, filter (&(objectclass=user)(|(username=me)(mail=me))) (from 172.18.0.16:57074)
And why does the internal IP keep changing? Are these all internal IPs of my different apps just querying the LDAP server? Makes sense, but why the one user, randomly (or does that show that this user actually simply just logged in)? Thank you!
This appears to be someone/bot trying out common usernames in one of your apps. Unfortunately this is not too uncommon, but also not an a real issue if you have strong passwords. The requests will be rate-limited as well to prevent proper brute-force attacks.
The internal IP is associated to an app, it may or may not change when an app is restarted. However the ldap logs might indicate there are multiple apps configured to use LDAP. The port is actually dynamic per request, so that is the reason why it does not show in docker ps/inspect