How to debug Cloudron directory server?
-
Hi everyone,
I have been toying on and off with an instance of authentik and the next step would be to fill it with users. For this I wanted to configure my Cloudron system as the "LDAP source" in Auhtentik. But somehow I am not getting users listed.
The authentik system is a vm on my home network and from my workstation on the same network I can also successfully execute
ldapsearch -v -x -b "ou=users,dc=cloudron" -D "cn=admin,ou=system,dc=cloudron" -w xxx -H ldaps://my.xxx.xx:636And since I had to first set
export LDAPTLS_REQCERT=neveron the vm authentik is running on I expect an ssl issue. Weirdlyopenssl s_client -connect my.xxx.xx:636is able to connect.Now I am looking for some logging. Authentik does not seem to log anything (I am asking the same question about log locations in their Discord), so I was wondering if Cloudron may have some logging that I am missing. I already did a
journalctl -u box, but that did not give much info.PS: Authentik also offers the ability to write password changes back into its upstream ldap. Would this work with Cloudron or is the current ldap interface read only?
-
Generally unless there is a bug, SSL should works fine there. Also you are saying using the
ldapsearchtool you get a userlisting?There are no further debugging options out of the box, however you can manually add
console.log()s in the/home/yellowtent/box/src/userdirectory.jsfor debugging purpose. After changing the file you have tosystemctl restart boxfor them to go live. This is a bit hacky but at least you can put logs as you see fit to check if authentik is even reaching the server and such. -
Generally unless there is a bug, SSL should works fine there. Also you are saying using the
ldapsearchtool you get a userlisting?There are no further debugging options out of the box, however you can manually add
console.log()s in the/home/yellowtent/box/src/userdirectory.jsfor debugging purpose. After changing the file you have tosystemctl restart boxfor them to go live. This is a bit hacky but at least you can put logs as you see fit to check if authentik is even reaching the server and such.@nebulon yes, I have the feeling that it is somehow ssl related, in which case no logging is expected as the general connection fails. On the other hand this is written in the ldap configuration in authentik:
When connecting to an LDAP Server with TLS, certificates are not checked by default.
-
@nebulon yes, I have the feeling that it is somehow ssl related, in which case no logging is expected as the general connection fails. On the other hand this is written in the ldap configuration in authentik:
When connecting to an LDAP Server with TLS, certificates are not checked by default.
-
Just to close this topic up. It seems one mayor factor seems to have been that the "worker" in authentik was stuck and therefore did not attempt to connect to process the ldap connection. After it started processing the connection it ran into some python tracebacks because of missing attributes. I could not get the sync to run, but then anyways decided to do it the other way around and use authentik as my primary source of users and connect my Cloudron to authentik instead.
The final switch is still pending however as Cloudron already has an ldap source configured, which I am going to decommission soon.
-
F fbartels marked this topic as a question on
-
-
Just to close this topic up. It seems one mayor factor seems to have been that the "worker" in authentik was stuck and therefore did not attempt to connect to process the ldap connection. After it started processing the connection it ran into some python tracebacks because of missing attributes. I could not get the sync to run, but then anyways decided to do it the other way around and use authentik as my primary source of users and connect my Cloudron to authentik instead.
The final switch is still pending however as Cloudron already has an ldap source configured, which I am going to decommission soon.
@fbartels said in How to debug Cloudron directory server?:
Just to close this topic up. It seems one mayor factor seems to have been that the "worker" in authentik was stuck and therefore did not attempt to connect to process the ldap connection. After it started processing the connection it ran into some python tracebacks because of missing attributes. I could not get the sync to run, but then anyways decided to do it the other way around and use authentik as my primary source of users and connect my Cloudron to authentik instead.
The final switch is still pending however as Cloudron already has an ldap source configured, which I am going to decommission soon.
Would you mind sharing your ldap configuration in Authentik with us?
-
I think @Sam_uk would be interested in this thread as he's been exploring things like Authentik too.
-
I have to confess that I have not yet made that switch. While I decommissioned the old ldap I did not spend further time on connecting my Cloudron to Authentik. The reason behind this is that the hardware my authentik is running on is not really stable. Random crashes (sometimes weeks apart). Therefore I have not yet connected external services to it.
-
I have to confess that I have not yet made that switch. While I decommissioned the old ldap I did not spend further time on connecting my Cloudron to Authentik. The reason behind this is that the hardware my authentik is running on is not really stable. Random crashes (sometimes weeks apart). Therefore I have not yet connected external services to it.
-
@fbartels understood, but just giving me the values you entered in Authentik would safe me some time
@andreasdueren i think I just followed their documentation: https://goauthentik.io/docs/providers/ldap/generic_setup
