Solved How to debug Cloudron directory server?
I have been toying on and off with an instance of authentik and the next step would be to fill it with users. For this I wanted to configure my Cloudron system as the "LDAP source" in Auhtentik. But somehow I am not getting users listed.
The authentik system is a vm on my home network and from my workstation on the same network I can also successfully execute
ldapsearch -v -x -b "ou=users,dc=cloudron" -D "cn=admin,ou=system,dc=cloudron" -w xxx -H ldaps://my.xxx.xx:636
And since I had to first set
export LDAPTLS_REQCERT=neveron the vm authentik is running on I expect an ssl issue. Weirdly
openssl s_client -connect my.xxx.xx:636is able to connect.
Now I am looking for some logging. Authentik does not seem to log anything (I am asking the same question about log locations in their Discord), so I was wondering if Cloudron may have some logging that I am missing. I already did a
journalctl -u box, but that did not give much info.
PS: Authentik also offers the ability to write password changes back into its upstream ldap. Would this work with Cloudron or is the current ldap interface read only?
Generally unless there is a bug, SSL should works fine there. Also you are saying using the
ldapsearchtool you get a userlisting?
There are no further debugging options out of the box, however you can manually add
console.log()s in the
/home/yellowtent/box/src/userdirectory.jsfor debugging purpose. After changing the file you have to
systemctl restart boxfor them to go live. This is a bit hacky but at least you can put logs as you see fit to check if authentik is even reaching the server and such.
@nebulon yes, I have the feeling that it is somehow ssl related, in which case no logging is expected as the general connection fails. On the other hand this is written in the ldap configuration in authentik:
When connecting to an LDAP Server with TLS, certificates are not checked by default.
I have progressed a good bit and have now an ldap error in authentik. Debugging further.
Just to close this topic up. It seems one mayor factor seems to have been that the "worker" in authentik was stuck and therefore did not attempt to connect to process the ldap connection. After it started processing the connection it ran into some python tracebacks because of missing attributes. I could not get the sync to run, but then anyways decided to do it the other way around and use authentik as my primary source of users and connect my Cloudron to authentik instead.
The final switch is still pending however as Cloudron already has an ldap source configured, which I am going to decommission soon.