
LDAP Outpost goes into infinite loop when requesting Users from a Group that doesn't exist #13540

@gbeaurain-bway


When requesting the users from a group that doesn't exist, LDAP Outpost goes into an infinite loop. The only way to stop it is to delete the outpost and re-create it.

Example with ldapsearch. The below command works fine:

ldapsearch -x -H ldap://10.229.46.151:389 -D 'cn=ldap-user,ou=users,dc=ldap,dc=goauthentik,dc=io' -w '<password>' -b 'ou=users,dc=ldap,dc=goauthentik,dc=io' '(memberOf=cn=customer,ou=groups,dc=ldap,dc=goauthentik,dc=io)'

Result is:

# extended LDIF
#
# LDAPv3
# base <ou=users,dc=ldap,dc=goauthentik,dc=io> with scope subtree
# filter: (memberOf=cn=customer,ou=groups,dc=ldap,dc=goauthentik,dc=io)
# requesting: ALL
#

<...... results......>

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

Now, if we change the group name from customer to Customer:

ldapsearch -x -H ldap://10.229.46.151:389 -D 'cn=ldap-user,ou=users,dc=ldap,dc=goauthentik,dc=io' -w '<password>' -b 'ou=users,dc=ldap,dc=goauthentik,dc=io' '(memberOf=cn=Customer,ou=groups,dc=ldap,dc=goauthentik,dc=io)'

The ldapsearch queries hang until the LDAP outpost is killed.

In the LDAP outpost logs, we see:

{"baseDN":"ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=ldap-user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.11.127.15","event":"selecting provider for search request","filter":"(memberOf=cn=Customer,ou=groups,dc=ldap,dc=goauthentik,dc=io)","level":"trace","provider":"DC=ldap,DC=goauthentik,DC=io","requestId":"42f22280-45b4-4ba2-945d-5dde8623b1a8","scope":"Whole Subtree","timestamp":"2025-03-14T23:02:22Z"}
{"baseDN":"ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=ldap-user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.11.127.15","event":"routing to default","filter":"(memberOf=cn=Customer,ou=groups,dc=ldap,dc=goauthentik,dc=io)","level":"trace","requestId":"42f22280-45b4-4ba2-945d-5dde8623b1a8","scope":"Whole Subtree","timestamp":"2025-03-14T23:02:22Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:23Z"}
{"error":"400 Bad Request","event":"failed to fetch page","level":"warning","logger":"authentik.outpost.ldap.searcher.direct","page":1,"timestamp":"2025-03-14T23:02:24Z"}

In the server logs we see:

{"auth_via": "api_token", "domain_url": "10.229.46.151", "event": "/api/v3/core/users/?groups_by_name=Customer&include_groups=true&page=1&page_size=100", "host": "10.229.46.151:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1236725, "remote": "172.19.0.1", "request_id": "141a3bb9bcab48d8870235929dfed01f", "runtime": 118, "schema_name": "public", "scheme": "http", "status": 400, "timestamp": "2025-03-14T23:02:23.070527", "user": "ak-outpost-fd6fa081be4a4783b9abcb9c6afcf127", "user_agent": "goauthentik.io/outpost/2025.2.1"}
{"auth_via": "api_token", "domain_url": "10.229.46.151", "event": "/api/v3/core/users/?groups_by_name=Customer&include_groups=true&page=1&page_size=100", "host": "10.229.46.151:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1236725, "remote": "172.19.0.1", "request_id": "ebaf510a3568444dad6378988d344a6e", "runtime": 117, "schema_name": "public", "scheme": "http", "status": 400, "timestamp": "2025-03-14T23:02:23.260415", "user": "ak-outpost-fd6fa081be4a4783b9abcb9c6afcf127", "user_agent": "goauthentik.io/outpost/2025.2.1"}
{"auth_via": "api_token", "domain_url": "10.229.46.151", "event": "/api/v3/core/users/?groups_by_name=Customer&include_groups=true&page=1&page_size=100", "host": "10.229.46.151:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1236725, "remote": "172.19.0.1", "request_id": "5fe214459ef7403b9f9704be61c665e6", "runtime": 76, "schema_name": "public", "scheme": "http", "status": 400, "timestamp": "2025-03-14T23:02:23.444453", "user": "ak-outpost-fd6fa081be4a4783b9abcb9c6afcf127", "user_agent": "goauthentik.io/outpost/2025.2.1"}
{"auth_via": "api_token", "domain_url": "10.229.46.151", "event": "/api/v3/core/users/?groups_by_name=Customer&include_groups=true&page=1&page_size=100", "host": "10.229.46.151:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1236725, "remote": "172.19.0.1", "request_id": "79707b01aaa84f079f1b96dad59e8cd9", "runtime": 75, "schema_name": "public", "scheme": "http", "status": 400, "timestamp": "2025-03-14T23:02:23.563219", "user": "ak-outpost-fd6fa081be4a4783b9abcb9c6afcf127", "user_agent": "goauthentik.io/outpost/2025.2.1"}
{"auth_via": "api_token", "domain_url": "10.229.46.151", "event": "/api/v3/core/users/?groups_by_name=Customer&include_groups=true&page=1&page_size=100", "host": "10.229.46.151:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1236725, "remote": "172.19.0.1", "request_id": "5b735ab12e414c67ac811a9d11a8aac8", "runtime": 77, "schema_name": "public", "scheme": "http", "status": 400, "timestamp": "2025-03-14T23:02:23.686587", "user": "ak-outpost-fd6fa081be4a4783b9abcb9c6afcf127", "user_agent": "goauthentik.io/outpost/2025.2.1"}
{"auth_via": "api_token", "domain_url": "10.229.46.151", "event": "/api/v3/core/users/?groups_by_name=Customer&include_groups=true&page=1&page_size=100", "host": "10.229.46.151:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1236725, "remote": "172.19.0.1", "request_id": "3947986cec7342168d89a625a5a76861", "runtime": 77, "schema_name": "public", "scheme": "http", "status": 400, "timestamp": "2025-03-14T23:02:23.808532", "user": "ak-outpost-fd6fa081be4a4783b9abcb9c6afcf127", "user_agent": "goauthentik.io/outpost/2025.2.1"}

Running the same API query in Postman gets:

[screenshot of the Postman response]

The query sends back a 400. That doesn't seem right. The query doesn't fail, it has no data to return. We should get a 200. Or LDAP Outpost should be able to handle that 400 and deduce that there is no result and reply to the LDAP query with numResponses: 0.

  • authentik version: [2025.2.1]
  • Deployment: [docker-compose]
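As an added illustration (not authentik's own code), a Go sketch of a page-fetching loop that terminates on a 400 instead of re-requesting page 1 forever. The endpoint path and query parameters follow the server log lines above; the usersPage struct, fetchUsers and the newFakeAPI stand-in server are constructed for this example and do not mirror the real outpost or API schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
// usersPage holds only the response fields the loop needs (constructed for this example).
type usersPage struct {
	Results    []map[string]any                `json:"results"`
	Pagination struct{ Next int `json:"next"` } `json:"pagination"`
}
// fetchUsers walks the paginated users endpoint. A 4xx status ends the walk with an error
// instead of re-requesting the same page, so the caller can answer the LDAP client with zero entries.
func fetchUsers(baseURL, group string) ([]map[string]any, error) {
	var all []map[string]any
	for page := 1; page != 0; {
		resp, err := http.Get(fmt.Sprintf("%s/api/v3/core/users/?groups_by_name=%s&include_groups=true&page=%d&page_size=100", baseURL, group, page))
		if err != nil {
			return nil, err
		}
		var p usersPage
		if resp.StatusCode >= 400 && resp.StatusCode < 500 {
			// Repeating an identical request cannot change a 4xx answer: stop here.
			err = fmt.Errorf("users query rejected, not retrying: %s", resp.Status)
		} else {
			err = json.NewDecoder(resp.Body).Decode(&p)
		}
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		all = append(all, p.Results...)
		page = p.Pagination.Next // 0 marks the last page
	}
	return all, nil
}

// newFakeAPI is a constructed stand-in for the authentik server: it knows a single
// group, "customer", and answers 400 to any other groups_by_name value.
func newFakeAPI() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("groups_by_name") != "customer" {
			http.Error(w, `{"detail":"unknown group"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"results":[{"username":"alice"},{"username":"bob"}],"pagination":{"next":0}}`)
	}))
}
```

With the fake server, fetchUsers(srv.URL, "customer") returns two entries, while fetchUsers(srv.URL, "Customer") returns an error after a single request instead of hanging.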
