Description
Describe the bug
ldap_bind: Operations error (1)
when executing a search in LDAP directory with bind user.
To Reproduce
- Create LDAP application, provider and outpost. Follow the guide to the letter, including the flow setup. See below for the flow blueprint.
- Create service user, add it to the LDAP provider with 'Search full LDAP directory' permission. OR use standard akadmin superuser.
- Run the following command to list the directory.
Assumptions:
Provider created with the following Base DN: DC=ldap,DC=domain,DC=ext
ldapsearch -x -H ldap://your_outpost_address:3389 -D 'cn=<akadmin|your bind user>,ou=<users|your bind user group>,dc=ldap,dc=domain,dc=ext' -w '<akadmin password|bind user token>' -b 'dc=ldap,dc=domain,dc=ext' '(objectClass=user)'
- Observe
ldap_bind: Operations error (1)
Expected behavior
To be honest I don't know as this never worked 😅
I assume a listing of all users, or something other than ldap_bind: Operations error (1).
Logs
Nginx logs
It seems that the request that fails the chain is /api/v3/core/users/me/, according to the nginx logs.
LDAP Outpost logs
Note the "failed to get user info" error, also mentioned in #4138.
[
{
"cidr": "10.0.0.0/8",
"event": "Using remote IP from proxy protocol",
"level": "trace",
"remoteAddr": "10.89.0.1",
"timestamp": "2025-09-26T15:24:06-04:00"
},
{
"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext",
"client": "10.89.0.1",
"component": "ak-stage-identification",
"event": "Got challenge",
"flow": "ldap-authentication-flow",
"level": "debug",
"requestId": "5abcce19-e4ff-4e51-b00d-8ec4b5a97845",
"timestamp": "2025-09-26T15:24:07-04:00"
},
{
"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext",
"client": "10.89.0.1",
"component": "xak-flow-redirect",
"event": "Got response",
"flow": "ldap-authentication-flow",
"level": "debug",
"requestId": "5abcce19-e4ff-4e51-b00d-8ec4b5a97845",
"timestamp": "2025-09-26T15:24:09-04:00"
},
{
"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext",
"client": "10.89.0.1",
"event": "User has access",
"level": "info",
"requestId": "5abcce19-e4ff-4e51-b00d-8ec4b5a97845",
"timestamp": "2025-09-26T15:24:09-04:00"
},
{
"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext",
"client": "10.89.0.1",
"error": "403 Forbidden",
"event": "failed to get user info",
"level": "warning",
"requestId": "5abcce19-e4ff-4e51-b00d-8ec4b5a97845",
"timestamp": "2025-09-26T15:24:09-04:00"
},
{
"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext",
"client": "10.89.0.1",
"event": "Bind request",
"level": "info",
"requestId": "5abcce19-e4ff-4e51-b00d-8ec4b5a97845",
"timestamp": "2025-09-26T15:24:09-04:00",
"took-ms": 3487
}
]
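As an added diagnostic example (not code from this report or from authentik), the Python below triages outpost log lines like the ones above: it groups entries by requestId and separates binds where the flow granted access but the follow-up API call was denied, which is the signature in this report, from ordinary bind failures. The sample log lines and their requestIds are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of authentik LDAP outpost log lines (one JSON object per
# line), shaped like the entries quoted in the report; requestIds are made up.
SAMPLE_LOG = """\
{"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext", "event": "Got challenge", "level": "debug", "requestId": "req-1"}
{"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext", "event": "User has access", "level": "info", "requestId": "req-1"}
{"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext", "error": "403 Forbidden", "event": "failed to get user info", "level": "warning", "requestId": "req-1"}
{"bindDN": "cn=service-ldap-reader,ou=ldap readers,dc=ldap,dc=domain,dc=ext", "event": "Bind request", "level": "info", "requestId": "req-1", "took-ms": 3487}
{"bindDN": "cn=app-user,ou=users,dc=ldap,dc=domain,dc=ext", "event": "Got challenge", "level": "debug", "requestId": "req-2"}
{"bindDN": "cn=app-user,ou=users,dc=ldap,dc=domain,dc=ext", "event": "User has access", "level": "info", "requestId": "req-2"}
{"bindDN": "cn=app-user,ou=users,dc=ldap,dc=domain,dc=ext", "event": "Bind request", "level": "info", "requestId": "req-2", "took-ms": 120}
{"cidr": "10.0.0.0/8", "event": "Using remote IP from proxy protocol", "level": "trace"}
"""


def parse_outpost_log(text):
    """Parse newline-delimited JSON; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def triage_binds(entries):
    """Classify each bind attempt grouped by requestId. flow_ok_api_denied means
    the flow granted access but the outpost's follow-up API call failed, so the
    API route (web path) or the service user's permissions are what to check."""
    by_request = defaultdict(list)
    for e in entries:
        if "requestId" in e:  # entries without one are not part of a bind
            by_request[e["requestId"]].append(e)
    verdicts = {}
    for rid, evs in by_request.items():
        events = {e.get("event") for e in evs}
        failures = [e for e in evs if e.get("event") == "failed to get user info"]
        if "User has access" in events and failures:
            verdict = "flow_ok_api_denied"
        elif "User has access" in events:
            verdict = "bind_ok"
        else:
            verdict = "flow_denied_or_incomplete"
        verdicts[rid] = {"bindDN": evs[0].get("bindDN"), "verdict": verdict,
                         "error": failures[0].get("error") if failures else None}
    return verdicts
```

Run it against the real outpost output by feeding the JSON array elements (one per line) to parse_outpost_log; a bind classified as flow_ok_api_denied with a 403 points at the API request rather than at the bind credentials.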
Version and Deployment
- authentik version: 2025.8.3
- Deployment: manual docker/podman
Additional context
Some outpost requests don't respect the set AUTHENTIK_WEB__PATH.
See #13674 (comment) for details.
My temp workaround:
location ^~ /api/v3/ {
    proxy_pass https://authentik/your-authentik-web-path/api/v3/;
    # rest of the proxy config
}
location ^~ /your-authentik-web-path/ {
    proxy_pass https://authentik;
    # rest of the proxy config
}
Exported ldap-authentication-flow
Below is the authentication flow that is being used. The default-authentication-flow won't work; my understanding is that LDAP seems to require having the separate password stage defined in the identification stage.
context: {}
entries:
- attrs:
    authentication: require_outpost
    denied_action: message_continue
    designation: authentication
    layout: stacked
    name: ldap-authentication-flow
    policy_engine_mode: any
    title: ldap-authentication-flow
  conditions: []
  identifiers:
    pk: 4e2b13a6-473c-42a8-8208-9aba31d8d542
    slug: ldap-authentication-flow
  model: authentik_flows.flow
  permissions: []
  state: present
- attrs:
    case_insensitive_matching: true
    password_stage: 8d788a28-98e8-4542-8994-8c56b6489faa # ldap-authentication-password
    pretend_user_exists: true
    show_matched_user: true
    user_fields:
    - username
    - email
  conditions: []
  identifiers:
    name: ldap-identification-stage
    pk: c0dbbb59-b60e-4031-91c9-1172df0cc24c
  model: authentik_stages_identification.identificationstage
  permissions: []
  state: present
- attrs:
    backends:
    - authentik.core.auth.InbuiltBackend
    - authentik.core.auth.TokenBackend
    - authentik.sources.ldap.auth.LDAPBackend
    failed_attempts_before_cancel: 5
  conditions: []
  identifiers:
    name: ldap-authentication-password
    pk: 8d788a28-98e8-4542-8994-8c56b6489faa
  model: authentik_stages_password.passwordstage
  permissions: []
  state: present
- attrs:
    geoip_binding: bind_continent
    network_binding: bind_asn
    remember_device: days=30
    remember_me_offset: seconds=0
    session_duration: seconds=0
  conditions: []
  identifiers:
    name: ldap-authentication-login
    pk: 96348e28-b04e-43a4-93b1-4d1c1fb2057c
  model: authentik_stages_user_login.userloginstage
  permissions: []
  state: present
- attrs:
    evaluate_on_plan: true
    invalid_response_action: retry
    policy_engine_mode: any
    re_evaluate_policies: true
  conditions: []
  identifiers:
    order: 10
    pk: fb437359-46e5-4bfd-9166-856409b85699
    stage: c0dbbb59-b60e-4031-91c9-1172df0cc24c # ldap-identification-stage
    target: 4e2b13a6-473c-42a8-8208-9aba31d8d542 # ldap-authentication-flow
  model: authentik_flows.flowstagebinding
  permissions: []
  state: present
- attrs:
    evaluate_on_plan: true
    invalid_response_action: retry
    policy_engine_mode: any
  conditions: []
  identifiers:
    order: 30
    pk: 28c4c5b3-4e5f-4322-97c8-4074057d951b
    stage: 96348e28-b04e-43a4-93b1-4d1c1fb2057c # ldap-authentication-login
    target: 4e2b13a6-473c-42a8-8208-9aba31d8d542 # ldap-authentication-flow
  model: authentik_flows.flowstagebinding
  permissions: []
  state: present
metadata:
  labels:
    blueprints.goauthentik.io/generated: 'true'
  name: authentik Export - 2025-09-26 19:28:42.140137+00:00
version: 1