Skip to content

docs(common-issues): explain LDAP Result Code 49 from IDM volume desync #926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
michaelstingl wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs(common-issues): explain LDAP Result Code 49 from IDM volume desync #926

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions docs/admin/resources/common-issues.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,3 +197,49 @@ docker compose restart
#### ⚠️ Recommendation

Admins should avoid using LibreIDM in production and use OpenLDAP instead.

## Login fails with LDAP Result Code 49 (Invalid Credentials)

When using the built-in IDM (LibreIDM), login can fail with `Unexpected HTTP response:
500` in the browser, and the logs show the internal directory rejecting a bind:

```bash
opencloud-1 | {"level":"error","service":"idm","bind_dn":"uid=idp,ou=sysusers,o=libregraph-idm","op":"bind","message":"not found"}
opencloud-1 | {"level":"error","service":"idp","error":"ldap identifier backend logon connect error: LDAP Result Code 49 \"Invalid Credentials\": ","message":"identifier failed to logon with backend"}
```

The built-in IDM seeds its service-account passwords once, at first start, into a
bolt-store on the data volume (`idm.boltdb`), matching the values `opencloud init`
writes into `opencloud.yaml` on the config volume. The bind fails when the two volumes
are no longer from the same `init`. The `idm` line reads either `not found` or
`invalid credentials`; both mean the same mismatch. This usually comes from setting an
internal LDAP password in the environment, or from reusing one volume (for example a
restored or carried-over data volume) without the other.

### Solution

With the built-in IDM, do not set the internal LDAP or service passwords in `.env` or
the environment. Let `opencloud init` generate them, and keep only
`INITIAL_ADMIN_PASSWORD`.

Treat `opencloud.yaml` (config volume) and the data volume as one set. When you back
up, restore, or move the instance, keep them together and from the same point in time.

If you do not need the existing data, remove both volumes so `init` generates a
matching set, then start again:

```bash
docker compose down
docker volume rm opencloud-compose_opencloud-config opencloud-compose_opencloud-data
docker compose up -d
```

:::caution
Deleting `idm.boltdb` alone may not be enough: it is re-seeded from the current config,
but a bind password still set in the environment keeps the two sides out of sync.
:::

### Recommendation

The built-in IDM is intended for testing and small installations. For production, use
an external identity provider, for example Keycloak with an external LDAP.