I am trying to configure Grommunio with LDAP, but I keep getting the error:
list index out of range
when trying to import.
From the command-line:
pelmail02:~ # grommunio-admin ldap info
Successfully connected to prod-auth:389 as cn=ldapservice,ou=users,dc=domain,dc=co
But any other commands also return an index error:
pelmail02:~ # grommunio-admin ldap search
An error occurred: IndexError('list index out of range',).
I cannot find anywhere that grommunio actually logs LDAP events, and I cannot figure out what the issue is. Checking the logs from my LDAP provider, I see the requests sent to it:
{"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","client":"192.168.1.219","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"9eb44e07-068a-45e6-b458-c4b7db2f755d","scope":"Base Object","timestamp":"2022-10-29T21:12:57Z","took-ms":0}
{"baseDN":"ou=users,dc=domain,dc=co","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","client":"192.168.1.219","event":"Search request","filter":"(&(|(cn=* *))(objectClass=user))","level":"info","requestId":"a68eb2a2-996f-463c-9e22-0d8c52163d8f","scope":"Whole Subtree","timestamp":"2022-10-29T21:12:57Z","took-ms":0}
{"baseDN":"ou=users,dc=domain,dc=co","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","client":"192.168.1.219","event":"Search request","filter":"(&(entryUUID=darrinw)(objectClass=user))","level":"info","requestId":"35ad487b-66e1-4ae0-bedf-894097ded6b7","scope":"Whole Subtree","timestamp":"2022-10-29T21:12:57Z","took-ms":0}
{"baseDN":"ou=users,dc=domain,dc=co","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","client":"192.168.1.219","event":"Search request","filter":"(&(|(cn=*user*))(objectClass=user))","level":"info","requestId":"3ed748a6-e3f2-4a1d-8d30-3eb87a854a61","scope":"Whole Subtree","timestamp":"2022-10-29T21:12:57Z","took-ms":0}
Using ldapsearch I can successfully bind and return a search.
I would like to know, though: on the search filter, there should be an option to remove part of the search filter, i.e. the (&(|(cn=*user*))(objectClass=user)). You should be able to remove portions of it, i.e. the first part. However, attempting to do so in the UI returns an error if I attempt to remove the LDAP search attribute.
Ultimately, we want to use our SSO for authentication, and it seems LDAP is currently the only option. I see in the roadmap Keycloak support is being integrated, but for those of us using another IDP outside of Keycloak, what are we left to do? Unless the integration will allow OIDC or SAML. Or is the Keycloak implementation, from what it reads, using the Keycloak API?
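An added diagnostic, not part of the post or of Grommunio itself: a small Python script that parses the provider's JSON search log shown above with a minimal RFC 4515 filter parser and reports, per request, what the client actually asked for. The sample log lines are constructed from the post's own values (first line missing its brace as in the post); the entryUUID check is a heuristic that assumes OpenLDAP-style UUID syntax for that attribute.

```python
import json
import re

# Constructed sample in the shape of the post's LDAP provider log, reusing its values.
SAMPLE_LOG = '''"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","event":"Search request","filter":"(objectClass=*)","scope":"Base Object"}
{"baseDN":"ou=users,dc=domain,dc=co","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","event":"Search request","filter":"(&(|(cn=* *))(objectClass=user))","scope":"Whole Subtree"}
{"baseDN":"ou=users,dc=domain,dc=co","bindDN":"cn=ldapservice,ou=users,dc=domain,dc=co","event":"Search request","filter":"(&(entryUUID=darrinw)(objectClass=user))","scope":"Whole Subtree"}'''

UUID_RE = re.compile(r'[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', re.I)  # entryUUID syntax (heuristic)

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) or ('attr', 'value') tuples."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == '(', f"expected '(' at {pos} in {text!r}"
        pos += 1
        if text[pos] in '&|!':                  # composite: (&...), (|...), (!...)
            op, kids, pos = text[pos], [], pos + 1
            while text[pos] == '(':
                kids.append(node())
            assert text[pos] == ')', f"expected ')' at {pos} in {text!r}"
            pos += 1
            return (op, kids)
        end = text.index(')', pos)              # a ')' inside a value must be escaped as \29
        attr, _, value = text[pos:end].partition('=')
        pos = end + 1
        return (attr, value)
    return node()

def assertions(tree):
    """Flatten a filter tree into the (attribute, value) assertions it contains."""
    op, rest = tree
    if op in ('&', '|', '!'):
        return [a for kid in rest for a in assertions(kid)]
    return [(op, rest)]

def audit(log_text):
    """One (baseDN, scope, findings) tuple per search request; a line missing '{' is repaired."""
    rows = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line if line.startswith('{') else '{' + line)
        findings = []
        if rec['baseDN'] == '' and rec['scope'] == 'Base Object':
            findings.append('root DSE probe: proves bind and connectivity only')
        for attr, value in assertions(parse_filter(rec['filter'])):
            if attr.lower() == 'entryuuid' and not UUID_RE.fullmatch(value):   # heuristic
                findings.append(f'{attr} compared with non-UUID {value!r}: check the ID attribute mapping')
        rows.append((rec['baseDN'], rec['scope'], findings))
    return rows
```

The point is that `ldap info` succeeding only proves the first request (the root DSE probe); the import path depends on the subtree searches returning entries, so each filter assertion is worth checking against the directory schema.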