🐛 Bug Report: LDAP pocket-id admin group doesn't work with LLDAP #137

Closed
opened 2025-10-07 23:54:34 +03:00 by OVERLORD · 6 comments

Originally created by @rtozer on GitHub.

Originally assigned to: @kmendell on GitHub.

Reproduction steps

Thanks for a great project.

I've been trying to switch to using LLDAP to manage users.
I've got it hooked up, users and groups are syncing correctly. The pocket_id_admins group I created is synced and the group members are correctly reflected in pocket-id as expected, and I've set that group name in the "Admin Group Name" field in the config, but my user is not being made an admin in pocket-id.

to reproduce:

  1. create a group in LLDAP
  2. assign users you want to be admin in pocket-id to that group
  3. set your config Admin Group Name field to the group name
  4. sync ldap

Expected behavior

members of the group in LLDAP specified in the 'Admin Group Name' in Pocket-ID config should be granted admin privileges in Pocket-ID

Actual Behavior

no users are made admins

Version and Environment

Version: 1.5.0
Env: Docker

I'm not a GO dev, or familiar with the inner workings of LDAP, but I did spot a hard-coded attribute name in the code that checks for admins.
ldap_service.go:332

		isAdmin := false
		for _, group := range value.GetAttributeValues("memberOf") {
			if getDNProperty(dbConfig.LdapAttributeGroupName.Value, group) == dbConfig.LdapAttributeAdminGroup.Value {
				isAdmin = true
				break
			}
		}

Should that 'memberOf' be the 'Group Members Attribute' defined in the config (or env: LDAP_ATTRIBUTE_GROUP_MEMBER)?
For LLDAP it is 'member' which would explain why my admin access is not being granted.

Log Output

No response

OVERLORD added the bug label 2025-10-07 23:54:34 +03:00

@kmendell commented on GitHub:

Image

Here is the pocket id config, my lldap instance is pretty much stock, the only difference may be the avatar attribute, but I think avatar should work out of the box as well.

Another thing to note: I exclude the ldap_* groups from being imported as I don't use them for pocket id, so if you want those you would have to modify the group search filter from (&(objectClass=groupOfNames)(!(cn=*ldap*))) to (&(objectClass=groupOfNames))


@rtozer commented on GitHub:

Thanks for your help. Your config worked for me!
I had taken my attribute names from the user and group schemas in lldap, so my username, first name, last name and group name attributes were different - everything else the same.
In fact I've just changed them all back, except for the group name and it still works, so it's specifically the group name that it didn't like - I used 'display_name' from the schema instead of 'cn'.

I added your template to exclude the ldap groups - makes sense.

Thanks again.
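
Why the group name attribute decided the outcome, as an added example that is not Pocket ID's code and not part of the comment above: the check quoted in the report reads the group name out of each memberOf DN, so the configured attribute must be one that appears in the DN. `dnAttr`, `isAdmin` and the sample DN are hypothetical and constructed; that memberOf holds group DNs of the form `cn=<group>,ou=groups,...` and that `getDNProperty` extracts a named attribute from a DN are assumptions taken from the call site.

```go
package main

import (
	"fmt"
	"strings"
)

// dnAttr (hypothetical helper) returns the value of the first RDN of type attr in dn, or "" if none.
func dnAttr(attr, dn string) string {
	var rdns []string
	var cur strings.Builder
	for i := 0; i < len(dn); i++ {
		switch {
		case dn[i] == '\\' && i+1 < len(dn):
			i++
			cur.WriteByte(dn[i]) // keep the escaped byte, e.g. "\,"
		case dn[i] == ',':
			rdns = append(rdns, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(dn[i])
		}
	}
	for _, rdn := range append(rdns, cur.String()) {
		k, v, ok := strings.Cut(strings.TrimSpace(rdn), "=")
		if ok && strings.EqualFold(k, attr) {
			return v
		}
	}
	return ""
}

// isAdmin follows the shape of the quoted check; an unset adminGroup never matches the "" of a missing attribute.
func isAdmin(memberOf []string, groupNameAttr, adminGroup string) bool {
	for _, dn := range memberOf {
		if adminGroup != "" && dnAttr(groupNameAttr, dn) == adminGroup {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample value, not taken from a real directory.
	memberOf := []string{"cn=pocket_id_admins,ou=groups,dc=example,dc=com"}
	for _, attr := range []string{"display_name", "cn"} {
		fmt.Printf("group name attribute %q: admin=%v\n", attr, isAdmin(memberOf, attr, "pocket_id_admins"))
	}
}
```

With `display_name` no RDN matches, the lookup yields an empty string and the comparison fails closed, which matches the "no users are made admins" symptom without any error being logged.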


@rtozer commented on GitHub:

Thanks for the quick response.
Ok, that's good. If it works for you like that, then there's probably something wrong with my config elsewhere - maybe something I need to do in LLDAP.
So yes, I'd appreciate it if you could share your working config, thank you.


@kmendell commented on GitHub:

I use lldap and I was playing around with this yesterday. I changed that to the attribute for the groups, but nobody was admin in the group. It's a bit weird how lldap does stuff: memberOf is used to get group memberships when searching users, but member is used in other places.

Either way I can't reproduce it. I can share the way I have things set up if that would help.


@kmendell commented on GitHub:

Also most of the placeholder values in pocket id are from lldap, so you can use that as a guide :)


@kmendell commented on GitHub:

You're welcome! Let us know if you have more issues

Reference: starred/pocket-id-pocket-id-1#137