🐛 Bug Report: LDAP user uuid not matching PocketID user sub . #387

Closed
opened 2026-02-04 19:22:29 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @hqo998 on GitHub (Jul 20, 2025).

Reproduction steps

I have a user that exists in LLDAP with a uuid of
e27fea52-10ad-3430-b465-67bb43a02280 when I sync the users to PocketID, the sub token has changed to
66791b7d-035a-47b4-947e-48e595291368. I've tried changing the variable for the User Unique Identifier Attribute to different attributes but had no luck in getting them to match.

Not sure if this is even intended behaviour, quite new to SSO systems.

Image Image Image

Expected behavior

I would expect the UUID to match the sub token.

Actual Behavior

Pocket ID sub doesn't match LDAP uuid.

Version and Environment

Pocket ID 1.6.2

Log Output

2025-07-20 11:19:14.657270+00:002025/07/20 21:19:14 github.com/pocket-id/pocket-id/backend/internal/service/user_service.go:247 duplicated key not allowed
2025-07-20 11:19:14.657283+00:00[0.062ms] [rows:0] INSERT INTO `users` (`id`,`created_at`,`username`,`email`,`first_name`,`last_name`,`is_admin`,`locale`,`ldap_id`,`disabled`) VALUES (?,?,?,?,?,?,?,?,?,?)
2025-07-20 11:19:14.657283+00:002025/07/20 21:19:14 Skipping creating LDAP user 'charles': username is already in use
2025-07-20 11:19:14.707367+00:00[GIN] 2025/07/20 - 21:19:14 | 204 |  235.871352ms |  162.158.39.219 | POST     "/api/application-configuration/sync-ldap"
2025-07-20 11:19:15.021211+00:002025-07-20T11:19:15.021211213Z
2025-07-20 11:19:15.021274+00:002025/07/20 21:19:15 github.com/pocket-id/pocket-id/backend/internal/service/user_service.go:247 duplicated key not allowed
2025-07-20 11:19:15.021295+00:00[0.067ms] [rows:0] INSERT INTO `users` (`id`,`created_at`,`username`,`email`,`first_name`,`last_name`,`is_admin`,`locale`,`ldap_id`,`disabled`) VALUES (?,?,?,?,?,?,?,?,?,?)
2025-07-20 11:19:15.021309+00:002025/07/20 21:19:15 Skipping creating LDAP user 'charles': username is already in use
2025-07-20 11:19:15.066622+00:00[GIN] 2025/07/20 - 21:19:15 | 204 |  166.988347ms |  162.158.39.219 | POST     "/api/application-configuration/sync-ldap"

Pocket ID has pre-existing local user Charles that conflicts with LDAP, believed to be unrelated but that user as you see in the logs doesn't get updated to match LDAP

Originally created by @hqo998 on GitHub (Jul 20, 2025). ### Reproduction steps I have a user that exists in LLDAP with a uuid of e27fea52-10ad-3430-b465-67bb43a02280 when I sync the users to PocketID, the sub token has changed to 66791b7d-035a-47b4-947e-48e595291368. I've tried changing the variable for the User Unique Identifier Attribute to different attributes but had no luck in getting them to match. Not sure if this is even intended behaviour, quite new to SSO systems. <img width="938" height="1076" alt="Image" src="https://github.com/user-attachments/assets/282a5e1a-5bab-4260-80b1-fddd2e27bf99" /> <img width="1122" height="692" alt="Image" src="https://github.com/user-attachments/assets/c7ef572a-ec41-4bd3-83de-05cb4ce41b2a" /> <img width="964" height="1104" alt="Image" src="https://github.com/user-attachments/assets/57685a1e-7c56-4d46-9c7a-5a56ea5d148a" /> ### Expected behavior I would expect the UUID to match the sub token. ### Actual Behavior Pocket ID sub doesn't match LDAP uuid. ### Version and Environment Pocket ID 1.6.2 ### Log Output ``` 2025-07-20 11:19:14.657270+00:002025/07/20 21:19:14 github.com/pocket-id/pocket-id/backend/internal/service/user_service.go:247 duplicated key not allowed 2025-07-20 11:19:14.657283+00:00[0.062ms] [rows:0] INSERT INTO `users` (`id`,`created_at`,`username`,`email`,`first_name`,`last_name`,`is_admin`,`locale`,`ldap_id`,`disabled`) VALUES (?,?,?,?,?,?,?,?,?,?) 2025-07-20 11:19:14.657283+00:002025/07/20 21:19:14 Skipping creating LDAP user 'charles': username is already in use 2025-07-20 11:19:14.707367+00:00[GIN] 2025/07/20 - 21:19:14 | 204 | 235.871352ms | 162.158.39.219 | POST "/api/application-configuration/sync-ldap" 2025-07-20 11:19:15.021211+00:002025-07-20T11:19:15.021211213Z 2025-07-20 11:19:15.021274+00:002025/07/20 21:19:15 github.com/pocket-id/pocket-id/backend/internal/service/user_service.go:247 duplicated key not allowed 2025-07-20 11:19:15.021295+00:00[0.067ms] [rows:0] INSERT INTO `users` (`id`,`created_at`,`username`,`email`,`first_name`,`last_name`,`is_admin`,`locale`,`ldap_id`,`disabled`) VALUES (?,?,?,?,?,?,?,?,?,?) 2025-07-20 11:19:15.021309+00:002025/07/20 21:19:15 Skipping creating LDAP user 'charles': username is already in use 2025-07-20 11:19:15.066622+00:00[GIN] 2025/07/20 - 21:19:15 | 204 | 166.988347ms | 162.158.39.219 | POST "/api/application-configuration/sync-ldap" ``` Pocket ID has pre-existing local user Charles that conflicts with LDAP, believed to be unrelated but that user as you see in the logs doesn't get updated to match LDAP
OVERLORD added the bug label 2026-02-04 19:22:29 +03:00
Author
Owner

@kmendell commented on GitHub (Jul 21, 2025):

This is most likley because it uses the Pocket ID Id attribute vs the ldapID attribute. The ldapId one is what is used to identify the user from ldap in pocket id. Otherwise the ID generated by pocket id is used for the authentication.

@kmendell commented on GitHub (Jul 21, 2025): This is most likley because it uses the Pocket ID `Id` attribute vs the `ldapID` attribute. The ldapId one is what is used to identify the user from ldap in pocket id. Otherwise the ID generated by pocket id is used for the authentication.
Author
Owner

@stonith404 commented on GitHub (Jul 21, 2025):

Yes, this behavior is intended. The ID returned by Pocket ID gets generated by Pocket ID and doesn't get imported from LDAP.

@stonith404 commented on GitHub (Jul 21, 2025): Yes, this behavior is intended. The ID returned by Pocket ID gets generated by Pocket ID and doesn't get imported from LDAP.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#387