"Error getting DN for LDAP user" while using OpenID Connect

Agathold · March 7, 2023, 1:20pm

I configured NextCloud access using Authelia as an OpenID Connect provider.
Nextcloud uses LDAP to authentication users.
When an existing user enters NextCloud, everything is fine.
However, if a new user tries to log in to NextCloud, it is not created, and the error “Error getting DN for LDAP user” appears.

Expected behavior - if the user is not found in Nextcloud, then it will be created automatically using the data received from Authelia.

My config in Authelia:

identity_providers:
  oidc:
    hmac_secret: my_secret
    issuer_private_key: |
      -----BEGIN PRIVATE KEY-----
      1WCdfydvg
      -----END PRIVATE KEY-----
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://example.com
      allowed_origins_from_client_redirect_uris: true
    clients:
      - id: nextcloud
        description: NextCloud
        secret: my_secret
        public: false
        authorization_policy: one_factor
        redirect_uris:
          - https://cloud.example.com/index.php/apps/oidc_login/oidc
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signing_algorithm: none

My Nextcloud config:

  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_provider_url' => 'https://auth.example.com',
  'oidc_login_client_id' => 'nextcloud',
  'oidc_login_client_secret' => 'secret',
  'oidc_login_auto_redirect' => true,
  'oidc_login_end_session_redirect' => false,
  'oidc_login_button_text' => 'Log in with Authelia',
  'oidc_login_hide_password_form' => false,
  'oidc_login_use_id_token' => true,
  'oidc_login_attributes' => array (
    'id' => 'preferred_username',
    'name' => 'name',
    'mail' => 'email',
    'groups' => 'groups',
    'ldap_uid' => 'preferred_username',
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_use_external_storage' => false,
  'oidc_login_scope' => 'openid profile email groups',
  'oidc_login_proxy_ldap' => true,
  'oidc_login_disable_registration' => false,
  'oidc_login_redir_fallback' => false,
  'oidc_login_alt_login_page' => 'assets/login.php',
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
  'oidc_login_webdav_enabled' => false,
  'oidc_login_password_authentication' => true,
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,

What should I do to fix this behavior?

Best regards!
Sergei