SSO Integration with LDAP StartTLS required, reverse proxy and self-signed certificates

Hi! Super Homarr project. I would like to expand the use to users of my domain with SSO integration with LDAP. My server requires a connection with StartTLS or SSL, functionality that Homarr does not seem to offer for the moment. It would be very useful for my environment with DSM-Synology. I use Homarr with the DSM-Synology integrated reverse proxy and self-signed certificates.
8 Replies
Cakey Bot
Cakey Bot4mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Meierschlumpf
Meierschlumpf4mo ago
Hey, I guess the LDAP server also has a self-signed certificate that is not on the general trusted certificate list, correct? Also, can you post logs of what errors you get when trying to integrate it with your LDAP StartTLS SSO method?
schpountz77
schpountz77OP3mo ago
2025-05-27T17:16:38.879Z error: Read more at https://errors.authjs.dev#credentialssignin name="l" type="CredentialsSignin" kind="signIn" code="credentials"
    at ih (/app/apps/nextjs/.next/server/chunks/9903.js:411:17390)
    at async iy (/app/apps/nextjs/.next/server/chunks/9903.js:411:26869)
    at async ib (/app/apps/nextjs/.next/server/chunks/9903.js:411:31170)
    at async d (/app/apps/nextjs/.next/server/app/api/auth/[...nextauth]/route.js:1:2815)
    at async tf.do (/app/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:18:18835)
    at async tf.handle (/app/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:18:23727)
    at async doRender (/app/node_modules/next/dist/server/base-server.js:1513:42)
    at async NextNodeServer.renderToResponseWithComponentsImpl (/app/node_modules/next/dist/server/base-server.js:1915:28)
    at async NextNodeServer.renderPageComponent (/app/node_modules/next/dist/server/base-server.js:2403:24)
    at async NextNodeServer.renderToResponseImpl (/app/node_modules/next/dist/server/base-server.js:2440:32)
Meierschlumpf
Meierschlumpf3mo ago
Okay, do you also have any other log statement around this one? In theory the error should only be thrown after an error / warn log statement.
schpountz77
schpountz77OP3mo ago
I have this before:
2025-05-27T21:42:12.139Z warn: The callback of 'dnsHole' succeeded but took 797.29ms longer than expected (1000ms). This may indicate that your network performance, host performance or something else is too slow. If this happens too often, it should be looked into.
2025-05-27T21:42:15.382Z info: Dispatching request https://mydns-domain/api?output=json&=queue&apikey=REDACTED (5 headers)
2025-05-27T21:42:15.442Z info: Dispatching request https://mydns-domain/control/stats (6 headers)
2025-05-27T21:42:15.517Z info: Dispatching request https://mydns-domain/api?output=json&mode=history&apikey=REDACTED (5 headers)
2025-05-27T21:42:15.864Z info: user [my-user] was not found
2025-05-27T21:42:15.865Z error: Read more at https://errors.authjs.dev#credentialssignin name="l" type="CredentialsSignin" kind="signIn" code="credentials"
    at ih (/app/apps/nextjs/.next/server/chunks/9903.js:411:17390)
    at async iy (/app/apps/nextjs/.next/server/chunks/9903.js:411:26869)
    at async ib (/app/apps/nextjs/.next/server/chunks/9903.js:411:31170)
    at async d (/app/apps/nextjs/.next/server/app/api/auth/[...nextauth]/route.js:1:2815)
    at async tf.do (/app/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:18:18835)
    at async tf.handle (/app/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:18:23727)
    at async doRender (/app/node_modules/next/dist/server/base-server.js:1513:42)
    at async NextNodeServer.renderToResponseWithComponentsImpl (/app/node_modules/next/dist/server/base-server.js:1915:28)
    at async NextNodeServer.renderPageComponent (/app/node_modules/next/dist/server/base-server.js:2403:24)
    at async NextNodeServer.renderToResponseImpl (/app/node_modules/next/dist/server/base-server.js:2440:32)
Meierschlumpf
Meierschlumpf3mo ago
Okay, so then it seems like your user is just not found: user [my-user] was not found. We use this to find the user:
const ldapUser = await client
  .searchAsync({
    base: env.AUTH_LDAP_BASE,
    options: {
      filter: createLdapUserFilter(credentials.name),
      scope: env.AUTH_LDAP_SEARCH_SCOPE,
      attributes: [env.AUTH_LDAP_USERNAME_ATTRIBUTE, env.AUTH_LDAP_USER_MAIL_ATTRIBUTE],
    },
  })
  .then((entries) => entries.at(0));

const createLdapUserFilter = (username: string) => {
  if (env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG) {
    // For example, if the username is doejohn and the extra arg is (sAMAccountType=1234), the filter will be (&(uid=doejohn)(sAMAccountType=1234))
    return `(&(${env.AUTH_LDAP_USERNAME_ATTRIBUTE}=${username})${env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG})`;
  }

  // For example, if the username is doejohn, the filter will be (uid=doejohn)
  return `(${env.AUTH_LDAP_USERNAME_ATTRIBUTE}=${username})`;
};
So maybe you'll need to change the search scope or user filter:
AUTH_LDAP_SEARCH_SCOPE: base | sub | one -> default base
AUTH_LDAP_USERNAME_ATTRIBUTE: any string -> default uid
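As an added illustration (not Homarr's code), the block below rebuilds the same user-lookup filter shape with RFC 4515 escaping of the login name, and models what the three search scopes match relative to AUTH_LDAP_BASE, which shows why the default scope "base" never returns an entry that sits one level below the base DN. The LdapEnv type, escapeLdapFilterValue and matchesScope are assumptions of this example.

```typescript
// Added example, not Homarr's implementation. Mirrors the filter that
// createLdapUserFilter produces, but escapes the username first.
type LdapEnv = {
  AUTH_LDAP_USERNAME_ATTRIBUTE?: string;          // Homarr default: "uid"
  AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG?: string;   // e.g. "(sAMAccountType=1234)"
};

export type Scope = "base" | "one" | "sub";

// RFC 4515: these characters would otherwise change the filter's structure.
export function escapeLdapFilterValue(value: string): string {
  const map: Record<string, string> = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00",
  };
  return value.replace(/[\\*()\0]/g, (ch) => map[ch] ?? ch);
}

export function createLdapUserFilter(env: LdapEnv, username: string): string {
  const attr = env.AUTH_LDAP_USERNAME_ATTRIBUTE || "uid";
  const value = escapeLdapFilterValue(username);
  if (env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG) {
    // (&(uid=doejohn)(sAMAccountType=1234))
    return `(&(${attr}=${value})${env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG})`;
  }
  return `(${attr}=${value})`; // (uid=doejohn)
}

// Number of RDN levels `dn` sits below `base`, or null if not under it.
function depthBelow(base: string, dn: string): number | null {
  const norm = (s: string) => s.toLowerCase().replace(/\s*,\s*/g, ",");
  const b = norm(base), d = norm(dn);
  if (d === b) return 0;
  if (!d.endsWith("," + b)) return null;
  return d.slice(0, d.length - b.length - 1).split(",").length;
}

// base: only the base entry itself; one: direct children; sub: whole subtree.
export function matchesScope(scope: Scope, base: string, dn: string): boolean {
  const depth = depthBelow(base, dn);
  if (depth === null) return false;
  if (scope === "base") return depth === 0;
  if (scope === "one") return depth === 1;
  return true;
}
```

With AUTH_LDAP_BASE set to the users OU and the default scope "base", a user entry directly under that OU is never matched; "one" or "sub" is needed.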
Zan
Zan3mo ago
Connect to Homarr as a local user (admin), then add the certificate.