LDAP connection problem: LDAP Search: LDAP Result Code 201 "Filter Compile Error": ldap: finished compiling filter with extra at end: %!(EXTRA string=sxxxxx)

Hi SyncThing’ers, I have issues setting up my LDAP authentication.

The error that appears when I try to log in via the web UI:

Jan  7 10:04:17 syncthing syncthing[18437]: [LQSRP] WARNING: LDAP Search: LDAP Result Code 201 "Filter Compile Error": ldap: finished compiling filter with extra at end: %!(EXTRA string=sxxxxx)
Jan  7 10:04:17 syncthing syncthing[18437]: [LQSRP] INFO: Wrong credentials supplied during API authorization from xx.xx.xx.xx:60787

This is my setup:

Using these LDAP attributes on the LDAP host's command line, I can read the user:

ldapsearch -W -D "uid=sxxxxx,cn=users,dc=fxxxd,dc=de" -b "cn=users,dc=fxxxd,dc=de" "(&(|(objectclass=person))(|(memberof=cn=app_syncthing_users,cn=groups,dc=fxxxd,dc=de)))"

I read posts like this one (How to use Syncthing with OpenLDAP?) where the solution finally was to restart the app. But that did not work out for me. How can I track down the compile error's root cause?

And another question: When LDAP is enabled, how can I distinguish between an admin user and a standard user? Is this even possible?

One finding: If I pass a user that is valid I get the above error message:

Jan  7 10:54:43 syncthing syncthing[112]: [LQSRP] WARNING: LDAP Search: LDAP Result Code 201 "Filter Compile Error": ldap: finished compiling filter with extra at end: %!(EXTRA string=sxxxx)
Jan  7 10:54:43 syncthing syncthing[112]: [LQSRP] INFO: Wrong credentials supplied during API authorization from 10.10.10.2:61306

If I pass an invalid user there is no compile error:

Jan  7 10:53:42 syncthing syncthing[112]: [LQSRP] WARNING: LDAP Bind: LDAP Result Code 49 "Invalid Credentials":
Jan  7 10:53:42 syncthing syncthing[112]: [LQSRP] INFO: Wrong credentials supplied during API authorization from 10.10.10.2:61302

You need a %s placeholder for where the user name is inserted into the filter.

https://docs.syncthing.net/users/ldap.html#enforcing-group-membership
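An added example (not part of the thread and not Syncthing's own code) of why the missing `%s` surfaces as `%!(EXTRA string=...)`: Go's `fmt` appends that marker when a format string has fewer verbs than arguments, so the filter only breaks once the bind has succeeded and the search filter is built. It assumes the filter is used as a format string with the user name as its single argument; the function names, the `uid` attribute and the `dc=example,dc=org` base are constructed, and the RFC 4515 escaping goes beyond what the thread discusses.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue applies RFC 4515 escaping so a user name cannot change the filter's structure.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilter (hypothetical helper) substitutes the user name the way a format-string template does.
func buildFilter(template, user string) string {
	return fmt.Sprintf(template, escapeFilterValue(user))
}

// checkTemplate (hypothetical helper) catches a bad template before any LDAP search is sent.
func checkTemplate(template string) error {
	if n := strings.Count(template, "%s"); n != 1 {
		return fmt.Errorf("filter must contain exactly one %%s placeholder, found %d", n)
	}
	// A probe substitution exposes stray verbs such as an escaped "%%s".
	if probe := fmt.Sprintf(template, "probe"); strings.Contains(probe, "%!") {
		return fmt.Errorf("filter contains a stray format verb: %q", probe)
	}
	return nil
}

func main() {
	// Constructed templates: the first has no placeholder, like the filter in the post.
	bad := "(&(objectclass=person)(memberof=cn=app_syncthing_users,cn=groups,dc=example,dc=org))"
	good := "(&(uid=%s)(memberof=cn=app_syncthing_users,cn=groups,dc=example,dc=org))"
	for _, t := range []string{bad, good} {
		fmt.Println(checkTemplate(t), "->", buildFilter(t, "alice"))
	}
}
```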


Hi Jakob, just at this moment I came to the same conclusion after I dug into the code base. Argh. I did not read the manual carefully enough. But I also wouldn’t expect this limitation. Thank you for answering.