LDAP issue with search filter


I’m using the latest version 1.22.1 of SyncThing and I have an issue with the search filter in the LDAP configuration.

I’m using the following search filter: (&(uid=%s)(o=Example)(ou=devs)(objectClass=inetOrgPerson)) It’s quite standard and very similar to the documentation, only I don’t use memberOf as my setup is not meant to work that way.
However, when I set the search filter with (uid=%s) the GUI seems to bypass login entirely, there are no related logs, and I can just access the GUI and use it.

So I tried to remove the search filter, which seems to work since I get the little popup to login, but then SyncThing try to do a search with something like (EXTRA string=userName), which doesn’t work as it’s not supposed to with my openldap setup.

My complete config is as follow:


I’m using a similar filter (without (uid=%s)) with other services and I tried a query against my openldap with this exact filter, which was successful.

I think there could be a bug here, but I prefer to start a topic in case I missed something.

Thanks for your help. D

Looks reasonable to me, assuming the example stuff is correct for your environment. Maybe look at Syncthing logs to see if there’s anything relevant. Also assuming you set Syncthing to actually use LDAP, which is a separate option outside the ldap config.

Thanks for this super fast answer :slight_smile:

I watched the logs while I was trying different things and as soon as I add (uid=%s) to the search filter there is no more LDAP related logs in SyncThing, and the login popup doesn’t show up anymore. :confused:

Also, I restarted SyncThing instance between each try to make sure the changes where correctly applied.

Is there a way to raise the log level in the config.xml or with the GUI?

That might just mean it works, because your browser cached the credentials you filled in. Try it in incognito or another browser.

Ok… :upside_down_face:

Thank you for your help, we can close this topic. I have another issue to solve, my setup should not allow for the credential to remain in memory, so I didn’t think it could come from that.

Thanks again!