authelia / authelia Goto Github PK


The Single Sign-On Multi-Factor portal for web apps

Home Page: https://www.authelia.com

License: Apache License 2.0


authelia's Introduction


Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests.

Documentation is available at https://www.authelia.com/.

The following is a simple diagram of the architecture:

Authelia can be installed as a standalone service from the AUR, APT or FreeBSD Ports, from a static binary or .deb package, or as a container on Docker or Kubernetes.

Deployment can be orchestrated via the Helm Chart (beta) leveraging ingress controllers and ingress configurations.

Here is what Authelia's portal looks like:

Features summary

This is a list of the key features of Authelia:

For more details take a look at the Overview.

If you want to know more about the roadmap, follow Roadmap.

Proxy support

Authelia works in combination with nginx, Traefik, Caddy, Skipper, Envoy, or HAProxy.

Getting Started

See the Get Started Guide or one of the curated examples below.

docker-compose

The docker-compose bundles act as a starting point for anyone wanting to see Authelia in action. You will have to customize them to your needs as they come with self-signed certificates.

The Local compose bundle is intended to test Authelia without worrying about configuration. It's meant for scenarios where the server will not be exposed to the internet: domains are defined in the local hosts file and self-signed certificates are used.

The Lite compose bundle is intended for scenarios where the server will be exposed to the internet; domains and DNS need to be set up accordingly and certificates are generated through LetsEncrypt. The Lite element refers to minimal external dependencies: file-based user storage and SQLite-based configuration storage. In this configuration the service will not scale well.

Deployment

Now that you have tested Authelia and you want to try it out in your own infrastructure, you can learn how to deploy and use it with Deployment. This guide will show you how to deploy it on bare metal as well as on Kubernetes.

Security

Authelia takes security very seriously. If you discover a vulnerability in Authelia, please see our Security Policy.

For more information about security related matters, please read the documentation.

Contact Options

Several contact options exist for our community, the primary one being Matrix. These are in addition to GitHub issues for creating a new issue.

Matrix

Community members are invited to join the Matrix Space which includes both the Support Room and the Contributing Room.

  • The core team members are identified as administrators in the Space and individual Rooms.
  • All channels are linked to Discord.

Discord

Community members are invited to join the Discord Server.

Email

You can contact the core team by email via [email protected]. Please note the [email protected] is also available but is strictly reserved for security related matters.

Breaking changes

Since Authelia is still under active development, it is subject to breaking changes. It's recommended to pin a version tag instead of using the latest tag and reading the release notes before upgrading. This is where you will find information about breaking changes and what you should do to overcome said changes.

Why Open Source?

You might wonder why Authelia is open source while it adds a great deal of security and user experience to your infrastructure at zero cost. It is open source because we firmly believe that security should be available for all to benefit in the face of the battlefield which is the Internet, with near zero effort.

Additionally, keeping the code open source is a way to leave it auditable by anyone who is willing to contribute. This way, you can be confident that the product remains secure and does not act maliciously.

It's important to keep in mind that Authelia is not directly exposed on the Internet (your reverse proxies are); however, it's still the control plane for your internal security, so take care of it!

Contribute

If you want to contribute to Authelia, please read our contribution guidelines.

Authelia exists thanks to all the people who contribute so don't be shy, come chat with us on either Matrix or Discord and start contributing too.

Thanks goes to these wonderful people (emoji key):

  • Clément Michaud: 💻 📖 🤔 🚧 💬 👀 ⚠️ 🧑‍🏫 🚇 🎨 📓 🔧 🔬
  • Amir Zarrinkafsh: 💻 📖 🤔 🚧 💬 👀 ⚠️ 🧑‍🏫 🚇 🎨 📓 🔧 🔬
  • James Elliott: 💻 📖 🤔 🚧 💬 👀 ⚠️ 🧑‍🏫 🚇 🎨 📓 🔧 🔬
  • Antoine Favre: 🐛 🤔
  • BankaiNoJutsu: 💻 🎨
  • Philipp Rintz: 📖
  • Callan Bryant: 💻 📖
  • Ian: 💻
  • FrozenDragoon: 💻
  • vdot0x23: 💻
  • alexw1982: 📖
  • Sohalt: 💻 📖
  • Stoica Tedy: 💻
  • Dylan Smith: 💻
  • Lukas Klass: 📖
  • Philipp Staiger: 💻 📖 ⚠️
  • James Hodgkinson: 📖
  • Chris Smith: 📖
  • Mihály: 📖
  • Silver Bullet: 📖
  • Paul Williams: 💻 ⚠️
  • Timo: 📖
  • Andrew Kliskey: 📖
  • Kristof Mattei: 📖
  • ZMiguel Valdiviesso: 📖
  • akusei: 💻 📖
  • Daniel Miller: 📖
  • Dustin Sweigart: 💻 📖 ⚠️
  • Shawn Haggard: 💻 ⚠️
  • Kevyn Bruyere: 📖
  • Daniel Sutton: 💻
  • Valentin Höbel: 💻
  • thehedgefrog: 📖
  • Victor: 📖
  • Chris Whisker: 📖
  • nasatome: 📖
  • Begley Brothers (Development): 📖
  • Mike Kusold: 💻
  • Dimitris Zervas: 📖
  • TheCatLady: 🤔
  • Lauri Võsandi: 🤔
  • Kennard Vermeiren: 🤔
  • ThinkChaos: 💻 📖 ⚠️
  • Hasan: 🛡️
  • David Chidell: 📖
  • Marcel Marquardt: 🐛
  • Ian Gallagher: 📖
  • Wu Han: 📖
  • lavih: 📖
  • Jon B.: 🛡️
  • Alex Gustafsson: 💻 📖
  • Arsenović Arsen: 💻 ⚠️ 🛡️
  • dakriy: 💻
  • Dave: 📓
  • Nicolas Reymundo: 📖
  • polandy: 📖
  • yossbg: 💻 🎨
  • Michael Campbell: 📖
  • Justin Sievenpiper: 💻
  • Aram Akhavan: 📖
  • Shadow: 📖
  • Patrick Ruckstuhl: 📖
  • Andrew Moore: 💻 📖 ⚠️
  • Dennis Gaida: 📖
  • Alestrix: 📖
  • bgh-github: 📖
  • Manuel Nuñez: 💻 🌍 📖 🐛 🎨 ⚠️ 👀 🔬 🤔
  • protvis74: 🌍
  • Jamie (Bear) Murphy: 👀
  • Robin van Boven: 🛡️
  • alphabet5: 🤔
  • Robert Meredith: 🤔
  • Adrian Gąsior: 🛡️
  • James White: 💬
  • Zhao Xiang Lim: 📖
  • Auzborn123: 🌍
  • SvanGlan: 🌍
  • HannesJo0139: 📖
  • andreas-berg: 🐛
  • Clément Radenac: 📖
  • boomam: 📖
  • Northguy: 📖
  • Brennan Kinney: 📖
  • Michał Mieszczak: 🤔 💻
  • Paul Ohl: 📖
  • Stephen Kent: 🤔 💻 🎨
  • Ohelig: 📖
  • Dinh Bao Dang: 📖
  • levkoburburas: 💻 🤔 🐛
  • tiuub: 📖
  • Josh Gordon: 🤔 🛡️
  • silasfrancisco: 🛡️
  • Ricardo Pesqueira: 🛡️
  • Harold: 📖

This project follows the all-contributors specification. Contributions of any kind welcome!

Sponsors

Help Wanted: We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits related to improving the security of Authelia.

Any company can become a sponsor by donating or providing any benefit to the project or the team helping improve Authelia.

Balto

Thank you to Balto for hosting our apt repository.

JetBrains

Thank you to JetBrains for providing us with free licenses to their great tools.

Microsoft

Our pipeline agents which we rely on for productivity are hosted on Azure and our git repositories are hosted on GitHub which are both Microsoft products.

Open Collective

Backers

Thank you to all our backers! 🙏 Become a backer and help us sustain our community. The money we currently receive is dedicated to bootstrap a bug bounty program to give us as many eyes as we can to detect potential vulnerabilities.

Sponsorship

Companies contributing to Authelia via Open Collective will have a special mention below. Become a sponsor.

License

Authelia is licensed under the Apache 2.0 license. The terms of the license are detailed in LICENSE.

authelia's Issues

Feature request: Restrict access to URL by group

I'd love to see an option in the config where one could specify which LDAP group has access to what URLs, and a default policy 😃

For example (yaml):

access:
  default: []                 # default == everyone/anyone
  users:
    - blog.domain.tld
    - chat.domain.tld
  admin:
    - "*.domain.tld"          # everything
  superuser:
    - phpmyadmin.domain.tld
    - "*.mail.domain.tld"     # access to mail.domain.tld and all subdomains of mail

So if my user is in group admin, superuser and users group I get access to all these subdomains or if my user is in group users and superuser I only get access to these urls.

User is sometimes redirected to "already logged in" page after successful authentication

Authelia keeps track of the latest URL where the user comes from so that it can redirect after authentication. In certain scenarios, the redirection URL is a URL to Authelia. So, when the user authenticates he is redirected to the "already logged in" page.

Such a case is for example when the user inputs wrong credentials the first time and good credentials the second time.

TCP._handle.close [as _onclose] (net.js:511:12)

Seeing a lot of these recently, which makes POST/XHR requests fail.

Will debug further this weekend, just wondering if you've seen this before @clems4ever?

Error
    at IncomingMessage.onAborted (/usr/src/node_modules/raw-body/index.js:269:10)
    at emitNone (events.js:86:13)
    at IncomingMessage.emit (events.js:188:7)
    at abortIncoming (_http_server.js:381:9)
    at socketOnClose (_http_server.js:375:3)
    at emitOne (events.js:101:20)
    at Socket.emit (events.js:191:7)
    at TCP._handle.close [as _onclose] (net.js:511:12)

Enhance logs by uniformizing logs

Logs are not very good right now.
For instance, some parts of the code are not covered and the userid is missing in some other parts.

Error during installation (ENOENT: no such file or directory)

Hi, I got the following error:

root@es1:~# npm install -g authelia
npm ERR! Linux 4.4.0-92-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "install" "-g" "authelia"
npm ERR! node v6.11.2
npm ERR! npm  v3.10.10
npm ERR! path /usr/lib/node_modules/authelia/dist/src/server/index.js
npm ERR! code ENOENT
npm ERR! errno -2
npm ERR! syscall chmod

npm ERR! enoent ENOENT: no such file or directory, chmod '/usr/lib/node_modules/authelia/dist/src/server/index.js'
npm ERR! enoent ENOENT: no such file or directory, chmod '/usr/lib/node_modules/authelia/dist/src/server/index.js'
npm ERR! enoent This is most likely not a problem with npm itself
npm ERR! enoent and is related to npm not being able to find a file.
npm ERR! enoent

npm ERR! Please include the following file with any support request:
npm ERR!     /root/npm-debug.log

Flag to return 302 instead of 401 when verifying

Hey,

It would be great if there was a flag that we could pass to /verify so that it will return 302 instead of 401. Usually, app endpoints would return 302 if not logged in, while API endpoints would return 401. NGINX users usually just change 401 error codes to 302s but other apps (like Traefik) just pass on the error if it is not 2XX.

Cheers,
Ben

Upstream timed out while reading response header from upstream,

Running this instance on a docker using Synology Directory Server. I believe the LDAP server should be fine.

HTTP ERROR:
2017/06/16 05:56:51 [error] 17861#17861: *5 upstream timed out (110: Connection timed out) while reading response header from upstream, client: NOPE, server: auth.mydomain.com request: "POST /api/firstfactor HTTP/2.0", upstream: "http://192.168.0.5:8080/api/firstfactor", host: "auth.mydomain.com", referrer: "https://auth.mydomain.com/"

Output from console:

Enter first factor
authelia.js:16477 Form submitted
authelia.js:15607 POST https://auth.mydomain.com/api/firstfactor 504 ()
send @ authelia.js:15607
ajax @ authelia.js:15214
jQuery.(anonymous function) @ authelia.js:15363
(anonymous) @ authelia.js:8
Promise._execute @ authelia.js:1388
Promise._resolveFromExecutor @ authelia.js:3666
Promise @ authelia.js:3262
validate @ authelia.js:7
onFormSubmitted @ authelia.js:40
dispatch @ authelia.js:11247
elemData.handle @ authelia.js:11055

authelia.js:16477 First factor failed.

Nginx-config.

Some worthy info:
Authelia running in Docker on Synology on 192.168.0.5, which has an FQDN that is NOT valid: coldice.lan
Web server running on DigitalOcean with a valid FQDN domain and Nginx, but it has an IPSec tunnel to my LAN.

Header X-Remote-User is not set

The example nginx configuration suggests that there is a X-Forwarded-User and Remote-Groups header sent to the server behind the proxy. However, this is not the case. There is no X-Remote-User and no X-Remote-Groups response header set in the answer coming from the /verify endpoint.
Also looking at the code, I couldn't find anything that would add them. It would be cool if they were set, such that a backend application is able to determine the username.

location = /secret.html {
    auth_request /auth_verify;

    auth_request_set $user $upstream_http_x_remote_user;
    proxy_set_header X-Forwarded-User $user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-Groups $groups;
    auth_request_set $expiry $upstream_http_remote_expiry;
    proxy_set_header Remote-Expiry $expiry;
}

Btw: http://scooterlabs.com/echo could be helpful as a backend to see all headers.

@clems4ever Thank you for your great work. This app is amazing.
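Added example, not Authelia's code: a minimal Go model of the /verify endpoint discussed in this issue and in the earlier "302 instead of 401" request. It sets Remote-User and Remote-Groups on success, answers 401 by default, and answers 302 only when the proxy passes an assumed rd query parameter whose target is an https URL under the protected domain, so the endpoint cannot be turned into an open redirect. The session store, cookie name, portal URL and parameter name are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Session is what a valid session cookie resolves to. The in-memory map in
// Verifier is a constructed stand-in for a real session store.
type Session struct {
	Username string
	Groups   []string
}

// Verifier answers the proxy's auth sub-request (nginx auth_request, Traefik forward auth).
type Verifier struct {
	Sessions        map[string]Session // cookie value -> session
	CookieName      string
	LoginURL        string // portal login page (assumed URL)
	ProtectedDomain string // only hosts under this domain are valid redirect targets
}

// safeRedirect builds the login redirect for rd, refusing anything that is not an
// https URL under ProtectedDomain so the endpoint cannot serve as an open redirect.
func (v Verifier) safeRedirect(rd string) (string, bool) {
	u, err := url.Parse(rd)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", false
	}
	h := strings.ToLower(u.Hostname())
	if h != v.ProtectedDomain && !strings.HasSuffix(h, "."+v.ProtectedDomain) {
		return "", false
	}
	return v.LoginURL + "?redirect=" + url.QueryEscape(u.String()), true
}

// ServeHTTP is the /verify handler: 200 plus identity headers (which the proxy
// copies with auth_request_set) for a valid session; otherwise 302 to the portal
// when the proxy passed a validated "rd" target (assumed parameter name), else 401.
func (v Verifier) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(v.CookieName); err == nil {
		if s, ok := v.Sessions[c.Value]; ok {
			w.Header().Set("Remote-User", s.Username)
			w.Header().Set("Remote-Groups", strings.Join(s.Groups, ","))
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	if rd := r.URL.Query().Get("rd"); rd != "" {
		if target, ok := v.safeRedirect(rd); ok {
			http.Redirect(w, r, target, http.StatusFound)
			return
		}
	}
	w.WriteHeader(http.StatusUnauthorized)
}

// Probe drives the handler in-process and reports status, Remote-User and Location.
func Probe(v Verifier, cookieValue, rd string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/verify", nil)
	if rd != "" {
		q := req.URL.Query()
		q.Set("rd", rd)
		req.URL.RawQuery = q.Encode()
	}
	if cookieValue != "" {
		req.AddCookie(&http.Cookie{Name: v.CookieName, Value: cookieValue})
	}
	rec := httptest.NewRecorder()
	v.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Remote-User"), res.Header.Get("Location")
}

// DemoVerifier holds one constructed session ("alice") for the calls below.
func DemoVerifier() Verifier {
	return Verifier{
		Sessions:        map[string]Session{"sess-abc123": {Username: "alice", Groups: []string{"users", "admin"}}},
		CookieName:      "authelia_session",
		LoginURL:        "https://auth.domain.tld/login",
		ProtectedDomain: "domain.tld",
	}
}

func main() {
	v := DemoVerifier()
	for _, c := range [][2]string{{"sess-abc123", ""}, {"", ""}, {"", "https://blog.domain.tld/"}, {"", "https://evil.example/"}} {
		st, user, loc := Probe(v, c[0], c[1])
		fmt.Printf("cookie=%q rd=%q -> %d user=%q location=%q\n", c[0], c[1], st, user, loc)
	}
}
```

The backend must still only trust Remote-User and Remote-Groups when they arrive from the proxy, since any client that can reach the backend directly could forge them.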

In-memory NEDB flag not set properly

Hey,

While trying to track down the reason why no DB was being written to disk while using local (still not solved), I think I found an issue with the inMemoryOnly flag.

It's called inMemory here:
https://github.com/clems4ever/authelia/blob/9ac2c808ec259721bf2492ced7b1eb40341c2020/src/server/lib/ServerVariablesHandler.ts#L54

It's called inMemoryOnly here:
https://github.com/clems4ever/authelia/blob/9ac2c808ec259721bf2492ced7b1eb40341c2020/src/server/lib/storage/nedb/NedbCollectionFactory.ts#L8

Cheers,
Ben

P.S. Is your local store tested at all? It doesn't seem to be writing anything at all to disk for me :(

Tag docker builds

Hey!

Love the work you're doing here! Is it possible to tag the docker builds with version tags? It would be nice to not be restricted to just latest which can vary on different machines depending on when you last ran a docker pull.

Cheers,
Ben

Base path should be optional

Currently Authelia seems hardcoded to use /authentication for all calls.

Perhaps this could be made optional? 😄

Messages about missing infrastructure

Hello. Just installed authelia with docker-compose and got an error like TypeError: Cannot read property ‘auth’ of undefined \\ at Object.get (/usr/src/lib/AuthenticationSession.js:19:21). Spent some time understanding what's wrong until I realised that the redis instance was in a different network. Since authelia depends only on mongo, redis and openldap, maybe it's possible to add checks and human readable messages in case of similar exceptions to make it easier to set up? Like "mongo/redis/openldap server at <server_address> is unavailable, check your environment"

Add an "is in group" verification endpoint

Hey,

It would be great if it was possible to verify whether a user was in a group (similar to your /verify endpoint but for groups instead of users).

Use-case

When using software such as rancher/traefik/docker-gen, you try and keep all configuration for that service together.

For instance, you add a label to your docker container for traefik like:

traefik.frontend.rule=Host:test.traefik.io

and that will expose your application on the host test.traefik.io.

Custom labels can be used by docker-gen (and soon traefik will do something similar) to generate blocks to insert into their nginx configuration. One example of this would be adding a label such as virtual.auth.group: admin, which would generate a block to add to nginx such as:

    location /auth_verify {
        internal;
        proxy_set_header  X-Original-URI $request_uri;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  Host $http_host;

        proxy_pass        http://authelia/verify?group=admin;
    }

and this would make it so only people in the admin group can access the secured endpoints.

Cheers,
Ben

index.js missing

Hi, I've tried to deploy following the 'Getting started' and it fails. Authelia container is sat in a state of permanent restart with logs showing:

autheliamaster_auth "node index.js /etc/a" 34 minutes ago Restarting (1) 6 minutes ago

Error: Cannot find module '/usr/src/index.js'
at Function.Module._resolveFilename (module.js:470:15)
at Function.Module._load (module.js:418:25)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:427:7)
at startup (bootstrap_node.js:151:9)
at bootstrap_node.js:542:3
module.js:472
throw err;
^

when installing with NPM it returns:

npm install -g authelia
npm WARN deprecated [email protected]: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm ERR! Linux 4.4.0-79-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "install" "-g" "authelia"
npm ERR! node v4.2.6
npm ERR! npm v3.5.2
npm ERR! path /usr/local/lib/node_modules/authelia/src/index.js
npm ERR! code ENOENT
npm ERR! errno -2
npm ERR! syscall chmod

npm ERR! enoent ENOENT: no such file or directory, chmod '/usr/local/lib/node_modules/authelia/src/index.js'
npm ERR! enoent ENOENT: no such file or directory, chmod '/usr/local/lib/node_modules/authelia/src/index.js'
npm ERR! enoent This is most likely not a problem with npm itself
npm ERR! enoent and is related to npm not being able to find a file.
npm ERR! enoent

Also it wants the src folder to exist within dist/

ERROR: Service 'auth' failed to build: lstat dist/src: no such file or directory

I don't think I've done anything incorrectly? But if so I would appreciate pointing in the correct direction.

Cheers,

Generating new token results in an invalid url

When registering for a new totp token the url that's sent looks like

https://auth.domain.tldundefined?identity_token=<....token....>&redirect=https://sub.domain.tld/

Should be

https://auth.domain.tld/totp-register?identity_token=<....token....>&redirect=https://sub.domain.tld/

Add an exporter to monitor Authelia in Prometheus

An exporter tracking the regulation system would allow an admin to check if there are lot of brute forces for example.
It would also help with scalability allowing one to estimate the number of Authelia instances required for a given amount of users.
Or also tracking Authelia's performance in realtime for monitoring and alerting purposes.

Authelia does not retrieve group information from an ApacheDS server

Hi,

I have been testing authelia and have it working fine, with the exception that I cannot read group information from an ApacheDS LDAP server. If I set access control in the config template to set a default domain or to allocate a domain to a user specifically, all works fine. But not if I want to determine access via a group member.

Other LDAP attributes are returned just fine : dn mail etc

There are no error messages - by increasing the log level to debug and adding a few extra log entries I can see the group dn & query are all constructed correctly - just no data is ever returned.

Do you have any pointers ?

Thanks

Support for "Authorization: Bearer xxxxxx" header

Hey,

I have programs that want access to authed endpoints. It would be good if you could generate tokens which can be set as a header (or maybe a cookie but I think that is less standard).

The header is usually called "Authorization" and the value is usually "Bearer <token>".

Tokens for authentication usually consist of:

  • Name. You usually want to know what the token is for.
  • Access restrictions. For Authelia that would probably be:
    • No user access or group access (used for authorisation only. Might not be useful currently?)
    • User access but no group access (used for generic user access which doesn't belong to a group. Maybe this one isn't useful?)
    • No user access but selected group access (used for restricting to a single application)
    • User access and all groups (this is really just the above bullet but you don't need to type in the group names. This is basically an "admin" token for the user)
  • Expiry. Sometimes you want temporary tokens, sometimes permanent tokens. You'd probably want to make it selectable between:
    • Custom end date
    • Forever
  • Revocation. You need to be able to revoke compromised tokens.

Note: This would require a front-end "management" interface for Authelia.
Note: Expired/revoked tokens are usually left in the UI with the "status" of expired/revoked so it is easy to see why a token has stopped working (and for audit purposes).

Cheers,
Ben

Configurable LDAP filter

The current LDAP configuration allows setting a base_dn and an additional DN each for groups and users. It would be very helpful if one could configure an LDAP filter string like user_filter and group_filter.

Background:
On my LDAP server the group membership property is uniqueMember instead of member, which doesn't work with the current implementation. This could be handled with a custom filter with some kind of replacement strings for user DNs.
Code location

Make Authelia and Traefik play nice

Forward auth has been implemented in Traefik, which is supposed to be similar to ngx_http_auth_request_module, which Authelia depends on in NGINX.
traefik/traefik#1972
traefik/traefik#2110

Sample traefik.toml config:

defaultEntryPoints = ["https"]
[entryPoints]
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.auth.forward]
  address = "https://auth.domain.tld/verify"

However Traefik stalls indefinitely when this option is enabled in Traefik and forward auth is sent to Authelia. I don't know if this is related to traefik/traefik#2127, or if it's a different issue. It seems like whatever Authelia responds isn't parsed properly by Traefik.

I'm going to use this issue to track the problem. Do you have any ideas @clems4ever?

Solving this would remove the NGINX dependency entirely in an Traefik environment when using Authelia

Handle SSO across subdomains

Today, the user of the server is authenticating per subdomain. Indeed the session cookie has a limited scope (the subdomain). To allow real SSO across subdomains, the session cookie must have a wider scope (the domain scope).
After the change, redirections have been reworked and the readme updated to ask the user to add lines to /etc/hosts to test authelia across multiple domains.

userDN hardcoded to CN

Lovely piece of software you got here, trying it out right now.

One thing I noticed is you hardcoded the userDN to CN in some places like here, while this might work fine with openldap it does not with FreeIPA.

Changing cn to uid on lines 14, 24 and 52 fixed it for me (only tested with FreeIPA).

Nothing on /

Currently there's nothing on /. How about adding a default route that sends the user to /login if not authenticated?

I've temporarily solved this with nginx and:

    location / {
        proxy_set_header  X-Original-URI $request_uri;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_pass http://auth/;
        rewrite ^/$ /login redirect; break;
    }

However if a default route existed I could drop my backend NGINX proxy altogether in favor of my frontend proxy Træfik

Currently I have Træfik-->NGINX-->Authelia, but with this fix I could Træfik-->Authelia. Big wins 😸

Allow specifying default behaviour for subdomains not listed in config

Hey,

It would be great if there was a flag to either deny or allow non-listed subdomains in config. I want everything to call out to Authelia by default and only ask for people to login to those in the config. I think the valid options for this flag would be:

  • No auth needed
  • Logged in
  • Always deny

Cheers,
Ben

P.S. Sorry for all the feature requests, I'm just trying to dump all of the information out of my brain before I forget!
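Added example, not Authelia's code: a small Go model combining the group-to-host rules from the earlier "Restrict access to URL by group" request with the default policy for unlisted subdomains asked for in this issue. The wildcard semantics follow the comments in that issue's YAML; the DefaultPolicy and Decision names and the special group "anyone" (standing in for "default == everyone/anyone") are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// DefaultPolicy applies to hosts no rule mentions: the three options from the
// "default behaviour for subdomains not listed" request.
type DefaultPolicy int

const (
	Bypass    DefaultPolicy = iota // "No auth needed"
	OneFactor                      // "Logged in": any authenticated user
	Deny                           // "Always deny"
)

// Rule grants Group access to hosts matching Pattern: an exact host, or "*.base",
// which (as the group issue describes) covers base and all of its subdomains.
// The assumed group name "anyone" models that issue's "default == everyone/anyone".
type Rule struct {
	Group   string
	Pattern string
}

type ACL struct {
	Default DefaultPolicy
	Rules   []Rule
}

type Decision int

const (
	Allowed    Decision = iota
	NeedsLogin          // the proxy should send the browser to the portal
	Denied
)

// HostMatches implements the wildcard semantics: "*.mail.domain.tld" matches
// mail.domain.tld and every host below it, but not "notmail.domain.tld"
// because the suffix check includes the leading dot.
func HostMatches(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	base := pattern[2:]
	return host == base || strings.HasSuffix(host, "."+base)
}

// Decide evaluates one request. Only rules matching host are consulted; a host
// that is listed never falls through to the default, so listing it restricts
// it to the named groups.
func (a ACL) Decide(host string, authenticated bool, groups []string) Decision {
	member := make(map[string]bool, len(groups))
	for _, g := range groups {
		member[strings.ToLower(g)] = true
	}
	listed := false
	for _, r := range a.Rules {
		if !HostMatches(r.Pattern, host) {
			continue
		}
		listed = true
		if r.Group == "anyone" || (authenticated && member[strings.ToLower(r.Group)]) {
			return Allowed
		}
	}
	switch {
	case listed && !authenticated:
		return NeedsLogin
	case listed:
		return Denied // logged in, but in none of the granted groups
	case a.Default == Bypass, a.Default == OneFactor && authenticated:
		return Allowed
	case a.Default == OneFactor:
		return NeedsLogin
	default:
		return Denied
	}
}

// IssueACL is the YAML from the group request, with unlisted hosts denied.
func IssueACL() ACL {
	return ACL{Default: Deny, Rules: []Rule{
		{"users", "blog.domain.tld"}, {"users", "chat.domain.tld"},
		{"admin", "*.domain.tld"},
		{"superuser", "phpmyadmin.domain.tld"}, {"superuser", "*.mail.domain.tld"},
	}}
}

func main() {
	acl := IssueACL()
	fmt.Println(acl.Decide("blog.domain.tld", true, []string{"users"}))       // 0 = Allowed
	fmt.Println(acl.Decide("phpmyadmin.domain.tld", true, []string{"users"})) // 2 = Denied
}
```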

Use email as second factor

So I was thinking it would be handy if it were possible to use email as an alternate or perhaps backup second factor authentication pathway? Similar to the use of SMS.

Email is probably not as secure as U2F or maybe even a OTP generator but it removes the need for a separate app or device to take advantage of 2FA. Could be optionally enabled.

No redirect, verification ok

Somehow, this doesn't work:

Parse configuration file: /etc/auth-server/config.yml
{ port: '80',
  ldap_url: 'ldap://ipa.xxxxx.local',
  ldap_users_dn: 'cn=users,cn=accounts,dc=xxxxx,dc=local',
  ldap_user: 'uid=xxxxx,cn=sysaccounts,cn=etc,dc=xxxxx,dc=local',
  ldap_password: 'xxxxx',
  session_secret: 'xxxxx',
  session_max_age: xxxxx,
  store_directory: '/var/lib/auth-server/store',
  logs_level: 'debug',
  notifier: { filesystem: { filename: '/var/lib/auth-server/notifications/notification.txt' } } }
Listening on 80...
info: 1st factor: Starting authentication of user "joel"
debug: 1st factor: Start bind operation against LDAP
debug: 1st factor: username=joel
debug: 1st factor: base_dn=cn=users,cn=accounts,dc=xxxxx,dc=local
info: 1st factor: LDAP binding successful
debug: 1st factor: Retrieve email from LDAP
debug: 1st factor: document={"dn":"uid=joel,cn=users,cn=accounts,dc=xxxxx,dc=local","controls":[],"mail":"[email protected]"}
debug: 1st factor: Retrieved email is [email protected]
info: POST 2ndfactor totp: Initiate TOTP validation for user joel
debug: POST 2ndfactor totp: Fetching secret for user joel
debug: POST 2ndfactor totp: TOTP secret is {"userid":"xxxxx","secret":{"ascii":"s!yoi0)}kooTrJ>!4qsmmFs4kF,/LK,I","hex":"xxxxx","base32":"xxxxx","otpauth_url":"otpauth://totp/SecretKey?secret=xxxxx"},"_id":"xxxxx"}
debug: POST 2ndfactor totp: TOTP validation succeeded

Virtual host sbox:

server {
	listen 192.168.1.11:443 ssl http2;

	server_name sbox.xxxx.local;

	access_log /var/log/nginx/xxxx.local/sbox.xxxx.local-access.log;
	error_log /var/log/nginx/xxxx.local/sbox.xxxx.local-error.log;

	auth_request /authentication/verify;

	auth_request_set $user $upstream_http_x_remote_user;
	proxy_set_header X-Forwarded-User $user;
	auth_request_set $groups $upstream_http_remote_groups;
	proxy_set_header Remote-Groups $groups;
	auth_request_set $expiry $upstream_http_remote_expiry;
	proxy_set_header Remote-Expiry $expiry;

	error_page 401 = @error401;
	location @error401 {
		return 302 https://auth.xxxx.local/authentication/login?redirect=$scheme://$http_host$request_uri;
	}

	location /authentication/ {
		proxy_set_header  X-Original-URI $scheme://$http_host$request_uri;
		proxy_set_header  Host $http_host;
		proxy_set_header  X-Real-IP $remote_addr;

		proxy_pass http://192.168.1.16/authentication/;
	}

	location /authentication/js/ {
		proxy_pass http://192.168.1.16/js/;
	}

	location /authentication/img/ {
		proxy_pass http://192.168.1.16/img/;
	}

	location /authentication/css/ {
		proxy_pass http://192.168.1.16/css/;
	}

	location / {
		include /etc/nginx/proxy_params;
		proxy_http_version 1.1;
		proxy_pass http://10.0.10.5:8112/;
	}
}

Virtual host auth:

server {
	listen 192.168.1.11:443 ssl http2;

	server_name auth.xxxx.local;

	access_log /var/log/nginx/xxxx.local/auth.xxxx.local-access.log;
	error_log /var/log/nginx/xxxx.local/auth.xxxx.local-error.log;

	location / {
		rewrite ^/$ authentication/login redirect; break;
	}

	location /authentication/ {
		proxy_set_header  X-Original-URI $request_uri;
		proxy_set_header  Host $http_host;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_pass http://192.168.1.16/authentication/;
	}

	location /authentication/js/ {
		proxy_pass http://192.168.1.16/js/;
	}

	location /authentication/img/ {
		proxy_pass http://192.168.1.16/img/;
	}

	location /authentication/css/ {
		proxy_pass http://192.168.1.16/css/;
	}
}

I'm out of ideas as to why this doesn't work. I get redirected properly to the auth page, where I auth and get to enter my 2FA. But then I get redirected back to the login page (and not the proper url). I can see the cookie being generated and stored within Chrome so that seems OK
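The @error401 handler in the sbox virtual host above hands the portal an attacker-controllable value: ?redirect=$scheme://$http_host$request_uri is whatever the browser sent, and a login portal that blindly 302s to it after the second factor becomes an open redirect that can be chained with phishing. The function below is an added example of the check a practitioner would put in front of that 302; it is not Authelia's code. It assumes the masked domain xxxx.local from the issue as the only domain whose hosts may be redirected to, and that the portal is served on https only.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// protectedDomain is an assumed value: the issue masks its domain as
// xxxx.local, so that placeholder is used here as the only domain whose
// hosts a post-login redirect may target.
const protectedDomain = "xxxx.local"

// SafeRedirect validates a ?redirect= value built by the @error401 handler
// from $scheme://$http_host$request_uri. It returns the URL to send the
// browser to after the second factor succeeds, or ("", false) when the
// target must be replaced by a fixed landing page. Rejected inputs:
//   - relative or scheme-relative values ("/x", "//evil.example/")
//   - any scheme other than https (the portal itself is only served on 443)
//   - a userinfo component ("https://sbox.xxxx.local@evil.example/")
//   - hosts outside protectedDomain and its subdomains, including
//     look-alikes such as xxxx.local.evil.example
func SafeRedirect(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || !u.IsAbs() || u.User != nil {
		return "", false
	}
	if u.Scheme != "https" {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	if host != protectedDomain && !strings.HasSuffix(host, "."+protectedDomain) {
		return "", false
	}
	u.Fragment = "" // never sent to the server and not needed in a Location header
	return u.String(), true
}

func main() {
	// Constructed inputs: one legitimate target from the sbox host and
	// three redirect-abuse shapes.
	for _, in := range []string{
		"https://sbox.xxxx.local/torrents?sort=name",
		"//evil.example/",
		"https://auth.xxxx.local@evil.example/",
		"https://xxxx.local.evil.example/",
	} {
		target, ok := SafeRedirect(in)
		fmt.Printf("%-45s ok=%-5t target=%q\n", in, ok, target)
	}
}
```

When validation fails, send the user to a fixed landing page instead of echoing the parameter back, and run the check at the moment the portal issues the final 302 after the second factor, not only when the login page is first rendered, since the parameter travels through the whole flow.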

Responsive UI

In its current state, Authelia is not responsive.

Perhaps we could get a more responsive UI which adapts to small and big screens? 😄

Request: Support ACL with subfolder

Would like support for "subfolder" ACL.
Nginx conf example:

# Proxy pass for internal blog with Authelia authentication
 location /blog {
        auth_request /auth_verify;

        auth_request_set $user $upstream_http_x_remote_user;
        proxy_set_header X-Forwarded-User $user;
        auth_request_set $groups $upstream_http_remote_groups;
        proxy_set_header Remote-Groups $groups;
        auth_request_set $expiry $upstream_http_remote_expiry;
        proxy_set_header Remote-Expiry $expiry;

        proxy_pass http://192.168.10.13:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

ACL config in Authelia:

access_control:
  groups:
    admins:
      - 'web.mydomain.com/blog'
      - 'web.mydomain.com/admin-site'
    blog-view:
      - 'web.mydomain.com/blog'
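A subfolder ACL is easy to get wrong in two ways: a naive prefix test lets "/blog" cover "/blogadmin", and comparing the raw request path lets "/blog/../admin-site" (or its percent-encoded form) reach a path the group was never granted. The matcher below is an added example, not Authelia's ACL engine; it assumes the "domain/path" pattern shape and the group names from the YAML above, and that nginx forwards the full original URL in X-Original-URI as the configs on this page do.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is one entry of the requested "domain/path" form, e.g.
// 'web.mydomain.com/blog'. An empty Path means the whole host.
type Rule struct {
	Domain string
	Path   string
}

// ParseRule converts a pattern from the YAML into a Rule. The path is run
// through path.Clean so that a pattern and a request are compared in the
// same canonical form (no trailing slash, no "." or ".." segments).
func ParseRule(pattern string) Rule {
	parts := strings.SplitN(pattern, "/", 2)
	r := Rule{Domain: strings.ToLower(parts[0])}
	if len(parts) == 2 && parts[1] != "" {
		r.Path = path.Clean("/" + parts[1])
	}
	return r
}

// Matches is segment-aware: "/blog" covers "/blog" and "/blog/post-1" but
// not "/blogadmin", which a plain strings.HasPrefix check would also allow.
func (r Rule) Matches(host, reqPath string) bool {
	if strings.ToLower(host) != r.Domain {
		return false
	}
	if r.Path == "" {
		return true
	}
	p := path.Clean("/" + reqPath)
	return p == r.Path || strings.HasPrefix(p, r.Path+"/")
}

// ACL maps a group name to its rules, mirroring access_control.groups.
type ACL map[string][]Rule

// FromConfig builds the ACL from group -> pattern lists.
func FromConfig(cfg map[string][]string) ACL {
	acl := ACL{}
	for group, patterns := range cfg {
		for _, p := range patterns {
			acl[group] = append(acl[group], ParseRule(p))
		}
	}
	return acl
}

// Allowed is default-deny: a request passes only if some group of the user
// has a rule that covers it.
func (a ACL) Allowed(groups []string, host, reqPath string) bool {
	for _, g := range groups {
		for _, r := range a[g] {
			if r.Matches(host, reqPath) {
				return true
			}
		}
	}
	return false
}

// AllowedURI takes the absolute URL nginx forwards in X-Original-URI
// ($scheme://$http_host$request_uri). url.Parse decodes percent-encoding
// but does not remove ".." segments, so Matches still has to clean the path.
func (a ACL) AllowedURI(groups []string, originalURI string) bool {
	u, err := url.Parse(originalURI)
	if err != nil || u.Host == "" {
		return false
	}
	return a.Allowed(groups, u.Hostname(), u.Path)
}

func main() {
	// Config and request URLs are constructed from the issue's example.
	acl := FromConfig(map[string][]string{
		"admins":    {"web.mydomain.com/blog", "web.mydomain.com/admin-site"},
		"blog-view": {"web.mydomain.com/blog"},
	})
	for _, uri := range []string{
		"https://web.mydomain.com/blog/post-1?draft=1",
		"https://web.mydomain.com/blogadmin",
		"https://web.mydomain.com/blog/../admin-site",
		"https://web.mydomain.com/blog/%2e%2e/admin-site",
	} {
		fmt.Printf("blog-view -> %-50s allowed=%t\n", uri, acl.AllowedURI([]string{"blog-view"}, uri))
	}
}
```

Note that nginx's $uri is already normalised but $request_uri is not, so whichever variable is forwarded, the decision must be made on one canonical form of the path, and the upstream application must see the same form the ACL saw.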

Use a scalable database instead of NeDB

Using a scalable database instead of NeDB would make the framework scalable and resilient. This is the last missing block before the service is fully scalable and kind of "enterprise ready".

Authelia loses track of authenticated users

Whenever I restart the authelia container it forgets authenticated users, which results in the need to authenticate again.

I'm mounting the container as such:

  auth:
    image: clems4ever/authelia
    restart: always
    depends_on:
      - freeipa
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /path/to/storage/authelia/config.yml:/etc/auth-server/config.yml:ro
      - /path/to/storage/authelia/notifications:/var/lib/auth-server/notifications
      - /path/to/storage/authelia/store:/var/lib/auth-server/store
    networks:
      - backend

Browsing the store folder looking into the files tells me things get stored correctly. So I'm assuming this might be an oversight in the code? Or is this by design?

First factor fails

I am totally new to LDAP, but I think my test setup is fine. However, authentication fails at 1st factor. What's strange is that authelia counts it as successful, but then instantly fails. I checked sources and can't find how this is possible: it calls regulator.mark(username, true); and redirects to second factor page, which throws 401. Maybe there's a race condition between writing to database and redirection?

Full debug log for authentication attempt:

debug: 1st factor: Start bind operation against LDAP
debug: 1st factor: username=rast
info: 1st factor: Starting authentication of user "rast"
info: 1st factor: No regulation applied.
debug: LDAP: Bind user 'cn=admin,dc=rast,dc=rocks'
debug: LDAP: searching for user dn of rast
debug: LDAP: Search for '{"scope":"sub","sizeLimit":1,"attributes":["dn"],"filter":"cn=rast"}' in 'ou=users,dc=rast,dc=rocks'
debug: Entry retrieved from LDAP is '{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[]}'
debug: LDAP: Search ended and results are '[{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[]}]'.
debug: LDAP: retrieved user dn is cn=rast,ou=users,dc=rast,dc=rocks
debug: LDAP: Bind user 'cn=rast,ou=users,dc=rast,dc=rocks'
debug: LDAP: Unbind user 'cn=rast,ou=users,dc=rast,dc=rocks'
debug: LDAP: Bind user 'cn=admin,dc=rast,dc=rocks'
debug: LDAP: searching for user dn of rast
debug: LDAP: Search for '{"scope":"sub","sizeLimit":1,"attributes":["dn"],"filter":"cn=rast"}' in 'ou=users,dc=rast,dc=rocks'
debug: Entry retrieved from LDAP is '{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[]}'
debug: LDAP: Search ended and results are '[{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[]}]'.
debug: LDAP: retrieved user dn is cn=rast,ou=users,dc=rast,dc=rocks
debug: LDAP: Search for '{"scope":"base","sizeLimit":1,"attributes":["mail"]}' in 'cn=rast,ou=users,dc=rast,dc=rocks'
debug: Entry retrieved from LDAP is '{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[],"mail":"[email protected]"}'
debug: LDAP: Search ended and results are '[{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[],"mail":"[email protected]"}]'.
debug: LDAP: emails of user 'rast' are [email protected]
debug: LDAP: searching for user dn of rast
debug: LDAP: Search for '{"scope":"sub","sizeLimit":1,"attributes":["dn"],"filter":"cn=rast"}' in 'ou=users,dc=rast,dc=rocks'
debug: Entry retrieved from LDAP is '{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[]}'
debug: LDAP: Search ended and results are '[{"dn":"cn=rast,ou=users,dc=rast,dc=rocks","controls":[]}]'.
debug: LDAP: retrieved user dn is cn=rast,ou=users,dc=rast,dc=rocks
debug: LDAP: Search for '{"scope":"sub","attributes":["cn"],"filter":"(&(member=cn=rast,ou=users,dc=rast,dc=rocks)(objectclass=groupOfNames))"}' in 'ou=groups,dc=rast,dc=rocks'
debug: Entry retrieved from LDAP is '{"dn":"cn=test_group,ou=groups,dc=rast,dc=rocks","controls":[],"cn":"test_group"}'
debug: LDAP: Search ended and results are '[{"dn":"cn=test_group,ou=groups,dc=rast,dc=rocks","controls":[],"cn":"test_group"}]'.
debug: LDAP: groups of user rast are test_group
debug: LDAP: Unbind user 'cn=admin,dc=rast,dc=rocks'
info: 1st factor: LDAP binding successful. Retrieved information about user are {"emails":["[email protected]"],"groups":["test_group"]}
debug: 1st factor: Mark successful authentication to regulator.
debug: 1st factor: Redirect to  /secondfactor
debug: AuthSession is {"first_factor":false,"second_factor":false,"groups":[]}
error: Reply with error 401: FirstFactorValidationError: First factor has not been validated yet.

Content of mongo:

> db.authentication_traces.find()
{ "_id" : ObjectId("59b2e79b52768600013940a0"), "userId" : "rast", "date" : ISODate("2017-09-08T18:55:23.620Z"), "isAuthenticationSuccessful" : true }
