
[Bug]: internal server error when using ldap to login #7959

Open
1 of 2 tasks
jacekjaros opened this issue May 15, 2024 · 4 comments
Assignees
Labels
auth bug Something isn't working

Comments

@jacekjaros

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Environment

Self-hosted

Version

v2.51.4

Database

PostgreSQL

Database Version

16.3

Describe the problem caused by this bug

I added an LDAP IDP. When I go to the login page and hit "Login with an external user" -> ldap, I get an empty response in the browser and see the following error in the docker logs:

2024/05/15 17:36:56 http: panic serving <MY IP REMOVED>:65234: runtime error: invalid memory address or nil pointer dereference
goroutine 445334 [running]:
net/http.(*conn).serve.func1()
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:1898 +0xbe
panic({0x295a2c0?, 0x7411540?})
	/opt/hostedtoolcache/go/1.22.2/x64/src/runtime/panic.go:770 +0x132
github.com/zitadel/zitadel/internal/api/ui/login.(*Login).ldapProvider(0xc0022d8d10, {0x5581440, 0xc004564c90}, 0xc004177c00)
	/home/runner/work/zitadel/zitadel/internal/api/ui/login/external_provider_handler.go:890 +0x44
github.com/zitadel/zitadel/internal/api/ui/login.(*Login).handleIDP(0xc0022d8d10, {0x557cbc0, 0xc00516adc0}, 0xc0040f7680, 0xc0035e4308, {0xc003ec09ed?, 0x0?})
	/home/runner/work/zitadel/zitadel/internal/api/ui/login/external_provider_handler.go:176 +0x299
github.com/zitadel/zitadel/internal/api/ui/login.(*Login).handleExternalLogin(0xc0022d8d10, {0x557cbc0, 0xc00516adc0}, 0xc0040f7680)
	/home/runner/work/zitadel/zitadel/internal/api/ui/login/external_provider_handler.go:124 +0x85
net/http.HandlerFunc.ServeHTTP(0xc002267e90?, {0x557cbc0?, 0xc00516adc0?}, 0xc0040f77a0?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/zitadel/internal/api/http/middleware.(*AccessInterceptor).Handle.(*AccessInterceptor).Handle.(*AccessInterceptor).handle.func1.func2({0x557a8d0, 0xc003e390c8}, 0xc0040f7680)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/access_interceptor.go:147 +0x1d2
net/http.HandlerFunc.ServeHTTP(0x5581440?, {0x557a8d0?, 0xc003e390c8?}, 0x55349c0?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/oidc/v3/pkg/op.(*IssuerInterceptor).setIssuerCtx(0x70?, {0x557a8d0, 0xc003e390c8}, 0xc0040f7440, {0x553e440, 0xc0044bf900})
	/home/runner/go/pkg/mod/github.com/zitadel/oidc/v3@v3.21.0/pkg/op/context.go:52 +0x15a
github.com/zitadel/oidc/v3/pkg/op.(*IssuerInterceptor).Handler-fm.(*IssuerInterceptor).Handler.func1({0x557a8d0?, 0xc003e390c8?}, 0xc0041d8101?)
	/home/runner/go/pkg/mod/github.com/zitadel/oidc/v3@v3.21.0/pkg/op/context.go:28 +0x35
net/http.HandlerFunc.ServeHTTP(0xc0037645e8?, {0x557a8d0?, 0xc003e390c8?}, 0xc005260618?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/zitadel/internal/api/http/middleware.(*userAgentHandler).ServeHTTP(0xc001a10410, {0x557a8d0, 0xc003e390c8}, 0xc0040f7320)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/user_agent_cookie.go:84 +0x23f
github.com/zitadel/zitadel/internal/api/http/middleware.(*headers).ServeHTTP(0xc0044c3b00, {0x557a8d0, 0xc003e390c8}, 0xc0040f7200)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/security_headers.go:80 +0x7b9
github.com/zitadel/zitadel/internal/api/http/middleware.(*cacheInterceptor).Handler.func1({0x5580a00, 0xc003d59ec0}, 0xc0040f7200)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/cache_interceptor.go:76 +0xaf
net/http.HandlerFunc.ServeHTTP(0xc005845e90?, {0x5580a00?, 0xc003d59ec0?}, 0x2842f80?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/zitadel/internal/api/ui/login.CreateLogin.createCacheInterceptor.func3.1({0x5580a00, 0xc003d59ec0}, 0xc0040f7200)
	/home/runner/work/zitadel/zitadel/internal/api/ui/login/login.go:156 +0x10f
net/http.HandlerFunc.ServeHTTP(0x0?, {0x5580a00?, 0xc003d59ec0?}, 0x4?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/gorilla/csrf.(*csrf).ServeHTTP(0xc003d2b200, {0x5580a00, 0xc003d59ec0}, 0xc0040f6fc0)
	/home/runner/go/pkg/mod/github.com/gorilla/csrf@v1.7.2/csrf.go:306 +0x5a2
github.com/zitadel/zitadel/internal/api/ui/login.CreateLogin.createCSRFInterceptor.func2.1({0x5580a00, 0xc003d59ec0}, 0xc0040f6fc0)
	/home/runner/work/zitadel/zitadel/internal/api/ui/login/login.go:140 +0x389
net/http.HandlerFunc.ServeHTTP(0xc0040f6000?, {0x5580a00?, 0xc003d59ec0?}, 0xc0012e2b6c?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/zitadel/internal/api/http/middleware.(*instanceInterceptor).handleInstance(0xc0022f1ea0, {0x5580a00, 0xc003d59ec0}, 0xc0040f6000, {0x553e440, 0xc00515cd20})
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/instance_interceptor.go:71 +0x7d7
github.com/zitadel/zitadel/internal/api/http/middleware.(*instanceInterceptor).Handler-fm.(*instanceInterceptor).Handler.func1({0x5580a00?, 0xc003d59ec0?}, 0x7171401?)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/instance_interceptor.go:40 +0x35
net/http.HandlerFunc.ServeHTTP(0x5581440?, {0x5580a00?, 0xc003d59ec0?}, 0x7171448?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/saml/pkg/provider.(*IssuerInterceptor).setIssuerCtx(0x120?, {0x5580a00, 0xc003d59ec0}, 0xc0040d3e60, {0x553e440, 0xc00516a6e0})
	/home/runner/go/pkg/mod/github.com/zitadel/saml@v0.1.3/pkg/provider/context.go:51 +0x194
github.com/zitadel/saml/pkg/provider.(*IssuerInterceptor).Handler-fm.(*IssuerInterceptor).Handler.func1({0x5580a00?, 0xc003d59ec0?}, 0x5534901?)
	/home/runner/go/pkg/mod/github.com/zitadel/saml@v0.1.3/pkg/provider/context.go:31 +0x35
net/http.HandlerFunc.ServeHTTP(0x5581440?, {0x5580a00?, 0xc003d59ec0?}, 0x55349c0?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP(0xc00408c8f0, {0x557aca0, 0xc003e36fc0}, 0xc0040d3d40, {0x553e440, 0xc00516a700})
	/home/runner/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.50.0/handler.go:214 +0x1243
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1({0x557aca0?, 0xc003e36fc0?}, 0xc0044c3b90?)
	/home/runner/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.50.0/handler.go:72 +0x35
net/http.HandlerFunc.ServeHTTP(0xc0040d3c20?, {0x557aca0?, 0xc003e36fc0?}, 0x41a0d8?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0006f2cc0, {0x557aca0, 0xc003e36fc0}, 0xc0040d3b00)
	/home/runner/go/pkg/mod/github.com/gorilla/mux@v1.8.1/mux.go:212 +0x1e2
github.com/zitadel/zitadel/internal/api.(*API).RegisterHandlerOnPrefix.StripPrefix.func1({0x557aca0, 0xc003e36fc0}, 0xc0040d39e0)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2209 +0x262
net/http.HandlerFunc.ServeHTTP(0x2c0a860?, {0x557aca0?, 0xc003e36fc0?}, 0xc?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/zitadel/internal/api/http/middleware.RobotsTagHandler.func1({0x557aca0, 0xc003e36fc0}, 0xc0040d39e0)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/robots_tag_interceptor.go:12 +0xf0
net/http.HandlerFunc.ServeHTTP(0xc0040d38c0?, {0x557aca0?, 0xc003e36fc0?}, 0x2eb9fc0?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/zitadel/zitadel/cmd/start.startAPIs.WithOrigin.func1.1({0x557aca0, 0xc003e36fc0}, 0xc0040d38c0)
	/home/runner/work/zitadel/zitadel/internal/api/http/middleware/origin_interceptor.go:23 +0xa5
net/http.HandlerFunc.ServeHTTP(0xc0040d37a0?, {0x557aca0?, 0xc003e36fc0?}, 0xc002ce2860?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2166 +0x29
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0006f3d40, {0x557aca0, 0xc003e36fc0}, 0xc0040d3680)
	/home/runner/go/pkg/mod/github.com/gorilla/mux@v1.8.1/mux.go:212 +0x1e2
golang.org/x/net/http2/h2c.h2cHandler.ServeHTTP({{0x553e2e0?, 0xc0006f3d40?}, 0xc00101a140?}, {0x557aca0, 0xc003e36fc0}, 0xc0040d3680)
	/home/runner/go/pkg/mod/golang.org/x/net@v0.24.0/http2/h2c/h2c.go:125 +0x68f
net/http.serverHandler.ServeHTTP({0xc0044c3860?}, {0x557aca0?, 0xc003e36fc0?}, 0x6?)
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc00531f7a0, {0x5581440, 0xc000d1e4b0})
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 887
	/opt/hostedtoolcache/go/1.22.2/x64/src/net/http/server.go:3285 +0x4b4

To reproduce

On a fresh instance:

  • add an LDAP IDP
  • go to the login page
  • hit the "login via LDAP" icon

Screenshots

Screenshot 2024-05-15 at 19 55 35

Expected behavior

One of:

  • login succeeds
  • an error in the logs pointing to where the issue is

Operating System

Docker images from the official repo running on the latest Ubuntu LTS

Relevant Configuration

The LDAP config is attached in the screenshots.

Additional Context

No response

@jacekjaros jacekjaros added the bug Something isn't working label May 15, 2024
@jacekjaros jacekjaros changed the title [Bug]: [Bug]: internal server error when using ldap to login May 15, 2024
@livio-a livio-a assigned livio-a and muhlemmer and unassigned livio-a May 22, 2024
@fregux

fregux commented May 24, 2024

Hi,

I had exactly the same issue. After some research, it seems that it was a Go issue.
On a Reddit thread, they say to close and reopen the browser, and it works for me.

https://www.reddit.com/r/golang/comments/1cdlyye/comment/l1cxspl/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

hope this will help,
Regards

@jacekjaros (Author)

To be frank, if an error related to memory addresses inside the application can be triggered by a specific client/browser request, this issue should have a higher priority ;)

@muhlemmer (Contributor)

@jacekjaros when I follow our own guide https://zitadel.com/docs/guides/integrate/identity-providers/openldap to set up LDAP, using a fresh zitadel v2.51.4 and default config, I'm unable to reproduce your issue.

Looking at the line that created the panic:

password, err := crypto.DecryptString(identityProvider.LDAPIDPTemplate.BindPassword, l.idpConfigAlg)

It could be that somehow LDAPIDPTemplate or BindPassword is nil (or null in the database).

Can you run the following query in the zitadel database to check the state (replace OpenLDAP with the name you set to your IDP):

select i.id, i.name, l.idp_id, l.bind_password
from projections.idp_templates6 i
left join projections.idp_templates6_ldap2 l on l.idp_id = i.id
where i.name = 'OpenLDAP';

With my setup the output looks like:

         id         |   name   |       idp_id       |                                                     bind_password                                                     
--------------------+----------+--------------------+-----------------------------------------------------------------------------------------------------------------------
 269257804412400370 | OpenLDAP | 269257804412400370 | {"KeyID": "idpConfigKey", "Crypted": "B3jOx8ZZxlLpG475pScFhbGgtavxfdchYjVfx6o=", "Algorithm": "aes", "CryptoType": 0}
(1 row)
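The guard that turns the nil dereference described above into a logged error, as an added illustration that is not ZITADEL's code: the types, `bindPassword` and the `decrypt` stand-in for `crypto.DecryptString` are constructed stand-ins for the real ones.

```go
package main

import (
	"errors"
	"fmt"
)

// CryptoValue mirrors the JSON shape of the bind_password column shown in the
// issue (constructed stand-in, not ZITADEL's type).
type CryptoValue struct {
	KeyID     string
	Crypted   []byte
	Algorithm string
}

// LDAPIDPTemplate is a stand-in for the nested template; BindPassword stays
// nil when the ldap child row is missing, as in the reporter's query output.
type LDAPIDPTemplate struct{ BindPassword *CryptoValue }

// IdentityProvider is a stand-in for the idp_templates row.
type IdentityProvider struct {
	Name            string
	LDAPIDPTemplate *LDAPIDPTemplate
}

var ErrMissingLDAPTemplate = errors.New("ldap idp: template not loaded")
var ErrMissingBindPassword = errors.New("ldap idp: bind password not set")

// decrypt stands in for crypto.DecryptString; it only checks the key id and
// returns the stored bytes unchanged (no real cipher here).
func decrypt(v *CryptoValue, keyID string) (string, error) {
	if v.KeyID != keyID {
		return "", fmt.Errorf("ldap idp: unknown key id %q", v.KeyID)
	}
	return string(v.Crypted), nil
}

// bindPassword returns the decrypted bind password or a descriptive error.
// Without the two nil checks a NULL bind_password reaches decrypt through a
// nil pointer and the HTTP handler panics, which is what the trace shows.
func bindPassword(idp *IdentityProvider, keyID string) (string, error) {
	if idp == nil || idp.LDAPIDPTemplate == nil {
		return "", ErrMissingLDAPTemplate
	}
	if idp.LDAPIDPTemplate.BindPassword == nil {
		return "", fmt.Errorf("%w for idp %q", ErrMissingBindPassword, idp.Name)
	}
	return decrypt(idp.LDAPIDPTemplate.BindPassword, keyID)
}

func main() {
	broken := &IdentityProvider{Name: "ldap", LDAPIDPTemplate: &LDAPIDPTemplate{}}
	if _, err := bindPassword(broken, "idpConfigKey"); err != nil {
		fmt.Println("refusing ldap login:", err) // a log line instead of a 500
	}
}
```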

@jacekjaros (Author)

hi @muhlemmer,

You are right about the empty password in my setup.

zitadel=# select i.id, i.name, l.idp_id, l.bind_password
from projections.idp_templates6 i
left join projections.idp_templates6_ldap2 l on l.idp_id = i.id
where i.name = 'ldap';
         id         | name | idp_id | bind_password 
--------------------+------+--------+---------------
 267237125580128261 | ldap |        | 
(1 row)

Let me check the configuration with a bind password added. I will post an update after testing.

thanks,
jacek

Projects
Status: 🧐 Investigating