Is there a count limit for tokens? #1191

Pierre-Lannoy · 2025-06-13T08:21:44Z

Pierre-Lannoy
Jun 13, 2025

Hello all!

I'm currently working on an cross-integration with Pilos and WHMCS.
I've made many tests with GraphQL and each query/mutation was starting with a call to auth/login/simple to get a new fresh token (and, so I was not using refresh token). It is not the final behavior, il plan to cache token and refresh token to do things right but, that was my tests ;)
After many tests (so after generating many new tokens) I've experiment a 401 to obtain new token (with same method, always same user, password and admin group).

As nothing has changed in my config, I wonder if I've reached some kind of limit in token generation… Do you think it's the case? If so, do you have some hint to "reset" the token list?

Thank you for your help,
Pierre

Pierre-Lannoy · 2025-06-13T08:32:29Z

Pierre-Lannoy
Jun 13, 2025
Author

In case you're wondering, it is fully reproducible like that (with a user admin that can open a session on web frontend):

curl --location 'http://127.0.0.1:17170/auth/simple/login' \
--header 'Content-Type: application/json' \
--data-raw '{
    "username": "uid=<redacted>,ou=people,dc=<redacted>,dc=eu",
    "password": "<redacted>"
}'

`Authentication error for user "uid=<redacted>,ou=people,dc=<redacted>,dc=eu"`

0 replies

nitnelave · 2025-06-13T08:51:33Z

nitnelave
Jun 13, 2025
Maintainer

There is no token limit or any kind of rate limiting implemented in LLDAP.

The only thing is that we store the active sessions so it grows the DB (there's a cleanup job for outdated tokens), but I doubt you're hitting the limits of the DB

Are you maybe getting to LLDAP through a proxy that has rate limiting?

0 replies

Pierre-Lannoy · 2025-06-13T08:54:17Z

Pierre-Lannoy
Jun 13, 2025
Author

Yes, I do, but my example with curl is on local machine (so, without proxy).
What is really strange is the behavior is for all admins, not only the one which I used to do my tests…

8 replies

Pierre-Lannoy Jun 13, 2025
Author

Just done it… No luck :/

For the records, I'm using LLDAP with docker with the following docker-compose.yml file:

  ldapdb:
    image: "mariadb:11"
    environment:
      MYSQL_DATABASE: "${DB_DATABASE}"
      MYSQL_USER: "${DB_USERNAME}"
      MYSQL_PASSWORD: "${DB_PASSWORD}"
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
    volumes:
      - "./ldapdb:/var/lib/mysql"
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      interval: 5s
      retries: 12
      timeout: 5s
  lldap:
    image: lldap/lldap:stable
    env_file: .env
    ports:
      - "127.0.0.1:3890:3890"
      - "127.0.0.1:17170:17170"
    volumes:
      - "./lldap/data:/data"
    depends_on:
      ldapdb:
        condition: service_healthy
    environment:
      - UID=1000
      - GID=1000
      - TZ=Europe/Paris
      - LLDAP_JWT_SECRET=${LDAP_JWT_SECRET}
      - LLDAP_KEY_SEED=${LDAP_KEY_SEED}
      - LLDAP_LDAP_BASE_DN=${LDAP_LDAP_BASE_DN}
      - LLDAP_LDAP_USER_PASS=${LDAP_LDAP_USER_PASS}
      - LLDAP_DATABASE_URL=mysql://${DB_USERNAME}:${DB_PASSWORD}@ldapdb:${DB_PORT}/${DB_DATABASE}
      - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true
      - LLDAP_SMTP_OPTIONS__SERVER=${MAIL_HOST}
      - LLDAP_SMTP_OPTIONS__PORT=${MAIL_PORT}
      - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS
      - LLDAP_SMTP_OPTIONS__USER=${MAIL_USERNAME}
      - LLDAP_SMTP_OPTIONS__PASSWORD=${MAIL_PASSWORD}
      - LLDAP_SMTP_OPTIONS__FROM=${MAIL_FROM_NAME} <${MAIL_FROM_ADDRESS}>

nitnelave Jun 13, 2025
Maintainer

Can you log in through the web frontend?

If so, there's probably a typo in your script in the user/domain or something, and it cannot find the user.

Pierre-Lannoy Jun 13, 2025
Author

I can confirm:

user can authenticate and query via LDAP (with ldapsearch)
user can authenticate on LLDAP web frontend
using LLDAP as IdP for Pilos (local on same machine) is working (yes, everybody can log in Pilos)

But nobody (even initial admin user) can't use the /auth/simple/login endpoint to get token. With my script, Postman or cUrl, the error is:

Authentication error for user "uid=admin,ou=people,dc=<redacted>,dc=eu"

nitnelave Jun 13, 2025
Maintainer

Just re-read your initial message: when you use GraphQL, no need to specify a full DN (and, as you found out, you shouldn't!). Just user=username will work

Pierre-Lannoy Jun 13, 2025
Author

Ohhhhhhh. OMG!
That was just that!

Thank you so much !

Uh oh!

Is there a count limit for tokens? #1191

Uh oh!

Pierre-Lannoy Jun 13, 2025

Replies: 3 comments · 8 replies

Uh oh!

Pierre-Lannoy Jun 13, 2025 Author

Uh oh!

nitnelave Jun 13, 2025 Maintainer

Uh oh!

Pierre-Lannoy Jun 13, 2025 Author

Uh oh!

Pierre-Lannoy Jun 13, 2025 Author

Uh oh!

Uh oh!

nitnelave Jun 13, 2025 Maintainer

Uh oh!

Uh oh!

Pierre-Lannoy Jun 13, 2025 Author

Uh oh!

nitnelave Jun 13, 2025 Maintainer

Uh oh!

Pierre-Lannoy Jun 13, 2025 Author

Pierre-Lannoy
Jun 13, 2025

Replies: 3 comments 8 replies

Pierre-Lannoy
Jun 13, 2025
Author

nitnelave
Jun 13, 2025
Maintainer

Pierre-Lannoy
Jun 13, 2025
Author

Pierre-Lannoy Jun 13, 2025
Author

nitnelave Jun 13, 2025
Maintainer

Pierre-Lannoy Jun 13, 2025
Author

nitnelave Jun 13, 2025
Maintainer

Pierre-Lannoy Jun 13, 2025
Author