Hello Christian,
Thank you for your fast answer.
Sorry that I missed adding some basic information; I realized this after I had sent the message:
Originally:
OS: Debian 13.2
Version: nauthilus 1.11.3 amd64 (from github package: {sha256}3eba20ed95001c7d321516915079c1861ed41389b672ca1aab5518cbde708527)
Now:
OS: Debian 13.2
Version: nauthilus 1.11.4 amd64 (from github package: {sha256}7e249215dbf0e82632e6f955dcd7449d735d60c586d5aa13324b32dc584850d0)
After installing the updated package and restarting the service, I still see the same behavior.
Dec 16 12:52:47 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T12:52:47.538Z level=NOTICE msg="Authentication request has failed" instance=nauthilus session=36vabD3LkHy0cvnV50UWamrPhfH mode=auth backend_name=N/A protocol=imap oidc_cid=N/A local_ip=N/A port=N/A client_ip=1.2.3.4 client_port=N/A client_host=N/A tls_protocol=N/A tls_cipher=N/A auth_method=plain username=user2@example.org passdb_backend=unknown current_password_retries=1 account_passwords_seen=0 total_passwords_seen=0 user_agent=N/A client_id=N/A brute_force_bucket=N/A feature=N/A status_message="Invalid login or password" uri_path=/api/v1/auth/nginx authenticated=fail authz=true authn=false latency=2.556ms
curl -v -X POST -H "Auth-User: user2@example.org" -H "Auth-Method: plain" -H "Auth-Protocol: imap" "http://192.168.0.6:9443/api/v1/auth/nginx?mode=no-auth"
* Trying 192.168.0.6:9443...
* Connected to 192.168.0.6 (192.168.0.6) port 9443
* using HTTP/1.x
> POST /api/v1/auth/nginx?mode=no-auth HTTP/1.1
> Host: 192.168.0.6:9443
> User-Agent: curl/8.14.1
> Accept: */*
> Auth-User: user2@example.org
> Auth-Method: plain
> Auth-Protocol: imap
>
* Request completely sent off
< HTTP/1.1 200 OK
< Auth-Port: 143
< Auth-Server: 192.168.0.5
< Auth-Status: OK
< Auth-User: user2@example.org
< X-Nauthilus-Memory-Cache: Miss
< X-Nauthilus-Session: 36vb8ONSo0MJTjECvOKOQbpd4Fh
< Date: Tue, 16 Dec 2025 12:57:11 GMT
< Content-Length: 0
<
* Connection #0 to host 192.168.0.6 left intact
Is there anything else that you might suggest or observe?
Are there any flags in the 1.11 branch (similar to "server.dedup.in_process_enabled") that might (need to) be set?
Is there any more information that I might be able to supply to assist?
What we do not understand and cannot explain is this "passdb_backend=unknown".
It is like for some request instances there is a null pointer for the server … and typing this and seeing the logs, I note:
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #1 is free" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapPoolImpl).u>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #2 is free" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapPoolImpl).u>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #3 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #4 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #5 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #6 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #7 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #8 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="State open connections" instance=nauthilus pool=auth needClosing=0 openConnections=2 idlePoolSize=2 debug_module=ldappool function=github.com/croessner/nauthilus/ser>
Could these "busy or closed" LDAP instances #3-#8 be causing the "unknown" backend?
Regards,
Chris M.
From: Christian Rößner
Sent: Tuesday, December 16, 2025 12:19
To: Christopher Moules
Cc: Main list for Nauthilus users
Subject: Re: [Nauthilus-users] Why do I get "passdb_backend=unknown" for a subset of requests
Hi,
> On 16.12.2025 at 11:35, Christopher Moules via Nauthilus-users <nauthilus-users@lists.nauthilus.org> wrote:
>
> Hello,
> We are trying to deploy Nauthilus as a replacement for some legacy software, initially as an nginx ‘auth_http’ service.
> Initially, we are working with a configuration based on your “Getting started” example:
>
> https://nauthilus.org/docs/about/getting-started#basic-configuration
> We have 2 backends: LDAP and Redis Cache (KeyDB in practice):
> backends:
> - cache
> - ldap # Or "lua" if using Lua backend
> All testing performed worked fine.
> After going into production, we had a small but significant percentage of connections that failed with:
> status_message="Invalid login or password"
> passdb_backend=unknown
> Initially, it looked like they were just “valid” failed logins, but we received a number of tickets so we looked closer at the logs.
> We noted that the affected logins/accounts had this “passdb_backend=unknown” as opposed to “passdb_backend=ldap” or “passdb_backend=cache”.
> Performing debugging with cURL and the “?mode=no-auth”, we are able to get ‘positive’ results and see that the users are found in the LDAP DB.
> We are unable to see why for some requests Nauthilus is not finding the user.
> Some anonymised debug logs:
…
I had some issues in 1.10.x and <1.11.4 with Request-deduplication.
If you use 1.10.x, can you set server.dedup.in_process_enabled to false or, better, give 1.11.4 a try?
Kind regards
Christian Rößner
--
Rößner-Network-Solutions
Certified ITSiBe / CISO
Marburger Str. 70a, 36304 Alsfeld
Mobile: +49 171 9905345
VAT ID: DE225643613
https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
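
Added example, not part of the original messages or of the Nauthilus project: a small Python triage script that re-joins wrapped journal lines like the ones quoted in this thread and counts failed logins per passdb_backend, so failures logged with passdb_backend=unknown can be separated from those where ldap or cache answered. The sample log lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# key=value pairs; a value may be double-quoted and contain spaces
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# syslog/journal prefix that marks the start of a new nauthilus entry
START = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ nauthilus\[\d+\]: ')

# Constructed sample in the format shown in the thread; the first entry is wrapped.
SAMPLE = '''\
Dec 16 12:52:47 host01 nauthilus[100]: level=NOTICE msg="Authentication request has failed" protocol=imap
client_ip=1.2.3.4 username=user2@example.org passdb_backend=unknown
status_message="Invalid login or password" authenticated=fail latency=2.556ms
Dec 16 12:53:10 host01 nauthilus[100]: level=NOTICE msg="Authentication request has failed" username=user3@example.org passdb_backend=ldap authenticated=fail
Dec 16 12:53:11 host01 nauthilus[100]: level=DEBUG msg="LDAP free/busy state #1 is free" pool=auth
Dec 16 12:54:02 host01 nauthilus[100]: level=NOTICE msg="Authentication request has failed" username=user2@example.org passdb_backend=unknown authenticated=fail
'''

def entries(text):
    """Yield one string per log entry, re-joining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        if START.match(line):
            if current is not None:
                yield current
            current = START.sub('', line)
        elif current is not None and line.strip():
            current += ' ' + line.strip()
    if current is not None:
        yield current

def parse(entry):
    """Turn one entry into a dict, stripping the quotes around quoted values."""
    return {k: v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
            for k, v in PAIR.findall(entry)}

def failed_by_backend(text):
    """Return (failed logins per passdb_backend, affected usernames per backend)."""
    counts, users = Counter(), defaultdict(set)
    for fields in map(parse, entries(text)):
        if fields.get('authenticated') != 'fail':
            continue  # not a failed authentication entry (e.g. DEBUG pool lines)
        backend = fields.get('passdb_backend', 'missing')
        counts[backend] += 1
        users[backend].add(fields.get('username', '?'))
    return counts, dict(users)

if __name__ == '__main__':
    print(failed_by_backend(SAMPLE))
```
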