Re: Why do I get "passdb_backend=unknown" for a subset of requests
Hello Christian,
Thank you for your fast answer. Sorry that I missed adding some basic information, I realized after I had sent the message:
Originally: OS: Debian 13.2 Version: nauthilus 1.11.3 amd64 (from github package: {sha256}3eba20ed95001c7d321516915079c1861ed41389b672ca1aab5518cbde708527)
Now: OS: Debian 13.2 Version: nauthilus 1.11.4 amd64 (from github package: {sha256}7e249215dbf0e82632e6f955dcd7449d735d60c586d5aa13324b32dc584850d0)
After installing the updated package and restarting the service, I still see the same behavior.

Dec 16 12:52:47 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T12:52:47.538Z level=NOTICE msg="Authentication request has failed" instance=nauthilus session=36vabD3LkHy0cvnV50UWamrPhfH mode=auth backend_name=N/A protocol=imap oidc_cid=N/A local_ip=N/A port=N/A client_ip=1.2.3.4 client_port=N/A client_host=N/A tls_protocol=N/A tls_cipher=N/A auth_method=plain username=user2@example.org passdb_backend=unknown current_password_retries=1 account_passwords_seen=0 total_passwords_seen=0 user_agent=N/A client_id=N/A brute_force_bucket=N/A feature=N/A status_message="Invalid login or password" uri_path=/api/v1/auth/nginx authenticated=fail authz=true authn=false latency=2.556ms

curl -v -X POST -H "Auth-User: user2@example.org" -H "Auth-Method: plain" -H "Auth-Protocol: imap" "http://192.168.0.6:9443/api/v1/auth/nginx?mode=no-auth"
- Trying 192.168.0.6:9443...
- Connected to 192.168.0.6 (192.168.0.6) port 9443
- using HTTP/1.x
POST /api/v1/auth/nginx?mode=no-auth HTTP/1.1
Host: 192.168.0.6:9443
User-Agent: curl/8.14.1
Accept: */*
Auth-User: user2@example.org
Auth-Method: plain
Auth-Protocol: imap
- Request completely sent off
< HTTP/1.1 200 OK
< Auth-Port: 143
< Auth-Server: 192.168.0.5
< Auth-Status: OK
< Auth-User: user2@example.org
< X-Nauthilus-Memory-Cache: Miss
< X-Nauthilus-Session: 36vb8ONSo0MJTjECvOKOQbpd4Fh
< Date: Tue, 16 Dec 2025 12:57:11 GMT
< Content-Length: 0
<
- Connection #0 to host 192.168.0.6 left intact
Is there anything else that you might suggest or observe? Are there any flags in the 1.11 branch (similar to "server.dedup.in_process_enabled") that might (need to) be set?
Is there any more information that I might be able to supply to assist?
What we do not understand and cannot explain is this "passdb_backend=unknown". It is like for some request instances there is a null pointer for the server … and typing this and seeing the logs, I note:

Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #1 is free" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapPoolImpl).u>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #2 is free" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapPoolImpl).u>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #3 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #4 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #5 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #6 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #7 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="LDAP free/busy state #8 is busy or closed" instance=nauthilus pool=auth debug_module=ldappool function=github.com/croessner/nauthilus/server/backend/ldappool.(*ldapP>
Dec 16 13:34:43 hostpack-nauthilus-01 nauthilus[71980]: time=2025-12-16T13:34:43.796Z level=DEBUG msg="State open connections" instance=nauthilus pool=auth needClosing=0 openConnections=2 idlePoolSize=2 debug_module=ldappool function=github.com/croessner/nauthilus/ser>

Could these "busy or closed" LDAP instances #3-#8 be causing the "unknown" backend?
Regards,
Chris M.

From: Christian Rößner
Sent: Tuesday, December 16, 2025 12:19
To: Christopher Moules
Cc: Main list for Nauthilus users
Subject: Re: [Nauthilus-users] Why do I get "passdb_backend=unknown" for a subset of requests

Hi,
On 16.12.2025 at 11:35, Christopher Moules via Nauthilus-users nauthilus-users@lists.nauthilus.org wrote:
Hello,

We are trying to deploy Nauthilus as a replacement to some legacy software, initially as a nginx ‘auth_http’ service.

Initially, we are working with a configuration based on your “Getting started” example: https://nauthilus.org/docs/about/getting-started#basic-configuration

We have 2 backends: LDAP and Redis Cache (KeyDB in practice):

backends:
  - cache
  - ldap # Or "lua" if using Lua backend

All testing performed worked fine. After going into production, we had a small but significant percentage of connections that were failed with:

status_message="Invalid login or password" passdb_backend=unknown

Initially, it looked like they were just “valid” failed logins, but we received a number of tickets so we looked closer at the logs. We noted that the affected logins/accounts had this “passdb_backend=unknown” as opposed to “passdb_backend=ldap” or “passdb_backend=cache”.

Performing debugging with cURL and the “?mode=no-auth” we are able to get ‘positive’ results and seeing that the users are found in the LDAP DB. We are unable to see why for some requests Nauthilus is not finding the user.

Some anonymised debug logs:
…
I had some issues in 1.10.x and <1.11.4 with Request-deduplication.
If you use 1.10.x, can you set server.dedup.in_process_enabled to false or better give 1.11.4 a try.
Kind regards
Christian Rößner
Rößner-Network-Solutions
Zertifizierter ITSiBe / CISO
Marburger Str. 70a, 36304 Alsfeld
Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
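
Added example, not part of the thread and not Nauthilus code: a small log triage script that parses the key=value log lines shown above, tallies failed authentication requests per passdb_backend, and lists the time, user and session of each "unknown" one so they can be matched against tickets. The first sample line is abridged from the thread; the other lines, the CONSTRUCTED session values and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# logfmt pairs: key=value, where value may be double-quoted and contain spaces
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_logfmt(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields

def summarize(lines):
    """Tally failed auth requests per passdb_backend and list the 'unknown' ones."""
    by_backend, unknown = Counter(), []
    for line in lines:
        f = parse_logfmt(line)
        if f.get("msg") != "Authentication request has failed":
            continue  # skip DEBUG pool messages and successful logins
        backend = f.get("passdb_backend", "<missing>")
        by_backend[backend] += 1
        if backend == "unknown":
            unknown.append((f.get("time"), f.get("username"), f.get("session")))
    return by_backend, unknown

PREFIX = "Dec 16 12:52:47 hostpack-nauthilus-01 nauthilus[71980]: "
# Line 1 is abridged from the thread; lines 2-4 are constructed for illustration.
SAMPLE = [
    PREFIX + 'time=2025-12-16T12:52:47.538Z level=NOTICE msg="Authentication request has failed" '
    'session=36vabD3LkHy0cvnV50UWamrPhfH username=user2@example.org passdb_backend=unknown '
    'status_message="Invalid login or password" authenticated=fail',
    PREFIX + 'time=2025-12-16T12:52:48.100Z level=NOTICE msg="Authentication request has failed" '
    'session=CONSTRUCTED-0002 username=user7@example.org passdb_backend=ldap authenticated=fail',
    PREFIX + 'time=2025-12-16T12:52:48.200Z level=DEBUG '
    'msg="LDAP free/busy state #3 is busy or closed" pool=auth debug_module=ldappool',
    PREFIX + 'time=2025-12-16T12:52:49.300Z level=NOTICE msg="Authentication request has failed" '
    'session=CONSTRUCTED-0004 username=user9@example.org passdb_backend=unknown authenticated=fail',
]

if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE)
    total = sum(counts.values())
    for backend, n in counts.most_common():
        print(f"{backend:10s} {n:4d}  ({100 * n / total:.0f}% of failed requests)")
    for ts, user, session in unknown:
        print(f"unknown backend: {ts} user={user} session={session}")
```
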