LDAP Issues when migrating from invites to Active Directory

Describe the problem/error/question:

I started on the community edition on-premise and migrated to the business edition because I need the extra features. I had about 6 users for whom I used the invite feature. Once we upgraded to business, I successfully set up the LDAP connection. We are using the same email that we used before the LDAP connection. Each user logged on successfully except for one. It told him that his password was incorrect. If he used the incorrect password, it told him that there was already a user that existed. If he used the correct password, it said the password was incorrect.

I decided to delete the user from the user list. He can now log on, but he is automatically an admin and he does NOT show up in the user list.

How do I troubleshoot this?

Also, if I run a test synchronization, I get a success, but if I run it, I get an error, but the toast notification says success.

Also, as a paying customer is this the best method for getting support?

Information on your n8n setup

  • n8n version: 2.7.4
  • Database (default: SQLite): Postgres
  • n8n EXECUTIONS_PROCESS setting (default: own, main): Not applicable
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system: Rocky Linux 8.10

Hi @mdjohnso, welcome to the n8n community.
Could you please share a snippet of the docker logs at the moment you run Run synchronization (you may mask the DN/domain), and let me know which attributes you configured in LDAP for Email and User ID (e.g., mail, userPrincipalName, objectGUID, dn)?

I am watching the docker logs and I don’t see anything when I sync. I might have it configured incorrectly?

The docs say that the logging level is set to information. Should I see anything during the sync if I have not set anything for logging in my Docker Compose file?

To troubleshoot, enable debug logging by setting n8n_log_level=debug, then restart, run and inspect.
Check the logs for duplicates; this looks like a conflict in the DB.

Running some things today. I will do it tomorrow morning. Thank you for helping. I will have more tomorrow.

Users return by the query {"users":[{"dn":"CN=Tim Dempsey,OU=Employee,OU=ITM Users,OU=ITM,DC=blah.org,DC=org","sn":"Dempsey","givenName":"Timothy","uid":"tcdempse","mail":"[email protected]"},{"dn":"CN=Matthew Johnson,OU=Employee,OU=ITM Users,OU=ITM,DC=blah.org,DC=org","sn":"Johnson","givenName":"Matthew","mail":"[email protected]","uid":},{"dn":"CN=Caleb Santos,OU=Employee,OU=ITM Users,OU=ITM,DC=blah.org,DC=org","sn":"Santos","givenName":"Caleb","mail":"[email protected]","uid":},{"dn":"CN=Matthew Walters,OU=Employee,OU=ITM Users,OU=ITM,DC=blah.org,DC=org","sn":"Walters","givenName":"Matthew","mail":"[email protected]","uid":},{"dn":"CN=David Sorto,OU=Employee,OU=ITM Users,OU=ITM,DC=blah.org,DC=org","sn":"Sorto","givenName":"David","mail":"[email protected]","uid":}],"file":"ldap.service.ee.js","function":"runSync"}

2026-02-13T15:02:52.613Z | debug | LDAP - Users to process {"created":4,"updated":1,"disabled":1,"file":"ldap.service.ee.js","function":"runSync"}

2026-02-13T15:02:52.640Z [Rudder] debug: no existing flush timer, creating new one

2026-02-13T15:02:52.640Z | debug | LDAP - Synchronization finished successfully {"file":"ldap.service.ee.js","function":"runSync"}

2026-02-13T15:03:02.639Z [Rudder] debug: in flush

2026-02-13T15:03:02.639Z [Rudder] debug: cancelling existing flushTimer…

David Sorto is the user that is able to log on, gets admin rights, and does not show up in the users list.

Here is what is strange.

When he is logged on, he sees himself and all the users except me ([email protected]).

When I log on, I see all the users except him.

Also, when he logs on, I get logged out and have to log on again.

Logs are the same for each logon:

2026-02-13T15:31:14.413Z | debug | Skipped browserId check on /types/nodes.json {"file":"auth.service.js","function":"validateBrowserId"}
2026-02-13T15:31:14.439Z [Rudder] debug: no existing flush timer, creating new one
2026-02-13T15:31:14.849Z | debug | Skipped browserId check on /types/credentials.json {"file":"auth.service.js","function":"validateBrowserId"

I really need this fixed.

If this is the proper channel for paying customers to get support, I would hope I would have an answer or more steps.

Please advise…

Looking at that LDAP query output you posted, I see a couple of issues that might explain what's going on. First, some of those email addresses have a trailing space after them ("[email protected] "), which would cause matching problems against existing users in the database, since "[email protected]" != "[email protected] ". Second, Matthew Johnson's entry shows `"uid": ` which looks like it got cut off or is actually empty, and if you're using uid as your User ID attribute that would definitely cause sync failures.

The ghost admin situation where a user can log in but doesn't show in the user list is weird; I'd check your Postgres database directly to see what's actually in the user table for that person. Something like `SELECT * FROM "user" WHERE email ILIKE '%their-email%';` to see if there are orphaned or duplicate records. When you deleted them from the UI it might not have fully cleaned up whatever LDAP created.

For the sync showing a success toast but an error in the UI, that's probably a race condition in the frontend more than an actual problem; the debug logs should tell you what's really happening during sync. Make sure you're looking at the n8n container logs right when you click sync, not before.

And yeah for paid support you should email [email protected] directly, you’ll get faster response there than on the forum for business edition issues.


Hope this helps you!
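As an added example (not code from the thread or from n8n itself), here is a small Python lint that pulls the users JSON out of a debug line like the one posted above and flags the conditions this reply describes: an empty or missing ID attribute, whitespace around the mail value, and two entries that collide once the email is normalised. It can be rerun with the ID attribute switched to sAMAccountName to confirm that mapping resolves the empty-ID problem before syncing. Every name, DN and address in the sample is constructed.

```python
import json

def users_from_log_line(line):
    """Pull the JSON payload out of a debug line such as
    'Users return by the query {"users":[...],"file":...}' and return its users list."""
    return json.loads(line[line.index("{"):])["users"]

def lint_ldap_users(users, id_attr="uid", mail_attr="mail"):
    """Return (dn, problem) tuples for entries that will not sync cleanly: an empty
    or missing ID attribute (AD fills sAMAccountName, usually not uid), whitespace
    around the email, and two entries that collide once the email is normalised."""
    problems, seen = [], {}
    for entry in users:
        dn = entry.get("dn", "<no dn>")
        ident = entry.get(id_attr)
        if ident is None or str(ident).strip() == "":
            problems.append((dn, f"empty or missing '{id_attr}' attribute"))
        mail = entry.get(mail_attr)
        if mail is None or mail.strip() == "":
            problems.append((dn, f"empty or missing '{mail_attr}' attribute"))
            continue
        if mail != mail.strip():
            problems.append((dn, f"'{mail_attr}' has surrounding whitespace: {mail!r}"))
        key = mail.strip().lower()  # n8n matches on email, so compare case-insensitively
        if key in seen:
            problems.append((dn, f"'{mail_attr}' collides with {seen[key]} after normalisation"))
        else:
            seen[key] = dn
    return problems

# Constructed sample shaped like the "Users return by the query" debug line above;
# every name, DN and address is a placeholder, not data from the thread.
SAMPLE_LINE = "Users return by the query " + json.dumps({"users": [
    {"dn": "CN=User One,OU=Employee,DC=example,DC=org", "uid": "uone",
     "sAMAccountName": "uone", "mail": "user.one@example.org"},
    {"dn": "CN=User Two,OU=Employee,DC=example,DC=org", "uid": "",
     "sAMAccountName": "utwo", "mail": "user.two@example.org "},
    {"dn": "CN=User Three,OU=Employee,DC=example,DC=org",
     "sAMAccountName": "uthree", "mail": "User.Two@example.org"},
    {"dn": "CN=User Four,OU=Employee,DC=example,DC=org", "uid": "ufour",
     "sAMAccountName": "ufour", "mail": ""},
], "file": "ldap.service.ee.js", "function": "runSync"})

if __name__ == "__main__":
    users = users_from_log_line(SAMPLE_LINE)
    for attr in ("uid", "sAMAccountName"):
        print(f"ID attribute = {attr}:")
        for dn, problem in lint_ldap_users(users, id_attr=attr):
            print(f"  {dn}: {problem}")
```

Paste a real debug line (with the DN/domain masked) in place of SAMPLE_LINE to check your own directory output; the whitespace and collision findings survive the switch to sAMAccountName and need fixing in AD.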

Just wanted to update you and to thank you.

The issue was using "uid" in the "ID" attribute mapping.

I changed it to "sAMAccountName". I also deleted both users for good measure and had both users log on again, and it was fixed.

Thank you!

