goauthentik/authentik

Nested user attributes not exposed as valid LDAP attributes in LDAP Outpost

Open

#16954 opened on Sep 23, 2025

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Python (4,050 stars) (319 forks)batch import
bugbug/confirmedgood first issue

Description

Describe the bug When exposing custom attributes via the LDAP outpost, nested attributes are not returned as individual LDAP attributes. Instead, they appear in a serialized map format that does not seem to comply with LDAP.

To Reproduce Steps to reproduce the behavior:

  1. Configure a user in Authentik with a custom attribute containing nested values, e.g. settings.locale = en.
  2. Query the user via the LDAP outpost using ldapsearch.
  3. Inspect the LDAP response.

See that the attribute is returned as a serialized map string rather than as a proper multi-valued LDAP attribute.

Expected behavior I would expect the LDAP outpost to flatten or map the nested attribute into standard LDAP attributes, for example:

settingsLocale: en

or

settings.locale: en

instead of:

settings: map[locale:en]

Version and Deployment (please complete the following information):

  • authentik version: 2025.8.3
  • Deployment: Docker

Additional context Add any other context about the problem here.

Contributor guide

Tech stack
pythondocker
Domain
backendauthentication
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
LDAP attribute structurePython basicsAuthentik outpost configuration
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
70
Research direction
Examine the LDAP outpost code in the 'authentik/outposts/ldap/' directory, specifically the attribute serialization functions. Identify how custom attributes are currently converted to LDAP attributes. Consider implementing a recursive flattening of nested maps into dot separated keys or similar.