Not able to login on Latest with LDAP

Hi guys,

Sorry to be bothering you here with this issue. Recently I updated our Discourse installation to latest. We are using the LDAP plugin; however, users are unable to log in.

If you kept your session you will experience no issue whatsoever. However, if you try to log in now, when clicking on “Log In” the URL changes to /auth/failure?message=csrf_detected and we get the error message: “Authorization timed out, or you have switched browsers. Please try again.”

Does anyone know if there was a recent change that may lead to this situation?


I believe @david may have advice?

A question on the side: is there a way to roll back to a previous version? I have been searching around and the consensus is to disable the plugins (or the specific plugin at fault). However, I can’t disable this one because that’s the way that my users log in to the platform :stuck_out_tongue:

It’s not really supported, but if you have a backup you can delete the postgres data directory, put a commit in the version line in app.yml, rebuild, and restore the backup.

Yep, went for a backup and I’m trying to rebuild using the SHA of the version I had because it’s working iffy.

On the side I still have the latest-stable version trying to see if we can fix it somehow.

I don’t know if @david has any advice as suggested by @codinghorror but I’m willing to try anything since my userbase is locked out (unless they kept their session).

Quick update: Tried to use the backup version with a snapshot of the machine as it was at that moment (before the upgrade). Clicking “Log In” just reloads the main page twice. Tried to rebuild with the exact commit SHA I had back then, not lucky, DB Rake error. :no_mouth:

Have been searching for other reports on the LDAP issue; there don’t seem to be any. Can this be caused by an external source?

Last Update:

Issue solved, found the root cause, not Discourse-related (sorry guys!). The issue was that the certificate was updated and served through a HAP. We were not using a HAP before and Discourse was serving it itself; we forgot about this detail, which implied that we got that CORS error.

Lessons learned:

  • Rolling back Discourse is not a thing, better have a backup of the entire machine (that was the case, thankfully).
  • I’m yet to find out why it was so difficult to rebuild with a specific SHA following the instructions I read here, I was unable to do so.
  • Better to always serve the certs from the HAP but don’t forget about it. (As a note for anyone else, it’s necessary to add the flag 'set-header X-Forwarded-Proto https' because Discourse has its own NGINX, and this is where it was failing).
  • The fact that no one was reporting the same issue (even considering that this is a corner-case since the plugin is not official) pointed to that direction (Community as intended :stuck_out_tongue: )
  • The issue only manifested late (to the point that we didn’t remember the Cert change) because of the rebuild triggered by the update, which is where it failed.

Once again, thanks and sorry for the noise!
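
Added example, not part of the original thread or of Discourse's code: assuming "HAP" above means HAProxy, this Python check flags `frontend`/`listen` sections that terminate TLS without setting `X-Forwarded-Proto`, the omission described in the lessons learned. The sample configuration, its section names, ports and certificate path are constructed placeholders.

```python
import re

# Constructed haproxy.cfg for illustration; names, ports and paths are placeholders.
SAMPLE_CFG = """\
defaults
    mode http

# TLS ends here, but the backend is never told the client used HTTPS.
frontend forum_broken
    bind :443 ssl crt /etc/haproxy/certs/placeholder.pem
    default_backend discourse

# Same frontend with the scheme header set by the proxy.
frontend forum_fixed
    bind :8443 ssl crt /etc/haproxy/certs/placeholder.pem
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend discourse

backend discourse
    server app 127.0.0.1:8080
"""

SECTION = re.compile(r"^(global|defaults|frontend|listen|backend)\b\s*(\S*)")
TLS_BIND = re.compile(r"^bind\s.*\sssl(\s|$)")
SETS_PROTO = re.compile(r"^http-request\s+set-header\s+X-Forwarded-Proto\s+https\b", re.I)


def frontends_missing_forwarded_proto(cfg_text):
    """Return frontend/listen sections that terminate TLS but never set
    X-Forwarded-Proto. Rules placed in a backend section are not followed."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = SECTION.match(line)
        if m:
            kind, name = m.groups()
            current = None  # only frontend/listen sections are tracked
            if kind in ("frontend", "listen"):
                current = sections.setdefault(name, {"tls": False, "proto": False})
        elif current is not None and TLS_BIND.match(line):
            current["tls"] = True
        elif current is not None and SETS_PROTO.match(line):
            current["proto"] = True
    return [n for n, s in sections.items() if s["tls"] and not s["proto"]]


if __name__ == "__main__":
    for name in frontends_missing_forwarded_proto(SAMPLE_CFG):
        print(f"{name}: terminates TLS but does not set X-Forwarded-Proto")
```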

