v0.26.2 LDAP Group Sync for IDM instead of AD #1219

Closed
opened 2026-02-05 00:17:31 +03:00 by OVERLORD · 10 comments
Originally created by @chris-jeon on GitHub (Jun 11, 2019).

I am quite new to Linux as well as LDAP configurations, so please bear with me. I have successfully installed BookStack. I successfully authenticated against LDAP, but can't figure out the LDAP Group Synchronization.

Problem

I am unable to connect and match the specified roles from BookStack onto groups of my company's IDM database; I assume that the problem lies within how I have my LDAP_USER_FILTER set as just LDAP_USER_FILTER=(&(uid=${user}). However, the only way for me to log in with the correct credentials is to have that as my user filter.

I've already put in the specific CN of the groups into the External Authentication IDs for those specific roles, and still have no luck. I've searched within every single issue, whether it's closed or open, for a similar issue, but most of them are dealing with Active Directory instead of IDM, so no luck there for me either. I left the LDAP_DN and LDAP_PASS as false because I didn't necessarily need an admin to access BookStack.

I've tried several ways to reword the LDAP_USER_FILTER similar to #973 but because that issue deals with AD, I wasn't completely sure what to do.

  • LDAP_USER_FILTER=(&(uid=${user})(|(memberOf=cn=GROUP,cn=ACCOUNTS,dc=...,dc=...))

Searching the query of my domain, our database doesn't use OU and only CN as its hierarchy (if you were wondering why I haven't used OU).

Potential issue

> If using OpenLDAP you'll need to set up the memberof overlay.

I am currently using OpenLDAP and I've found a module which had the memberof overlay without me setting it up, so I'm not exactly sure if that's the issue there.

OVERLORD added the 🐕 Support label 2026-02-05 00:17:31 +03:00
@ssddanbrown commented on GitHub (Jun 12, 2019):

Hi @chris-jeon,
Thanks for the detail and sorry to hear you're experiencing difficulty setting this up.

I must admit my experience with LDAP is a little weak, having only really used it to create and test the BookStack integration. If you query your LDAP server directly via the command line, are you able to see the memberof attributes in the results? Here's my query and output for reference (sensitive data replaced):

```
> ldapsearch -h home -b dc=ldap,dc=example,dc=com -D cn=admin,dc=ldap,dc=example,dc=com -w <password> "(&(uid=dbrown))" uid sn cn memberof
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=example,dc=com> with scope subtree
# filter: (&(uid=dbrown))
# requesting: uid sn cn memberof
#

# Dan Brown, users, ldap.example.com
dn: cn=Dan Brown,ou=users,dc=ldap,dc=example,dc=com
cn: Dan Brown
sn: Brown
uid: dbrown
memberOf: cn=admins,ou=groups,dc=ldap,dc=example,dc=com
memberOf: cn=editor,ou=groups,dc=ldap,dc=example,dc=com
memberOf: cn=admins (bookstack only),ou=groups,dc=ldap,dc=example,dc=com
memberOf: cn=united kingdom,ou=groups,dc=ldap,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

I also use OpenLDAP in my testing instead of AD. I remember getting the memberof attribute working correctly was a lot of pain, although much of that could well have been my inexperience with such systems.

@chris-jeon commented on GitHub (Jun 14, 2019):

@ssddanbrown Thank you for the quick reply. Yes, I am able to see what the memberof attributes are. I'm just confused on how to set it up in the LDAP user_filter portion of the .env file to integrate the roles for the LDAP accounts.

@ssddanbrown commented on GitHub (Jun 14, 2019):

@chris-jeon The LDAP_USER_FILTER is a generic search that BookStack uses when looking up users. This does not really need to consider roles at all.

Upon login, with group sync enabled, BookStack will look up the user, using that filter, then fetch their groups via the same query but requesting the memberOf attribute. BookStack will then iterate over the returned groups to match them with system roles.

@chris-jeon commented on GitHub (Jun 14, 2019):

@ssddanbrown
On the .env file, I would list out the necessary filters like this to LDAP_USER_FILTER:

> (&(uid=${users}))(|(memberOf=cn=specific1,cn=groups,cn=accounts,dc=example,dc=com)(memberOf=cn=specific2,cn=groups,cn=accounts,dc=example,dc=com))

If I try to log in with the filter just like above, I get the error saying

> these credentials do not match our records

When I write the filter without the "uid" portion, I get the Bad Search Filter with APP_DEBUG on.

I just need to know how to correctly write out either the memberOf portion, or whether I need to use the objectClass portion in the user_filter?


@ssddanbrown commented on GitHub (Jun 15, 2019):

@chris-jeon In your example filter above you have ${users} included within it. This should be ${user}.

Have you tried using your LDAP_USER_FILTER via command line, replacing ${user} with a login username, to see if you get results there?

Just to confirm, you only need to list groups in the LDAP_USER_FILTER if you are purposefully trying to limit any kind of access to BookStack to certain groups. Alternatively you could allow all LDAP users access but only map roles to certain groups so non-matches are left without any permissions.

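The two steps Dan describes above (look the user up with `LDAP_USER_FILTER`, then match the entry's `memberOf` group CNs against each role's external authentication ID) and the command-line check he suggests, as an added example that is not BookStack's own code. The LDIF sample and the role map are constructed from the ldapsearch output quoted earlier; matching on the group CN mirrors what the poster entered as external authentication IDs and is an assumption here, as is the exact wording of the diagnostics. It also covers the posixGroup case from later in the thread: there membership lives on the group entry as `memberUid`, so the user entry has no `memberOf` and no roles sync.

```python
# Added example, not BookStack's code: group-sync flow from the thread plus an LDAP_USER_FILTER sanity check.
# Constructed sample, shaped like the ldapsearch output quoted above.
SAMPLE_LDIF = """\
dn: cn=Dan Brown,ou=users,dc=ldap,dc=example,dc=com
uid: dbrown
memberOf: cn=admins,ou=groups,dc=ldap,dc=example,dc=com
memberOf: cn=editor,ou=groups,dc=ldap,dc=example,dc=com
memberOf: cn=united kingdom,ou=groups,dc=ldap,dc=example,dc=com
"""
# Constructed role map: BookStack role -> external authentication ID (group CN).
ROLE_MAP = {"Admin": "admins", "Editor": "editor"}

def member_of_groups(ldif: str) -> list[str]:
    """CN (lower-cased) of each memberOf value on a single user entry.
    posixGroup directories keep membership on the group (memberUid), so the
    user entry has no memberOf and this returns [] -> no roles sync."""
    cns = []
    for line in ldif.splitlines():
        attr, _, value = line.partition(": ")
        if attr.lower() == "memberof":
            first_rdn = value.split(",", 1)[0]  # e.g. "cn=admins"
            if first_rdn.lower().startswith("cn="):
                cns.append(first_rdn[3:].strip().lower())
    return cns

def roles_for_user(ldif: str, role_map: dict[str, str]) -> list[str]:
    """Roles whose external auth ID matches one of the user's group CNs."""
    groups = set(member_of_groups(ldif))
    return [r for r, ext_id in role_map.items() if ext_id.lower() in groups]

def check_user_filter(template: str, username: str) -> str:
    """Substitute ${user} and require one balanced top-level filter.
    Returns "" when well-formed, otherwise a short diagnosis."""
    if "${user}" not in template:
        return "placeholder ${user} missing (a ${users} typo, for instance)"
    depth = top_level = 0
    for ch in template.replace("${user}", username):
        if ch == "(":
            top_level += depth == 0
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unbalanced parentheses"
    if depth != 0:
        return "unbalanced parentheses"
    if top_level != 1:
        return "more than one top-level filter; wrap all terms in one (&...)"
    return ""
```

A filter that `check_user_filter` flags is the kind that ldapsearch rejects with "Bad search filter" and BookStack surfaces as a credential mismatch, so run it on the .env value before trying a login.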

@chris-jeon commented on GitHub (Jun 17, 2019):

@ssddanbrown Sorry, yeah, in that filter above I had quickly changed it to ${user} afterwards, but it still doesn't end up working.

Yes, I have tried using my user_filter replaced with my own login username, which only allows my information to be logged in.

If all LDAP_USER_FILTER needs are groups, I'll try it again, but now that I think about it, I'm not exactly sure if the problem lies in the OpenLDAP server not having the memberOf overlay. I assumed because the IDM my company uses is already set with existing log-in information, I wasn't sure if that applied in my case.

If the above sentence is a bit confusing, what I essentially mean is that I never dealt with the memberOf overlay (setting up the slap.d configuration) because I assumed that some of the steps in order to complete the memberOf overlay deals with inputting user accounts which didn't make sense to me as I wouldn't need to if I already have existing accounts through IDM.


@chris-jeon commented on GitHub (Jun 18, 2019):

Update:

I've tried putting in just the groups within the user_filter, but had no luck, still gives me credential issues. Now as I'm losing my hope, I can't 100% tell if it's a syntax problem, or a problem within the IDM of how the memberOf is set up for the specific groups.

My ldapsearch queries show all the necessary groups for a user, and I copy them into the LDAP_USER_FILTER word for word, yet it still gives me a credential mismatch, which confuses me as to why it doesn't work.

One of my coworkers thinks that it's just a syntax issue, but I've been trying to tackle this problem through many tries on fixing the syntax, but have had no luck :/


@ssddanbrown commented on GitHub (Jun 20, 2019):

@chris-jeon Sorry to hear you have not yet been able to solve this and apologies for the limited support I can provide here.

Does login work if you use a really simple LDAP_USER_FILTER, like the default LDAP_USER_FILTER=(&(uid=${user}))?

Knowing that would confirm if this is anything to do with the memberOf overlay or group sync.


@chris-jeon commented on GitHub (Jun 21, 2019):

Update

@ssddanbrown
I've figured out the problem on why it wasn't group syncing. All this time, I thought it was just a syntax error (was spinning my wheels for about 3 days) on LDAP_USER_FILTER.

Researching even more into LDAP, I figured out that the IDM that my company uses deals with Posixgroups. Meaning, the memberof overlay is required to set up the group sync, but looking more into it, it's apparently a difficult and tedious process to get it working.

So, I've basically given up on the group sync for now, since BookStack is up and running, only problem is when people sign-in for the first time, they won't be assigned the roles according to their groups. Thank you for your support regardless of the result!


@ssddanbrown commented on GitHub (Jun 22, 2019):

@chris-jeon Glad to hear you got to the bottom of the mystery!

Since there doesn't appear to be an issue or omission of BookStack itself I'll close this issue.

Reference: starred/BookStack#1219