LDAP Group Sync with Domain Restriction Turned ON #1698

New Issue

Closed

opened 2026-02-05 01:39:10 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2026-02-05 01:39:10 +03:00

Owner

Copy Link

Originally created by @mikeyz24 on GitHub (Apr 30, 2020).

I'm not sure if this is a bug or i'm doing something wrong...
I'm trying to setup AD group sync but it appears that my AD group (role) is not being assigned to new accounts when Domain Restriction setting is turned on.

When a new user signs in with their domain credentials, they always get assigned the Role that is defined in the dropdown for "Default user roler after registration" and the role that is in AD does not get assigned.

If I remove the domain restriction, when a new user signs in, they get assigned the Group they are part of in AD and ALSO the role that is defined in "default user role after registration".

How do I make it so that only the role that the user is a part of in AD gets assigned when they first login?

I'm running v0.29.1
My .ENV file for LDAP has the following settings:

LDAP_USER_FILTER=(&(sAMAccountName=${user}))
LDAP_VERSION=3
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=true
LDAP_DISPLAY_NAME_ATTRIBUTE=cn

Originally created by @mikeyz24 on GitHub (Apr 30, 2020). I'm not sure if this is a bug or i'm doing something wrong... I'm trying to setup AD group sync but it appears that my AD group (role) is not being assigned to new accounts when Domain Restriction setting is turned on. When a new user signs in with their domain credentials, they always get assigned the Role that is defined in the dropdown for "Default user roler after registration" and the role that is in AD does not get assigned. If I remove the domain restriction, when a new user signs in, they get assigned the Group they are part of in AD and ALSO the role that is defined in "default user role after registration". How do I make it so that only the role that the user is a part of in AD gets assigned when they first login? I'm running v0.29.1 My .ENV file for LDAP has the following settings: ``` LDAP_USER_FILTER=(&(sAMAccountName=${user})) LDAP_VERSION=3 LDAP_USER_TO_GROUPS=true LDAP_GROUP_ATTRIBUTE="memberOf" LDAP_REMOVE_FROM_GROUPS=true LDAP_DISPLAY_NAME_ATTRIBUTE=cn ```

OVERLORD added the 🐛 Bug🚪 Authentication🏭 Back-End labels 2026-02-05 01:39:10 +03:00

OVERLORD closed this issue 2026-02-05 01:39:11 +03:00

OVERLORD commented 2026-02-05 01:39:15 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (May 2, 2020):

Thanks for reporting @mikeyz24.

Can confirm this appears to be a bug in the current logic. The requirement for email confirmation kicks-in and redirects the user just before groups are synced. Applies to both LDAP and SAML2 authentication & group sync. The email confirmation flow then does not re-enforce group sync itself.

Need to change the logic to either sync groups on initial user creation or as part of confirmation flow.

From my testing, the correct groups should still be assigned upon future logins. Alternatively, You may be able to achieve your setup via limiting emails based on domain using the LDAP_USER_FILTER instead of needing to use the BookStack domain restriction option. Something like this:

LDAP_USER_FILTER=(&(sAMAccountName=${user})(mail=*@example.com))

Would need to test that though, My LDAP knowledge is limited.

I'll assign this for the next feature release since it involves authentication therefore needs extra consideration and testing. Might be a small while before a feature release is ready though.

---

For my future reference, It's likely specifically this exception that causes the change in path before group sync:
https://github.com/BookStackApp/BookStack/blob/master/app/Auth/Access/RegistrationService.php#L82

@ssddanbrown commented on GitHub (May 2, 2020): Thanks for reporting @mikeyz24. Can confirm this appears to be a bug in the current logic. The requirement for email confirmation kicks-in and redirects the user just before groups are synced. Applies to both LDAP and SAML2 authentication & group sync. The email confirmation flow then does not re-enforce group sync itself. Need to change the logic to either sync groups on initial user creation or as part of confirmation flow. From my testing, the correct groups should still be assigned upon future logins. Alternatively, You may be able to achieve your setup via limiting emails based on domain using the `LDAP_USER_FILTER` instead of needing to use the BookStack domain restriction option. Something like this: ```bash LDAP_USER_FILTER=(&(sAMAccountName=${user})(mail=*@example.com)) ``` Would need to test that though, My LDAP knowledge is limited. I'll assign this for the next feature release since it involves authentication therefore needs extra consideration and testing. Might be a small while before a feature release is ready though. --- For my future reference, It's likely specifically this exception that causes the change in path before group sync: https://github.com/BookStackApp/BookStack/blob/master/app/Auth/Access/RegistrationService.php#L82

OVERLORD commented 2026-02-05 01:39:24 +03:00

Author

Owner

Copy Link

@mikeyz24 commented on GitHub (May 2, 2020):

Thanks for the response. I just have a followup question then. If i turn off Domain restriction, for me the new user gets the default role + their AD group role. Is this by design or can I make it so that the default role is the AD group the user is a member of?

I have LDAP_REMOVE_FROM_GROUPS=true while testing

@mikeyz24 commented on GitHub (May 2, 2020): Thanks for the response. I just have a followup question then. If i turn off Domain restriction, for me the new user gets the default role + their AD group role. Is this by design or can I make it so that the default role is the AD group the user is a member of? I have LDAP_REMOVE_FROM_GROUPS=true while testing

OVERLORD commented 2026-02-05 01:39:29 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (May 2, 2020):

@mikeyz24 By design. Could always set that to a group without any permissions assigned.

@ssddanbrown commented on GitHub (May 2, 2020): @mikeyz24 By design. Could always set that to a group without any permissions assigned.

OVERLORD commented 2026-02-05 01:39:35 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2020):

I have updated the flow so email confirmation does not stop remaining registration actions, including group sync, to take place. Will be part of v0.30.

Thanks again for reporting @mikeyz24.

@ssddanbrown commented on GitHub (Aug 4, 2020): I have updated the flow so email confirmation does not stop remaining registration actions, including group sync, to take place. Will be part of v0.30. Thanks again for reporting @mikeyz24.

OVERLORD referenced this issue 2026-02-05 10:18:59 +03:00

[PR #1698] [MERGED] Fixing composer install inside docker `app` container #5864

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug 🚪 Authentication 🏭 Back-End

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1698