mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-05 00:29:48 +03:00
LDAP Connection - Windows Server 2019 AD #1798
Closed
opened 2026-02-05 01:54:22 +03:00 by OVERLORD
·
14 comments
Reference: starred/BookStack#1798
Originally created by @grootsys24 on GitHub (Jul 24, 2020).
Hello everybody,
I've been trying to connect BookStack to my LDAP for 6 hours. It's a fresh setup with the Ubuntu 20.04 LTSB script from the website. I also installed and activated the php-ldap module.
It is a Windows Server 2019 as AD Base 2016
Here are my LDAP settings from the .env
```
AUTH_METHOD=ldap
LDAP_SERVER=192.168.68.25*:389
LDAP_BASE_DN=DC=*,DC=*,DC=*
LDAP_DN=CN=sysldap,CN=Users,DC=*,DC=*,DC=*
LDAP_PASS=passwordfromuser
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
#LDAP_DUMP_USER_DETAILS=true
```
I always get as feedback when I logon: An unknown error occurred
I can't even get in with the domain admin. Do I somehow need another @ domain when logging in?
Can anyone help me?
@ssddanbrown commented on GitHub (Jul 25, 2020):
Hi @grootsys24,
Details on finding the logs or enabling debug mode can be found here: https://www.bookstackapp.com/docs/admin/debugging/
Might be something in the logs to help you. If not, enabling debug mode will show any errors instead of the `An unknown error occurred` message.
@grootsys24 commented on GitHub (Jul 25, 2020):
Hi @ssddanbrown
I switched on the debug mode yesterday and tried to find something with it. Unfortunately, I don't understand what the problem is.
The error from debug mode is:
Malformed UTF-8 characters, possibly incorrectly encoded
My current DN syntax: OU=AStA-User,DC=,DC=,DC=de
@ssddanbrown commented on GitHub (Jul 25, 2020):
Hi @grootsys24
Can you try with setting the `LDAP_DUMP_USER_DETAILS=false` instead? Think the binary encoding returned from AD causes issues with that option.
Also, if the login in the shared dump is legitimate, you'll need to change that password, ending in the, wherever you use it.
@grootsys24 commented on GitHub (Jul 25, 2020):
Oh, it works, thx.
Now my last question: how do I set admin rights for an LDAP user on BookStack? Or give every user from the LDAP the right to see everything that is public?
@ssddanbrown commented on GitHub (Jul 26, 2020):
In the settings, under registration, is a "Default Role" option. All new users from LDAP will get this role.
You can set up group sync. If you just want to set up your LDAP admin user as admin, you'll probably be best logging in via the LDAP admin account to create the BookStack user, changing `AUTH_METHOD` back to `standard` temporarily, using the original admin account to make that LDAP user an admin, then switching back the `AUTH_METHOD`.
@grootsys24 commented on GitHub (Jul 26, 2020):
Thx, I have done that, and admin works :)
I have activated group sync, but I think I must change the Base DN? My current DN is OU=AStA-User and in this OU there are no groups; the groups are in another OU. So I assume that for the groups I would have to set the DN further up in the LDAP structure?
@ssddanbrown commented on GitHub (Jul 26, 2020):
@grootsys24 I can't remember for sure, but I think groups will be read directly off the "memberOf" attribute of the user. The base DN is used to search for parent groups though, so if you'll only map the direct member groups then there's no need to move the base DN up. If you'll be mapping based on parent groups of the user's groups, you'll need to move the base DN to a common parent node.
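A small model of the lookup described in the comment above, showing why a base DN of `OU=AStA-User` still yields a user's direct groups but not their parent groups when the groups live in another OU. This is an added example, not BookStack's code or part of the original comment; the directory contents, the function names and the rule that a group entry must lie under the base DN for its own `memberOf` to be read are assumptions constructed for illustration.

```python
import re

# Constructed directory: group DN -> memberOf values of that group entry.
DIRECTORY = {
    "CN=Wiki Editors,OU=Groups,DC=corp,DC=example":
        ["CN=Staff,OU=Groups,DC=corp,DC=example"],
    "CN=Staff,OU=Groups,DC=corp,DC=example":
        ["CN=Everyone,OU=Groups,DC=corp,DC=example"],
    "CN=Everyone,OU=Groups,DC=corp,DC=example": [],
}

def rdns(dn):
    # Split on unescaped commas and compare case-insensitively.
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def is_under(dn, base_dn):
    base = rdns(base_dn)
    return rdns(dn)[-len(base):] == base

def search_group(dn, base_dn):
    """Stand-in for an LDAP search rooted at base_dn: entries outside it are never returned."""
    return DIRECTORY.get(dn) if is_under(dn, base_dn) else None

def group_name(dn):
    return re.split(r"(?<!\\),", dn)[0].split("=", 1)[1]

def resolve_groups(member_of, base_dn):
    """Direct groups come from the user's memberOf; parents need a search under base_dn."""
    seen = set(member_of)
    queue = list(member_of)
    while queue:
        parents = search_group(queue.pop(), base_dn) or []
        for parent in parents:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(group_name(dn) for dn in seen)

# Constructed inputs for the two base DN choices discussed in the thread.
USER_MEMBER_OF = ["CN=Wiki Editors,OU=Groups,DC=corp,DC=example"]
NARROW = "OU=AStA-User,DC=corp,DC=example"   # users only; groups live elsewhere
WIDE = "DC=corp,DC=example"                  # common parent of users and groups
```

Since the resolved group names decide which roles a user receives, it is worth checking the result for a test account after changing the base DN.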
@grootsys24 commented on GitHub (Jul 26, 2020):
Okay, but shouldn't that be when the users log in the groups that you have or that exist under the roles? This is currently not happening for me, so I am undecided whether it works properly.
Or do I have to create roles for the LDAP groups and link them to the "Member of" in the External Authentication IDs.
What I miss as a function would be if LDAP is activated that the roles can be read from the groups from the LDAP.
@fofwisdom commented on GitHub (Aug 8, 2020):
I'm using Windows Server 2019 AD and I don't have a problem.
If you have a space character in the DN, use quotes.
@grootsys24 commented on GitHub (Aug 9, 2020):
Hi, thanks for your info. I don't have any spaces in the LDAP groups. Only the groups are in a new organization folder.
I have activated the function in the config file, but until now it does not list any groups in the wiki.
@grootsys24 commented on GitHub (Sep 5, 2020):
I hope someone can help me here. I have a Windows Server 2019 with AD. I have successfully connected BookStack to the AD as LDAP. The login also works.
The only thing that doesn't work is with the LDAP groups. Will the groups from the LDAP be adopted by the bookstack or do I have to create the groups that the bookstack provides in the LDAP?
Can someone explain this to me or help me? My groups are in their own organizational unit in the AD if that is important.
@tiredofit commented on GitHub (Sep 13, 2020):
LDAP groups are based on an attribute in a user's ID from LDAP. When you look at raw data you will see an attribute that is titled `memberOf` or similar. Member is also used quite extensively with AD so perhaps that is the attribute you need to see.
Regardless, sanitize an LDAP dump of a user for me and I'll try to help.
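One way to prepare the sanitized dump requested above, which also renders the binary `objectGUID` as text; its raw bytes are not valid UTF-8, the kind of value suspected earlier in the thread of breaking the user-details dump. This is an added example, not part of the original comments or of BookStack's code; the attribute lists, the `DC=example` placeholder and the sample entry are assumptions constructed for illustration.

```python
import json
import re
import uuid

# Assumed lists for this example; extend them for your own schema.
REDACT = {"cn", "displayname", "mail", "samaccountname", "userprincipalname"}
DN_ATTRS = {"dn", "distinguishedname", "memberof"}

def render_value(key, value):
    if not isinstance(value, bytes):
        return value
    if key == "objectguid" and len(value) == 16:
        # AD returns 16 raw bytes with the first three fields little-endian.
        return str(uuid.UUID(bytes_le=value))
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return "hex:" + value.hex()

def mask_dn(dn, keep_leaf):
    """Hide the domain components; optionally hide the leaf RDN too."""
    dn = re.sub(r"(?i)(^|,)\s*DC=[^,]+", r"\1DC=example", dn)
    if not keep_leaf:
        dn = re.sub(r"^[^=,]+=(?:\\.|[^,\\])*", "CN=<redacted>", dn)
    return dn

def sanitize_entry(entry):
    """Return a copy of one LDAP entry that is safe to serialise and post."""
    clean = {}
    for name, values in entry.items():
        key = name.lower()
        if key in REDACT:
            clean[name] = ["<redacted>"] * len(values)
        elif key in DN_ATTRS:
            # Group CNs stay readable so a helper can see the memberOf values.
            clean[name] = [mask_dn(v, key == "memberof") for v in values]
        else:
            clean[name] = [render_value(key, v) for v in values]
    return clean

def dump_for_posting(entry):
    return json.dumps(sanitize_entry(entry), indent=2)

# Constructed sample entry, not taken from the thread.
SAMPLE = {
    "dn": ["CN=Jane Doe,OU=AStA-User,DC=corp,DC=example-uni,DC=de"],
    "cn": ["Jane Doe"],
    "mail": ["jane.doe@example-uni.de"],
    "objectGUID": [bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")],
    "memberOf": ["CN=Wiki Editors,OU=Groups,DC=corp,DC=example-uni,DC=de"],
}
```

Read the output of `dump_for_posting(SAMPLE)` before posting it; attributes outside the assumed lists pass through unchanged.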
@grootsys24 commented on GitHub (Sep 22, 2020):
@tiredofit: Thank you for your explanation. I thought the roles would be created automatically at login if the LDAP group does not yet exist. After I understood it, I got it to work.
@ssddanbrown commented on GitHub (Jan 26, 2021):
Thanks @fofwisdom and @tiredofit for your help here!