LDAP group sync fails when member name has special characters #1979

Closed
opened 2026-02-05 02:23:12 +03:00 by OVERLORD · 6 comments

Originally created by @csongs on GitHub (Dec 17, 2020).

Describe the bug

My user's LDAP info looks like this:

memberOf (5): 
CN=\#IT,OU=XXXX Groups,DC=my,DC=company; 
CN=VPN_XXXX_202001,DC=my,DC=company; 
CN=\#Temp_Notice,OU=Never Expired,DC=my,DC=company; 
CN=!50-SW_Dep1(開發一部),OU=Div2-SW AP Dep1,DC=my,DC=company; 
CN=XXXX_MIS,DC=my,DC=company; 

I created these roles in BookStack and logged in again:

| RoleName     | \#IT | #IT | IT | VPN_XXXX_202001 | !50-SW_Dep1(開發一部) | !50-SW_Dep1 | 50-SW_Dep1(開發一部) | XXXX_MIS |
|--------------|------|-----|----|-----------------|-----------------------|-------------|----------------------|----------|
| User In Role |      |     |    | V               |                       |             |                      | V        |

I expect all LDAP groups to sync successfully.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.30.4
  • config (updated 2020/12/18)
# LDAP Settings
LDAP_SERVER=ldaps://ldap.my.company:3269
LDAP_BASE_DN="DC=my,DC=company"
LDAP_DN=XXXXXX
LDAP_PASS=XXXXXX
LDAP_USER_FILTER="(&(objectCategory=Person)(sAMAccountName=${user}))"
LDAP_VERSION=3
LDAP_OPT_REFERRALS=0
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
## If you need to allow untrusted LDAPS certificates, add the below and uncomment (remove the #)
## Only set this option if debugging or you're absolutely sure it's required for your setup.
LDAP_TLS_INSECURE=true
## Enable LDAP group sync, Set to 'true' to enable.
LDAP_USER_TO_GROUPS=true
## LDAP user attribute containing groups, Defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE=memberOf
## Remove users from roles that don't match LDAP groups.
LDAP_REMOVE_FROM_GROUPS=false

@ssddanbrown commented on GitHub (Dec 17, 2020):

Hi @csongs,

Could you confirm what LDAP system is in use? (Active Directory? OpenLDAP?)

Also, I see you have the following in your config:

> LDAP_GROUP_ATTRIBUTE=BIN;memberOf

Are the memberOf details provided by your LDAP system definitely binary encoded? Just curious on that as I don't think I've heard of that before.


@csongs commented on GitHub (Dec 18, 2020):

@ssddanbrown

> Could you confirm what LDAP system is in use? (Active Directory? OpenLDAP?)

Active Directory

> Are the memberOf details provided by your LDAP system definitely binary encoded? Just curious on that as I don't think I've heard of that before.

Sorry, the config is `LDAP_GROUP_ATTRIBUTE=memberOf`.
I was just trying to see if this setting would meet my needs.


@csongs commented on GitHub (Dec 18, 2020):

Hi,
I found that a Role can have `External Authentication IDs` set.
Referencing #1741, in my case setting `\23IT` works.
Looking at ASCII codes, is the exclamation mark (`!`) converted to `\21`? Setting `\2150-SW_Dep1(開發一部)` does not work.

![擷取 (screenshot)](https://user-images.githubusercontent.com/14192944/102587089-3e14d180-4146-11eb-85e4-4ad797a132cb.PNG)


@ssddanbrown commented on GitHub (Dec 18, 2020):

@csongs Ah, Good find, was trying to find that issue yesterday but did not have success.

For !50-SW_Dep1(開發一部) I think you might need to use !50-SW_Dep1(\E9\96\8B\E7\99\BC\E4\B8\80\E9\83\A8)

I think you'd need to encode any non-ascii characters also. I've created a little converter app to help here:
https://jsfiddle.net/ssddanbrown/4nkwuxj8/3/

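The conversion discussed in the two comments above, as an added example that is neither BookStack's own code nor the converter linked from the thread. It takes the `memberOf` DNs exactly as Active Directory returns them (with `\#` style escapes on the wire), decodes the CN, and re-encodes it in the form this thread found the role's External Authentication IDs field to match: a leading `#` becomes `\23`, every non-ASCII character becomes its UTF-8 bytes as `\XX` hex pairs, and other ASCII such as `!` is left alone. The function names (`firstRdnValue`, `toExternalAuthId`, `externalIdsFor`) are mine, the sample input is the group list quoted in the issue, and the escaping rule covers only what the thread reports; DN-special characters such as commas inside a CN do not occur here and are not claimed to be handled.

```javascript
'use strict';

// Added example, not BookStack's code and not the converter from the thread.
// Encodes AD group names the way this thread found BookStack's role
// "External Authentication IDs" field needs them: a leading '#' becomes \23,
// each non-ASCII character becomes its UTF-8 bytes as \XX hex pairs, and
// ordinary ASCII such as '!' stays as-is. Function names are my own.

// Decode the value of the first RDN (the CN) of a DN string as AD returns it
// in memberOf, undoing the RFC 4514 wire escapes: "\#" style backslash-char
// escapes and "\23" style hex pairs. Assumes the first RDN is the group name,
// as in every memberOf value in the thread.
function firstRdnValue(dn) {
  const chars = Array.from(dn);          // iterate by code point, not UTF-16 unit
  const eq = chars.indexOf('=');
  if (eq < 0) throw new Error('not a DN: ' + dn);
  const bytes = [];
  let i = eq + 1;
  while (i < chars.length) {
    const ch = chars[i];
    if (ch === ',') break;               // unescaped comma ends the first RDN
    if (ch === '\\') {
      const pair = chars.slice(i + 1, i + 3).join('');
      if (/^[0-9A-Fa-f]{2}$/.test(pair)) {
        bytes.push(parseInt(pair, 16));  // \XX: one raw byte
        i += 3;
      } else {
        bytes.push(...Buffer.from(chars[i + 1] ?? '', 'utf8')); // \c: the char itself
        i += 2;
      }
      continue;
    }
    bytes.push(...Buffer.from(ch, 'utf8'));
    i += 1;
  }
  return Buffer.from(bytes).toString('utf8');
}

// Encode a decoded group name for the External Authentication IDs field,
// using the rule observed in this thread (leading '#' -> \23, non-ASCII ->
// UTF-8 hex pairs, everything else untouched).
function toExternalAuthId(name) {
  return Array.from(name).map((ch, idx) => {
    if (idx === 0 && ch === '#') return '\\23';
    if (ch.codePointAt(0) < 0x80) return ch;
    return Array.from(Buffer.from(ch, 'utf8'))
      .map((b) => '\\' + b.toString(16).toUpperCase().padStart(2, '0'))
      .join('');
  }).join('');
}

// Map every memberOf DN to the ID to put on the matching BookStack role.
function externalIdsFor(memberOf) {
  return memberOf.map((dn) => {
    const cn = firstRdnValue(dn);
    return { dn, cn, externalAuthId: toExternalAuthId(cn) };
  });
}

// Constructed input: the memberOf values quoted in this issue.
const MEMBER_OF = [
  'CN=\\#IT,OU=XXXX Groups,DC=my,DC=company',
  'CN=VPN_XXXX_202001,DC=my,DC=company',
  'CN=\\#Temp_Notice,OU=Never Expired,DC=my,DC=company',
  'CN=!50-SW_Dep1(開發一部),OU=Div2-SW AP Dep1,DC=my,DC=company',
  'CN=XXXX_MIS,DC=my,DC=company',
];

for (const row of externalIdsFor(MEMBER_OF)) {
  console.log(`${row.cn}  ->  ${row.externalAuthId}`);
}
```

Run it with node; it prints one line per group. The decoding step matters because the DN fragment AD sends (`\#IT`) is not what the role field wants (`\23IT`), which is exactly why the `\#IT` role in the table above never matched.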

@csongs commented on GitHub (Dec 21, 2020):

@ssddanbrown, thanks for your little converter app, you are nice.
It works!


@ssddanbrown commented on GitHub (Dec 21, 2020):

@csongs Awesome, Happy to hear that worked!

Reference: starred/BookStack#1979