LDAP / local permission ACL on shelves,books,page #2013

Closed
opened 2026-02-05 02:27:33 +03:00 by OVERLORD · 6 comments
Owner

Originally created by @leewx95 on GitHub (Jan 6, 2021).

Hi team,

With LDAP, is there a way to map to an LDAP group and enable permissions and ACLs on shelves, books and pages?
e.g.
User Group A to have read/write access to Shelf
User Group B to have read access to Shelf A
User Group C will not be able to know Shelf A exists
Similar for the sub-levels: books, pages

If not possible, is there a way to do this without LDAP?
Regardless, still hope to have this feature with LDAP 👍


@ssddanbrown commented on GitHub (Jan 7, 2021):

Hi @leewx95,
You should already have a "Permissions" option on shelves, books, chapters and pages. This is all role-based. It's possible to sync roles with LDAP.

Book & chapter permissions will auto-cascade to children unless they themselves have custom permissions set.


@leewx95 commented on GitHub (Jan 7, 2021):

After searching some more, I found that mapping can be done with [these options](https://www.bookstackapp.com/docs/admin/ldap-auth/#ldap-group-sync). I will give it a try.

#AUTH_METHOD=ldap

Meanwhile, I had to turn this off; only then can I see the permission settings on each item. The global setting for roles does not appear either when I am in LDAP auth mode. How can I see the permission settings in LDAP mode?

Considering when we put this into production, to troubleshoot permissions we would need to edit auto_method. That will interrupt users' sessions as it is back to the local user login method.

@leewx95 commented on GitHub (Jan 7, 2021):

OK, I managed to map the Domain Admin LDAP group to have the full rights. Now the admin users are able to view Object and Global Permission settings. I think this should settle what I need.

Thanks for the guidance!


@leewx95 commented on GitHub (Jan 7, 2021):

One last thing, is there any way to import a list of LDAP groups into BookStack? Maybe writing straight into the database?
I have a list of 100+ groups; it will save a lot of work if I can import them in one go.


@ssddanbrown commented on GitHub (Jan 10, 2021):

@leewx95 Not officially. You could go direct via the database, but you'll need to be careful to also build the related tables, which could be tricky.

I'd be tempted to advise against it and just add specific roles when functionally required if possible. 100+ BookStack roles would be quite a lot and the role count is an aspect that can have a performance impact in BookStack (since we keep a generated table of item to role access for permission lookups that would have to be updated on each item create/delete/permission-update/role-change).
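
The cascade rule from the Jan 7 reply and the generated item-to-role table from the Jan 10 reply, as a simplified model added here (not BookStack's code or schema). The class, function, role and action names are all assumptions made for illustration, and global role permissions are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None
    # role -> allowed actions; None means no custom permissions on this item
    custom: Optional[dict] = None

def effective_permissions(item):
    """Use the nearest custom permissions, starting at the item and walking up."""
    node = item
    while node is not None:
        if node.custom is not None:
            return node.custom
        node = node.parent
    return {}  # global role permissions are outside this model

def build_access_table(items, roles):
    """Generated lookup: one row per (item, role) pair."""
    return {(i.name, r): frozenset(effective_permissions(i).get(r, ()))
            for i in items for r in roles}

# Constructed sample: a book, a chapter, an inheriting page, an overriding page.
book = Item("Runbooks", custom={"group-a": {"view", "update"}, "group-b": {"view"}})
chapter = Item("Network", parent=book)
firewall = Item("Firewall", parent=chapter)
secrets = Item("Secrets", parent=chapter, custom={"group-a": {"view"}})
ITEMS = [book, chapter, firewall, secrets]
ROLES = ["group-a", "group-b", "group-c"]
TABLE = build_access_table(ITEMS, ROLES)

def table_size(item_count, role_count):
    """Rows to maintain in the generated table."""
    roles = [f"role-{n}" for n in range(role_count)]
    items = [Item(f"item-{n}") for n in range(item_count)]
    return len(build_access_table(items, roles))

if __name__ == "__main__":
    for key, actions in sorted(TABLE.items()):
        print(key, sorted(actions))
    print("rows with 3 roles:", len(TABLE))
    print("rows with 100 roles, 500 items:", table_size(500, 100))
```

The "Secrets" page overrides the book's permissions, so group-b loses the view access it inherits everywhere else, and the row count grows as items × roles, which is the cost the reply points to for 100+ roles.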


@leewx95 commented on GitHub (Jan 11, 2021):

OK, I'll look for a workaround in terms of designing the LDAP group setup.
Thanks Dan.


Reference: starred/BookStack#2013