LDAP group sync not working #2249

Closed
opened 2026-02-05 03:27:58 +03:00 by OVERLORD · 5 comments

Originally created by @4o66 on GitHub (May 17, 2021).

Describe the bug
Bookstack on Docker, LDAP auth to FreeIPA.
Login authentication works just fine, but LDAP_REMOVE_FROM_GROUPS=true kills all group memberships on login (as expected?).
External auth IDs are configured. LDAP search logs from FreeIPA server seem to show that Bookstack is searching properly (the logs show the search, not the results. Replicating the search manually shows expected results).

Steps To Reproduce
Steps to reproduce the behavior:
Configure LDAP authentication and verify.
Configure LDAP group synchronization.
(Doesn't work)

Expected behavior
LDAP groups specified in external authentication ID should grant membership in roles.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v21.04.5
  • PHP Version: PHP 7.3.27
  • Hosting Method (Nginx/Apache/Docker): Docker

Additional context
Is it possible for me to see exactly what LDAP responses Bookstack is getting? Next troubleshooting steps?

OVERLORD added the 🐕 Support label 2026-02-05 03:27:58 +03:00

@4o66 commented on GitHub (May 17, 2021):

Made change in LdapService.php to try and capture, but not seeing anything in any logs?

    public function syncGroups(User $user, string $username)
    {
        $userLdapGroups = $this->getUserGroups($username);
        ob_start();
        var_dump( $userLdapGroups );
        $contents = ob_get_contents();
        ob_end_clean();
        error_log( $user );
        error_log( $contents );
        $this->syncWithGroups($user, $userLdapGroups);
    }

@ssddanbrown commented on GitHub (May 17, 2021):

Hi @4o66,
An example of a configured "External Authentication ID" and the expected matching group's DN may help, just to ensure the values are set as expected.

In regards to that function, you could dump contents directly to the screen like so:

    public function syncGroups(User $user, string $username)
    {
        $userLdapGroups = $this->getUserGroups($username);
        dd($user, $username, $userLdapGroups);
        $this->syncWithGroups($user, $userLdapGroups);
    }

Or log to the storage/logs/laravel.log file like so:

    public function syncGroups(User $user, string $username)
    {
        $userLdapGroups = $this->getUserGroups($username);
        \Log::info($user, $username);
        \Log::info($username);
        \Log::info($userLdapGroups);
        $this->syncWithGroups($user, $userLdapGroups);
    }

@4o66 commented on GitHub (May 18, 2021):

Inserting:

    \Log::info($user, $username);

Results in a stack trace:

    [2021-05-17 21:42:07] production.ERROR: Argument 2 passed to Illuminate\Log\LogManager::info() must be of the type array, string given, called in /var/www/html/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php on line 261 {"exception":"[object] (Symfony\\Component\\Debug\\Exception\\FatalThrowableError(code: 0): Argument 2 passed to Illuminate\\Log\\LogManager::info() must be of the type array, string given, called in /var/www/html/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php on line 261 at /var/www/html/vendor/laravel/framework/src/Illuminate/Log/LogManager.php:589)
    [stacktrace]

So I changed it to:

    \Log::info($user);

Logging in generated the following log (user name redacted for privacy, matches expected data):

    root@aba2596561aa:/var/www# cat /config/www/laravel.log
    [2021-05-17 21:46:46] production.INFO: {"id":1,"name":"[REDACTED]","slug":"[REDACTED]"}
    [2021-05-17 21:46:46] production.INFO: [REDACTED]
    [2021-05-17 21:46:46] production.INFO: array (
    )

Empty array means no groups detected.
$username does match the UID of the user in the LDAP server.

I am doing some additional debugging and it looks like this is a FreeIPA compatibility problem. Working on isolating now.


@4o66 commented on GitHub (May 18, 2021):

See above pull request.


@4o66 commented on GitHub (May 19, 2021):

See notes in above pull request. For FreeIPA as LDAP source, set LDAP_BASE_DN to include cn=accounts.
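
How the search base can decide whether a group lookup comes back empty, as an added example that is not part of the original posts or of BookStack's code. It assumes a directory that holds two entries for the same uid, only one of them carrying memberOf, and a client that reads groups from the first match; the thread does not state the cause, and the entries, the `dc=example,dc=test` suffix and all function names are constructed for illustration.

```python
# Constructed directory entries (assumption, not taken from the thread):
# the same uid exists under cn=accounts with memberOf, and under a second
# subtree without it.
ENTRIES = [
    {"dn": "uid=jdoe,cn=users,cn=compat,dc=example,dc=test",
     "uid": "jdoe"},
    {"dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test",
     "uid": "jdoe",
     "memberOf": ["cn=wiki-editors,cn=groups,cn=accounts,dc=example,dc=test"]},
]


def rdns(dn):
    """Split a DN into normalised RDNs (constructed DNs: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or lies below it (subtree scope)."""
    entry, base = rdns(dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def search(base_dn, uid):
    """Subtree search for uid=<uid>, returned in directory order."""
    return [e for e in ENTRIES
            if in_subtree(e["dn"], base_dn) and e["uid"] == uid]


def groups_for(base_dn, uid):
    """Group DNs read from the first match, as a memberOf-based client sees them."""
    matches = search(base_dn, uid)
    if not matches:
        return []
    return matches[0].get("memberOf", [])


if __name__ == "__main__":
    for base in ("dc=example,dc=test", "cn=accounts,dc=example,dc=test"):
        print(base, "->", len(search(base, "jdoe")), "match(es), groups:",
              groups_for(base, "jdoe"))
```

When a manual search and the application disagree, compare the base DN and the number of entries each one matches before looking at the group mapping itself.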


Reference: starred/BookStack#2249