Get LDAP group syncing to work #2714

Closed
opened 2026-02-05 04:53:46 +03:00 by OVERLORD · 6 comments

Originally created by @33masterman33 on GitHub (Mar 21, 2022).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Logging in through ldap users works just fine and it even creates new users automatically. However, none of the groups I have set on my LDAP server sync over. I know for a fact that my memberOf is working properly. I even tried setting the role name to the same thing as the external auth and the group name inside ldap. I don't know what else to do. Any help would be appreciated.

My ldap structure is ou=groups for the groups. Groups are like cn=admin. Users are in ou=people. Users are stored as uid=username.

Here's my environmental values.

AUTH_METHOD=ldap
LDAP_SERVER=192.168.0.21
LDAP_BASE_DN="ou=members,dc=redacted,dc=com"
LDAP_DN="cn=ro,dc=redacted,dc=com"
LDAP_PASS="ro"
LDAP_DISPLAY_NAME_ATTRIBUTE=displayName
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=false
LDAP_USER_FILTER=(|(mail=${user})(uid=${user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=uid
LDAP_START_TLS=true
LDAP_TLS_INSECURE=true
LDAP_AUTO_CONFIRM_EMAIL=true

Exact BookStack Version

v22.02.3-ls7

Log Content

No response

PHP Version

No response

Hosting Environment

Docker through portainer.

OVERLORD added the 🐕 Support label 2026-02-05 04:53:46 +03:00

@ssddanbrown commented on GitHub (Mar 21, 2022):

Hi @33masterman33,

Are your groups located within the DN ou=members,dc=redacted,dc=com on your LDAP system or are they located outside of this? Just wondering if the configured base DN is limiting visibility of the LDAP tree where groups are located.

@33masterman33 commented on GitHub (Mar 21, 2022):

> Hi @33masterman33,
>
> Are your groups located within the DN ou=members,dc=redacted,dc=com on your LDAP system or are they located outside of this? Just wondering if the configured base DN is limiting visibility of the LDAP tree where groups are located.

Hi @ssddanbrown, thanks for responding. My groups are located outside of members under the root of the ldap tree. The group applying is working because I was able to allow users of one group to log in to my server's management page but not other users. Is bookstack only compatible with nested groups or is my configuration wrong?

@ssddanbrown commented on GitHub (Mar 21, 2022):

> Is bookstack only compatible with nested groups or is my configuration wrong?

I'm not really sure what's meant by this. BookStack will look up the user and nested groups (not direct memberOf groups) using the given base DN. My concern was maybe this was causing some details to be missing from the response due to being outside the base DN. I'm not 100% sure how LDAP systems manage that scenario though; maybe they all just return the memberOf groups anyway. I was thinking that maybe changing the base DN to just dc=redacted,dc=com could provide different results.

> The group applying is working because I was able to allow users of one group login to my servers management page but not other users.

I'm not sure what's working here. Is this just stating you're able to manually apply roles, or are you saying BookStack has managed to assign a role based upon group at login?

The main step of debugging is often to use the ldapsearch command to emulate the BookStack lookup as much as possible, matching the filter, hostname, bind dn/password and base dn, to see exactly what is in the result.
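The ldapsearch emulation suggested above, as an added example that is not part of the thread and not BookStack code: it reads the .env values posted in the issue, builds the matching ldapsearch invocation (username substituted into LDAP_USER_FILTER with RFC 4515 escaping, -ZZ when LDAP_START_TLS is set, the group attribute requested explicitly), then parses a constructed LDIF response for the memberOf values and flags which group DNs lie outside the configured base DN, which is the concern raised in the reply. The sample LDIF and the user jdoe are constructed; the statement that BookStack compares the group's leading CN, lower-cased, against a role's External Authentication ID is my reading of the BookStack docs, not something the thread states, so verify it against your version.

```python
"""Emulate BookStack's LDAP user lookup with ldapsearch and inspect the result.

Added example, not BookStack code or part of the issue thread.
"""
import re
import shlex

# Environment values posted in the issue (copied here so the script runs offline).
ENV_TEXT = """
LDAP_SERVER=192.168.0.21
LDAP_BASE_DN="ou=members,dc=redacted,dc=com"
LDAP_DN="cn=ro,dc=redacted,dc=com"
LDAP_PASS="ro"
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_USER_FILTER=(|(mail=${user})(uid=${user}))
LDAP_ID_ATTRIBUTE=uid
LDAP_START_TLS=true
LDAP_TLS_INSECURE=true
"""

# Constructed LDIF shaped like ldapsearch output for the user entry (not real server output).
# The second memberOf value is folded over two lines to exercise LDIF unfolding.
SAMPLE_LDIF = """\
# jdoe, people, members, redacted.com
dn: uid=jdoe,ou=people,ou=members,dc=redacted,dc=com
uid: jdoe
memberOf: cn=admin,ou=groups,dc=redacted,dc=com
memberOf: cn=Wiki Editors,ou=groups,
 dc=redacted,dc=com

# search result
search: 2
result: 0 Success
"""


def parse_env(text):
    """Parse KEY=VALUE lines, dropping surrounding quotes as Laravel's .env loader does."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def ldap_filter_escape(value):
    """RFC 4515 escaping so the substituted username cannot change the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_ldapsearch(env, username):
    """Return the ldapsearch argv mirroring BookStack's user lookup.

    -H server URI, -x simple bind, -D/-w bind DN and password, -b base DN,
    -ZZ enforces StartTLS when LDAP_START_TLS=true. LDAP_TLS_INSECURE has no
    flag equivalent; OpenLDAP reads LDAPTLS_REQCERT=never from the environment.
    """
    host = env["LDAP_SERVER"]
    uri = host if "://" in host else f"ldap://{host}"
    user_filter = env["LDAP_USER_FILTER"].replace("${user}", ldap_filter_escape(username))
    argv = ["ldapsearch", "-H", uri, "-x", "-D", env["LDAP_DN"], "-w", env["LDAP_PASS"],
            "-b", env["LDAP_BASE_DN"]]
    if env.get("LDAP_START_TLS", "false").lower() == "true":
        argv.append("-ZZ")
    argv += [user_filter, env.get("LDAP_ID_ATTRIBUTE", "uid"),
             env.get("LDAP_GROUP_ATTRIBUTE", "memberOf")]
    return argv


def parse_ldif_attribute(ldif, attribute):
    """Collect every value of one attribute from an LDIF dump (case-insensitive name,
    continuation lines unfolded; base64 '::' values are not decoded here)."""
    unfolded = re.sub(r"\n ", "", ldif)
    values = []
    for line in unfolded.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == attribute.lower():
            values.append(value.strip())
    return values


def dn_to_parts(dn):
    """Split a DN into (attr, value) pairs; adequate for DNs without escaped commas."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]


def group_name(dn):
    """Leading RDN value, lower-cased: the string compared against a role's External
    Authentication ID (my reading of the BookStack docs, stated as an assumption)."""
    return dn_to_parts(dn)[0][1].lower()


def dn_within_base(dn, base_dn):
    """True when the entry sits under base_dn (case-insensitive suffix match on RDNs)."""
    dn_parts = [(a.lower(), v.lower()) for a, v in dn_to_parts(dn)]
    base_parts = [(a.lower(), v.lower()) for a, v in dn_to_parts(base_dn)]
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def analyse(env, ldif):
    """For each group DN on the user entry: its match name and whether a follow-up
    search scoped to LDAP_BASE_DN could even reach that group's entry."""
    attr = env.get("LDAP_GROUP_ATTRIBUTE", "memberOf")
    return [{"dn": g, "name": group_name(g),
             "under_base_dn": dn_within_base(g, env["LDAP_BASE_DN"])}
            for g in parse_ldif_attribute(ldif, attr)]


if __name__ == "__main__":
    env = parse_env(ENV_TEXT)
    print("Run:", shlex.join(build_ldapsearch(env, "jdoe")))
    if env.get("LDAP_TLS_INSECURE", "false").lower() == "true":
        print("  with LDAPTLS_REQCERT=never in the environment (mirrors LDAP_TLS_INSECURE)")
    for row in analyse(env, SAMPLE_LDIF):
        print(f"group {row['name']!r:16} from {row['dn']}  under base DN: {row['under_base_dn']}")
```

With the issue's values, both groups come back on the user entry yet neither is under ou=members,dc=redacted,dc=com, so any lookup scoped to that base DN cannot see the group entries themselves; widening LDAP_BASE_DN to dc=redacted,dc=com, as the reply suggests, is the first thing to try once the real ldapsearch output confirms the same shape.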

@33masterman33 commented on GitHub (Mar 21, 2022):

I also don't know a ton about ldap. I have tried setting the base dn to not have the user group and it still doesn't work. Yes, I was also trying to say that if I log in with ldap I can apply the groups from bookstack; it's just not automatic.

@ssddanbrown commented on GitHub (Mar 30, 2022):

@33masterman33 Today I published BookStack v22.03. Within this is a new debugging option:

LDAP_DUMP_USER_GROUPS=true

This new option is designed specifically to help debug these kinds of scenarios.
The "LDAP Group Debugging" section of the post shows what the output of this looks like:
https://www.bookstackapp.com/blog/bookstack-release-v22-03/#ldap-group-debugging

@ssddanbrown commented on GitHub (Apr 8, 2022):

Since there's been no follow-up I'm going to close this. If the issue remains and is something you still require to be fixed respond to my previous comment and this can then be re-opened.

Reference: starred/BookStack#2714