LDAPS User Group #3292

Closed
opened 2026-02-05 06:16:27 +03:00 by OVERLORD · 7 comments
Originally created by @mschoon85 on GitHub (Oct 20, 2022).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hello,

I'm trying to make sure a certain group has access to bookstack. For some reason it will only work when the user is directly in the OU and not in a group within the OU.

This works:
LDAP_BASE_DN="OU=Admins,OU=Users,DC=companyname,DC=com"

This does not work:
LDAP_BASE_DN="cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com"

CN is the name of the group I'm trying to give access.

I'm also using the following other settings in the .env file:
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=sAMAccountName
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=false

We need this to work before we can start using Bookstack company wide.

Kind regards and thank you in advance,

Michel

Exact BookStack Version

22.09.01

Log Content

No response

PHP Version

8.1.9

Hosting Environment

Windows Server 2022 using instructions on https://www.bookstackapp.com/docs/admin/installation/ ( Manual installation via GIT)

OVERLORD added the 🐕 Support label 2026-02-05 06:16:27 +03:00

@ssddanbrown commented on GitHub (Oct 20, 2022):

Hi @mschoon85,

> For some reason it will only work when the user is directly in the OU and not in a group within the OU

What exactly is meant by "it will only work" in this context? Is there an error? Does it just not validate login credentials? Does it just not sync groups?

The LDAP_BASE_DN should be a parent of any groups and users you want to match with, since this is the base of any searches across the LDAP system.
To specifically filter/narrow user searches you could instead update the LDAP_USER_FILTER value so it only returns the users you want to allow access.


@mschoon85 commented on GitHub (Oct 20, 2022):

Hi Dan,

Thanks for your fast reply. With "it will only work" I mean that it will not validate the login credentials. The only error I see is that the credentials are not valid.

So what you say is that the LDAP_BASE_DN should be: "OU=Admins,OU=Users,DC=companyname,DC=com" and I should use the LDAP_USER_FILTER to search in G_Admin_Group. Do you have an example for me? I already tried many different ways I could think of. For example:

LDAP_USER_FILTER=(&(objectClass=groupOfNames)(cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))

LDAP_USER_FILTER=(&(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))

LDAP_USER_FILTER="(&(sAMAccountName=${user})(memberOf=\"cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com\"))"

LDAP_USER_FILTER="(&(sAMAccountname=${user})(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))"

LDAP_USER_FILTER=(&(sAMAccountName=${user})(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))

LDAP_USER_FILTER=(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))

LDAP_USER_FILTER=((&(objectClass=Person)(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))

@ssddanbrown commented on GitHub (Oct 20, 2022):

These things really depend on the structure and linking of items within your LDAP group, in addition to your intended result, so it's hard for me to say for sure.

Out of what's listed, this looked most reasonable:

LDAP_USER_FILTER=(&(sAMAccountName=${user})(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com))
LDAP_BASE_DN="OU=Admins,OU=Users,DC=companyname,DC=com"

Double check that on the login form you are entering a value that would match the sAMAccountName attribute, not any other.

Have you got a way of running an ldap search against your directory via other means? May be useful to test via that method if possible. You should be able to run the LDAP_USER_FILTER value as a search, replacing ${user} with your user's sAMAccountName value.


@mschoon85 commented on GitHub (Oct 20, 2022):

Hi Dan,

Thank you so much! This works perfectly. One last question which you most likely will be able to answer and will not result in me using google for a long time. How can I use the LDAP_USER_FILTER to search users in multiple groups?


@ssddanbrown commented on GitHub (Oct 20, 2022):

> How can I use the LDAP_USER_FILTER to search users in multiple groups?

@mschoon85 You could update the boolean logic of the filter to match against multiple groups:

(&(sAMAccountName=${user})(|(memberOf=cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com)(memberOf=cn=Group_Two,OU=Admins,OU=Users,DC=companyname,DC=com)))

The & will combine conditions via AND. The | combines via OR. So stating:

user must match username
AND
(Member of G_Admin_Group OR Member of Group_Two)

Be aware I'm not an expert in LDAP, so test invalid/valid conditions yourself. Also there could be a limit on filter length, but I'm not totally aware of it.
You could always create an additional group in the LDAP system to match against.

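The two replies above suggest running the LDAP_USER_FILTER as a search with ${user} filled in, and then widening it with an OR to cover several groups. Both can be checked without a live directory. The following is an added example, not code from the thread or from BookStack: a small evaluator for RFC 4515 search filters run over constructed entries, using the group DNs and base DN from the thread. The entries, the function names and the escaping helper are assumptions made for illustration.

```python
"""Offline check of a BookStack-style LDAP_USER_FILTER: fill in ${user}, parse the
RFC 4515 filter and evaluate it against constructed entries under a base DN.
Added example; entries and helper names are assumptions, not BookStack code."""
import re

# Constructed sample entries (not from a real directory). Values are lists, as an
# LDAP client returns them; memberOf holds the DNs of the groups the account is a
# direct member of, in the form Active Directory returns them.
ENTRIES = [
    {"dn": "CN=Michel,OU=Admins,OU=Users,DC=companyname,DC=com",
     "sAMAccountName": ["michel"],
     "memberOf": ["CN=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com"]},
    {"dn": "CN=Alice,OU=Admins,OU=Users,DC=companyname,DC=com",
     "sAMAccountName": ["alice"],
     "memberOf": ["CN=Group_Two,OU=Admins,OU=Users,DC=companyname,DC=com"]},
    {"dn": "CN=Bob,OU=Staff,OU=Users,DC=companyname,DC=com",
     "sAMAccountName": ["bob"],
     "memberOf": ["CN=Everyone,OU=Staff,OU=Users,DC=companyname,DC=com"]},
]
BASE_DN = "OU=Admins,OU=Users,DC=companyname,DC=com"
GROUP_ONE = "cn=G_Admin_Group,OU=Admins,OU=Users,DC=companyname,DC=com"
GROUP_TWO = "cn=Group_Two,OU=Admins,OU=Users,DC=companyname,DC=com"
# The two filters from the thread: one group, and the OR form for two groups.
ONE_GROUP = "(&(sAMAccountName=${user})(memberOf=%s))" % GROUP_ONE
TWO_GROUPS = "(&(sAMAccountName=${user})(|(memberOf=%s)(memberOf=%s)))" % (GROUP_ONE, GROUP_TWO)

def escape_filter_value(value):
    """RFC 4515 escaping so a substituted value is matched literally:
    * ( ) \\ and NUL become \\2a \\28 \\29 \\5c \\00."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, user):
    """Fill in ${user} as a login would, with the typed name escaped."""
    return template.replace("${user}", escape_filter_value(user))

def unescape_filter_value(value):
    """Turn \\XX escapes back into characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter into ('&', [...]), ('|', [...]) or ('=', attr, value).
    Raises ValueError on malformed input (e.g. the doubled-paren '((&...' attempt
    in the thread), as a directory server would. Substring wildcards are not modelled."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        end = text.find(")", pos)
        attr, sep, value = text[pos:end if end >= 0 else len(text)].partition("=")
        if end < 0 or not sep or not re.fullmatch(r"[A-Za-z][\w.;-]*", attr):
            raise ValueError("malformed item at offset %d in %r" % (pos, text))
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters at offset %d in %r" % (pos, text))
    return tree

def matches(node, entry):
    """Evaluate a parsed filter against one entry. Names and values compare
    case-insensitively, which is how AD matches sAMAccountName and DN values."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, raw = node
    values = [v for k, vs in entry.items() if k != "dn" and k.lower() == attr.lower() for v in vs]
    if raw == "*":
        return bool(values)  # presence test
    wanted = unescape_filter_value(raw).lower()
    return any(v.lower() == wanted for v in values)

def search(template, user, base_dn, entries=ENTRIES):
    """Run the filled-in filter over the entries under base_dn. This is why the
    base DN matters: a group's DN is not an ancestor of its members' entries,
    so using the group as the base finds nobody. Returns matching DNs."""
    tree = parse_filter(build_filter(template, user))
    base = base_dn.lower()
    return [e["dn"] for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(tree, e)]

def is_valid_filter(text):
    """True if a hand-written LDAP_USER_FILTER parses at all."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(search(ONE_GROUP, "michel", BASE_DN))    # Michel: direct member of G_Admin_Group
    print(search(ONE_GROUP, "alice", BASE_DN))     # []: Alice is only in Group_Two
    print(search(TWO_GROUPS, "alice", BASE_DN))    # Alice: the OR form admits her
    print(search(ONE_GROUP, "michel", GROUP_ONE))  # []: the group DN used as base DN
    print(search(ONE_GROUP, "*", BASE_DN))         # []: a typed '*' is escaped, not a wildcard
    print(is_valid_filter("((&(objectClass=Person)(memberOf=%s))" % GROUP_ONE))  # False
```

Two things the evaluator deliberately does not model: AD's memberOf attribute lists direct memberships only, so a user who is in G_Admin_Group only through a nested group will not match a plain memberOf test (AD's chain-walking matching rule, written as memberOf:1.2.840.113556.1.4.1941:=<group DN>, is the usual answer); and substring wildcards inside values are treated as literals. The escaping helper shows the other check worth making when a filter template takes the typed username: a value containing * ( ) or \ must be matched literally, never interpreted as filter syntax.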

@mschoon85 commented on GitHub (Oct 20, 2022):

Thanks, Dan! Much appreciated, I got it fully working now. You're the best!


@ssddanbrown commented on GitHub (Oct 21, 2022):

Good to hear things are working, will therefore close this off. Hope BookStack works out for your use case!

Reference: starred/BookStack#3292