LDAP group sync - no query for memberOf #3313

Closed
opened 2026-02-05 06:20:39 +03:00 by OVERLORD · 4 comments

Originally created by @ZAck1387 on GitHub (Oct 27, 2022).

Describe the Bug

Hi there,

I am currently testing BookStack for the first time. Please help me with some guidance here.

LDAP server: my test environment is based on Microsoft AD (2012 R2).

LDAP login works, but it does not try to query the LDAP group attributes of the user who tries to log in and therefore fails any matching.
The debug log looks like this and is completely missing the "memberOf" attribute:

```json
{"details_from_ldap":{"count":0,"dn":"CN=Bookstack Tester,OU=bookstack,DC=test,DC=local"},"parsed_direct_user_groups":[],"parsed_recursive_user_groups":[]}
```

I have also tried other group attributes, user filters, and updating PHP to 8.1.12.

This is my config:

```env
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://test.local:636
LDAP_BASE_DN="OU=bookstack,DC=test,DC=local"
LDAP_DN="CN=Service Bookstack,OU=bookstack,DC=test,DC=local"
LDAP_PASS="password1"
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_USER_FILTER=(&(userPrincipalName=${user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_START_TLS=false
LDAP_THUMBNAIL_ATTRIBUTE=thumbnailPhoto

LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=true

LDAP_DUMP_USER_GROUPS=true
```

Steps to Reproduce

Log in with a user using the above-mentioned config.
The debugger will show no memberOf.

Expected Behaviour

Expected behaviour would be that, even if matching does not work, it at least lists the memberOf groups of the user who tries to log in, as mentioned in the BookStack 22.03 release:

https://www.bookstackapp.com/blog/bookstack-release-v22-03/

For example:

```json
{
  "details_from_ldap": {
    "0": "memberof",
    "memberof": {
      "0": "cn=Editor,ou=Users,o=abc123,dc=jumpcloud,dc=com",
      "1": "cn=Wizards,ou=Users,o=abc123,dc=jumpcloud,dc=com",
      "2": "cn=All Users,ou=Users,o=abc123,dc=jumpcloud,dc=com",
      "count": 3
    },
    "count": 1,
    "dn": "uid=bjacobs,ou=Users,o=abc123,dc=jumpcloud,dc=com"
  },
  "parsed_direct_user_groups": [
    "Editor",
    "Wizards",
    "All Users"
  ],
  "parsed_recursive_user_groups": [
    "Editor",
    "Wizards",
    "All Users"
  ]
}
```

Screenshots or Additional Context

No response

Browser Details

Edge 106 64-bit, Windows 10; Firefox 106.0.2 64-bit, Windows 10

Exact BookStack Version

22.10.1

PHP Version

8.1.11 + 8.1.12

Hosting Environment

Alma Linux 8.6

OVERLORD added the 🐛 Bug label 2026-02-05 06:20:39 +03:00

@ssddanbrown commented on GitHub (Oct 27, 2022):

Hi @ZAck1387,
This generally sounds like an issue of your LDAP system not returning group details.

  • Are you sure this user is a member of groups which would be listed as their "memberOf" attribute?
  • Do you have any way to query your LDAP system externally, outside of BookStack, to ensure querying the same user, requesting the "memberOf" attribute, provides "memberOf" results?

@ZAck1387 commented on GitHub (Oct 27, 2022):

Hi @ssddanbrown,

thank you for your reply.

  • The user is definitely a member of multiple groups. I have checked via the Attribute Editor, confirmed the group attribute and successfully queried it over PowerShell. And it would be very unusual if there were not at least one group, because there should always be one primary group in MS AD.
  • I currently have no tool to test LDAPS queries from Linux systems; do you have any recommendations?

@ssddanbrown commented on GitHub (Oct 27, 2022):

@ZAck1387 ldapsearch is fairly common, commonly part of an ldap-utils package (I have no idea about Alma Linux though).


@ZAck1387 commented on GitHub (Oct 27, 2022):

@ssddanbrown thank you very much, that was the right direction I needed, and I could fix it.

The service user had no permission to read the "memberOf" attribute.

For reference:
I've installed openldap-clients and with the command

```shell
ldapsearch -H ldaps://test.local:636 -b "CN=Bookstack Tester,OU=bookstack,DC=test,DC=local" -D "CN=Service Bookstack,OU=bookstack,DC=test,DC=local" -W
```

I could verify the service user couldn't read the memberOf attribute.

In MS AD, I added under the security permissions for the specific OU an entry for the service user with Type "Allow", Applies to "Descendant User Objects", and the permission "Read memberOf".

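As an added example (my own diagnostic, not BookStack's code or anything posted in this thread): a short Python script that reads the LDAP_DUMP_USER_GROUPS output quoted above and separates the failure seen here (the group attribute absent from the LDAP response, which is what a bind user without "Read memberOf" produces) from the case where groups come back but fail to match a role. It assumes only the ldap_get_entries()-style key layout visible in both dumps.

```python
# Added diagnostic for BookStack's LDAP_DUMP_USER_GROUPS output (not BookStack code).
# "details_from_ldap" has the shape of PHP ldap_get_entries(): a "count" key, numeric
# keys naming each returned attribute, and per-attribute objects with "count" plus
# numeric keys for values; attribute names come back lowercased ("memberof").
import json
from typing import List, Optional, Tuple

# Constructed from the two dumps quoted in this issue (failing AD login, working
# JumpCloud example from the 22.03 release post).
AD_DUMP = ('{"details_from_ldap":{"count":0,"dn":"CN=Bookstack Tester,OU=bookstack,'
           'DC=test,DC=local"},"parsed_direct_user_groups":[],"parsed_recursive_user_groups":[]}')
OK_DUMP = json.dumps({"details_from_ldap": {
    "0": "memberof",
    "memberof": {"0": "cn=Editor,ou=Users,o=abc123,dc=jumpcloud,dc=com",
                 "1": "cn=Wizards,ou=Users,o=abc123,dc=jumpcloud,dc=com", "count": 2},
    "count": 1, "dn": "uid=bjacobs,ou=Users,o=abc123,dc=jumpcloud,dc=com"}})


def attribute_values(details: dict, attribute: str) -> Optional[List[str]]:
    """Values of `attribute`, or None when the server returned no such attribute."""
    entry = details.get(attribute.lower())
    if entry is None:
        return None
    return [entry[str(i)] for i in range(int(entry.get("count", 0)))]


def group_cn(dn: str) -> str:
    """Leading CN of a group DN, which is what BookStack matches role names against."""
    rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
    return rdn_value if rdn_type.strip().lower() == "cn" else dn


def diagnose(dump_json: str, attribute: str = "memberOf") -> Tuple[str, List[str]]:
    """Return (status, group CNs): 'attribute_missing' when LDAP returned no such
    attribute for the user (what an unreadable memberOf looks like, as in this
    issue), 'no_groups' when it is present but empty, 'ok' otherwise."""
    details = json.loads(dump_json)["details_from_ldap"]
    values = attribute_values(details, attribute)
    if values is None:
        return "attribute_missing", []
    if not values:
        return "no_groups", []
    return "ok", [group_cn(v) for v in values]


if __name__ == "__main__":
    for name, dump in (("AD", AD_DUMP), ("JumpCloud", OK_DUMP)):
        print(name, *diagnose(dump))
```

If the status is `attribute_missing` while the user is known to be in groups, check the bind account's read permission on the attribute (or the base DN and filter) before touching LDAP_GROUP_ATTRIBUTE.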

Reference: starred/BookStack#3313