AD LDAP: Account not found #3486

Closed
opened 2026-02-05 06:51:57 +03:00 by OVERLORD · 4 comments

Originally created by @Iceholniy on GitHub (Feb 1, 2023).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I have set up LDAP Active Directory authentication and all went well until one ordinary user could not log in to BookStack with his log/pass. There weren't any mistakes in symbols, because there were other services where we can log in with your AD log/pass and all were good.

This scenario was going with LDAP_USER_FILTER=(&(sAMAccountName=${user})) in .env

But when we changed this to LDAP_USER_FILTER=(&(mail=${user})), my ordinary user logged in with no problems.

I made this change accidentally but still want to know what could cause such a problem?

Exact BookStack Version

22.11.1

Log Content

No response

PHP Version

7.4

Hosting Environment

Debian 8.3.0-6

OVERLORD added the 🐕 Support label 2026-02-05 06:51:57 +03:00

@ssddanbrown commented on GitHub (Feb 1, 2023):

  • Does that user's sAMAccountName exactly match their mail in AD?
  • Are you sure the user wasn't using their email when they should have been using a username?
  • Does running the (&(sAMAccountName=${user})) query on AD, replacing ${user} with the exact value the user used for the username field, provide you a result of the user in question?
@Iceholniy commented on GitHub (Feb 1, 2023):

  • Yes, they are the same
  • I'm sure, I used my username and others with no problem, but this special username was problematic
  • But a search for the exact user doesn't find anything. I also remember now that this user was renamed in AD long ago, and I don't know his old login. Can this be a problem?
@ssddanbrown commented on GitHub (Feb 1, 2023):

> Can this be a problem?

Maybe. BookStack isn't doing anything fancy at all, it's really just doing what I had in my third bullet point above, running the set user filter, substituting the ${user} param with the given username at login.
Are you potentially seeing another attribute in AD that doesn't fully align with the actual sAMAccountName behind the scenes? Otherwise I'd have expected you to at least match this in your own environment, when bookstack is not involved at all.
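
The check suggested in the comment above (run the configured filter with the exact value typed at login, with BookStack not involved), as an added example that is not part of the original thread and not BookStack's own code. The directory entries are constructed, the RFC 4515 escaping and case-insensitive matching are assumptions of this example, and only AND-of-equality filters are evaluated.

```python
import re

# Constructed sample entries (not from the issue): one ordinary account and one
# renamed account whose sAMAccountName still carries the old login.
ENTRIES = [
    {"dn": "CN=Ann Lee,OU=Staff,DC=example,DC=test", "sAMAccountName": "a.lee",
     "mail": "a.lee@example.test", "userPrincipalName": "a.lee@example.test"},
    {"dn": "CN=Pat New,OU=Staff,DC=example,DC=test", "sAMAccountName": "p.old",
     "mail": "p.new@example.test", "userPrincipalName": "p.new@example.test"},
]

LEAF = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")  # one (attr=value) clause
HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value is compared literally."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def build_filter(template, login):
    """Substitute the typed login for ${user} in an LDAP_USER_FILTER template."""
    return template.replace("${user}", escape_filter_value(login))


def matches(ldap_filter, entry):
    """Evaluate an AND of equality clauses against one entry, ignoring case."""
    leaves = LEAF.findall(ldap_filter)

    def unescape(v):
        return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), v)

    return bool(leaves) and all(
        entry.get(attr, "").lower() == unescape(val).lower() for attr, val in leaves)


def diagnose(login, entries, attrs=("sAMAccountName", "mail", "userPrincipalName")):
    """Map each candidate attribute to the DNs its filter returns for this login."""
    found = {}
    for attr in attrs:
        ldap_filter = build_filter(f"(&({attr}=${{user}}))", login)
        found[attr] = [e["dn"] for e in entries if matches(ldap_filter, e)]
    return found


if __name__ == "__main__":
    for login in ("a.lee", "p.new@example.test", "p.old"):
        print(login, diagnose(login, ENTRIES))
```

An empty list under `sAMAccountName` alongside a hit under another attribute points at the directory data rather than at the application performing the lookup.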

@Iceholniy commented on GitHub (Feb 1, 2023):

Thank you a lot, I will do my searches

Reference: starred/BookStack#3486