LDAP groups: use specific groups DN instead of memberOf attribute #3954

New Issue

Closed

opened 2026-02-05 07:57:13 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 07:57:13 +03:00

Owner

Copy Link

Originally created by @jko-nic on GitHub (Aug 7, 2023).

Describe the feature you'd like

Currently, LDAP group support depends on using LDAP_GROUP_ATTRIBUTE (as written in wiki), which has to be set for every user (and contain groups which is the user member of. Our OpenLDAP installation uses different approach - we have ou=People (with employees) and ou=Group containing groups and their members. For every other (10+) system this is not problematic and we can set that group membership information is located in ou=Group.

I know we can set up memberOf overlay, but doing this change to such critical part of our infrastructure because of wiki software we are currently testing seems, honestly, like a good reason to choose something else. So I would like to know if there is something, such as undocumented settings or planning feature solving this particular problem an the part of BookStack (for example adding something like LDAP_GROUP_DN option to search groups within).

Describe the benefits this would bring to existing BookStack users

Avoid changes in OpenLDAP schema, using dedicated groups DN to maintain clean LDAP schema without "duplicated" group membership information.

Can the goal of this request already be achieved via other means?

Partially yes, but it requires changing LDAP schema, which is really not desired.

Have you searched for an existing open/closed issue?

• I have searched for existing issues and none cover my fundemental request

How long have you been using BookStack?

0 to 6 months

Additional context

We are currently testing Bookstack and installed v23.06.2.

Originally created by @jko-nic on GitHub (Aug 7, 2023). ### Describe the feature you'd like Currently, LDAP group support depends on using `LDAP_GROUP_ATTRIBUTE` (as written in [wiki](https://www.bookstackapp.com/docs/admin/ldap-auth/)), which has to be set for every user (and contain groups which is the user member of. Our OpenLDAP installation uses different approach - we have `ou=People` (with employees) and `ou=Group` containing groups and their members. For every other (10+) system this is not problematic and we can set that group membership information is located in `ou=Group`. I know we can set up `memberOf` overlay, but doing this change to such critical part of our infrastructure because of wiki software we are currently testing seems, honestly, like a good reason to choose something else. So I would like to know if there is something, such as undocumented settings or planning feature solving this particular problem an the part of BookStack (for example adding something like `LDAP_GROUP_DN` option to search groups within). ### Describe the benefits this would bring to existing BookStack users Avoid changes in OpenLDAP schema, using dedicated groups DN to maintain clean LDAP schema without "duplicated" group membership information. ### Can the goal of this request already be achieved via other means? Partially yes, but it requires changing LDAP schema, which is really not desired. ### Have you searched for an existing open/closed issue? - [X] I have searched for existing issues and none cover my fundemental request ### How long have you been using BookStack? 0 to 6 months ### Additional context We are currently testing Bookstack and installed v23.06.2.

OVERLORD added the 🔨 Feature Request🚪 Authentication labels 2026-02-05 07:57:13 +03:00

OVERLORD closed this issue 2026-02-05 07:57:15 +03:00

OVERLORD commented 2026-02-05 07:57:21 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 8, 2023):

Thanks for the request @jko-nic.

To be perfectly honest, I really wouldn't want to add additional options for LDAP group handling.
From requests and experiences, the memberOf style scheme is most commonplace and desired for this kind of use case, and I don't think this specific DN-style of group management has been requested before.
I wouldn't want to increase the scope of what we're supporting with some significant desire/demand, and based on the lack of similar request over the years, I don't think that demand is there.

I would however be open to adding a logical theme system event allowing custom group handling where desired, but use of this would likely require PHP knowledge on your side to implement and maintain going forward.

@ssddanbrown commented on GitHub (Aug 8, 2023): Thanks for the request @jko-nic. To be perfectly honest, I really wouldn't want to add additional options for LDAP group handling. From requests and experiences, the `memberOf` style scheme is most commonplace and desired for this kind of use case, and I don't think this specific DN-style of group management has been requested before. I wouldn't want to increase the scope of what we're supporting with some significant desire/demand, and based on the lack of similar request over the years, I don't think that demand is there. I would however be open to adding a [logical theme system](https://github.com/BookStackApp/BookStack/blob/development/dev/docs/logical-theme-system.md) event allowing custom group handling where desired, but use of this would likely require PHP knowledge on your side to implement and maintain going forward.

OVERLORD commented 2026-02-05 07:57:26 +03:00

Author

Owner

Copy Link

@jko-nic commented on GitHub (Aug 9, 2023):

Thank you @ssddanbrown for your comment,
your reaction was quick and complete, so I am now more able to understand your point of view. Managing internally duplicate structure od LDAP groups handling seems like a big no-go, especially when all use cases seems covered and nobody else had this request before.

Thank you very much for your time and attention, the rest is on our own so I am closing this issue.

@jko-nic commented on GitHub (Aug 9, 2023): Thank you @ssddanbrown for your comment, your reaction was quick and complete, so I am now more able to understand your point of view. Managing internally duplicate structure od LDAP groups handling seems like a big no-go, especially when all use cases seems covered and nobody else had this request before. Thank you very much for your time and attention, the rest is on our own so I am closing this issue.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🚪 Authentication 🔨 Feature Request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#3954