Active Directory logins receiving "another user exists with different credentials" #4831

Closed
opened 2026-02-05 09:19:06 +03:00 by OVERLORD · 4 comments

Originally created by @Coros on GitHub (Jun 20, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I configured LDAP following the setup guide but missed the Active Directory specific directions. Everything has been working for the most part, but a user will occasionally receive an error stating: "A user with email <email> already exists but with different credentials". I've been able to resolve it by changing their external ID to their distinguished name, but that seems to only work for a time until it wants their sAMAccountName again.

I'd like to resolve this problem permanently. I see that changing from standard to OIDC authentication has a similar issue. There's an article on it here: https://www.bookstackapp.com/docs/admin/oidc-auth/#switching-to-oidc-with-existing-users

Is there any documentation on switching from LDAP to Active Directory LDAP? I believe I could populate the external IDs in the database but I'm having trouble getting the appropriate data. The objectGUID binary field is causing me problems.

Exact BookStack Version

24.05.2

Log Content

No response

Hosting Environment

Ubuntu 22.04.4 LTS
Apache 2.4.59
PHP 8.1.2-1ubuntu2.18

OVERLORD added the 🐕 Support label 2026-02-05 09:19:06 +03:00

@ssddanbrown commented on GitHub (Jun 20, 2024):

Hi @Coros,
Sorry, I'm a little confused on the exact scenario here so I have a few extra questions:

  • What is LDAP_ID_ATTRIBUTE currently set to?
  • Was it previously set to something different?
  • What exactly do you mean by "but that seems to only work for a time until it wants their sAMAccountName again."? What part of BookStack is wanting their sAMAccountName? How does that show up?

> The objectGUID binary field is causing me problems.

  • What problems?

> Is there any documentation on switching from LDAP to Active Directory LDAP?

No, I try not to document too deeply for other platforms, and ultimately these are both LDAP scenarios, just might be different id values in use I'd guess?


@Coros commented on GitHub (Jun 20, 2024):

Hi @ssddanbrown.
Sorry... I was rambling a bit there.

Some of our users will receive an error message described in my first post. It seems to be entirely random and I haven't been able to find out why. 90% of our users are able to login without any issues with our current configuration.

I was hoping to correct my LDAP configuration to follow the documented Active Directory settings.

`LDAP_ID_ATTRIBUTE` is currently set to 'uid'.
The user external ID in BookStack is normally their sAMAccountName. When a user reports the login problem, I've been changing the external ID to match their distinguishedName. I'm not sure why this resolves their issue but it does.

After researching the LDAP / Active Directory configuration in BookStack, I realized my initial setup was incorrect. As a result I want to change `LDAP_ID_ATTRIBUTE` to `BIN;objectGUID` but that breaks existing accounts unless I update their external ID.

I've finally figured out how to get objectGUID in the correct format that BookStack expects so I should now be able to export a list of users, get their properly formatted objectGUID from AD and then insert it into the external ID attribute field in the database. Then I can make the LDAP_ID_ATTRIBUTE change and everything should work.
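
The objectGUID conversion and external-ID update described in this comment, as an added example that is not part of the original thread or BookStack's own code. It assumes BookStack stores a `BIN;` attribute as the lowercase hex of its raw bytes and that the external ID lives in `users.external_auth_id`; check both against an account that already logs in correctly before running any update.

```python
import base64
import uuid

# Assumed BookStack table/column names; confirm against your own schema.
UPDATE_SQL = "UPDATE users SET external_auth_id = %s WHERE email = %s"


def guid_to_external_id(value: str) -> str:
    """Return lowercase hex of the raw 16-byte objectGUID.

    Accepts the dashed GUID string that AD tools display, or the base64
    form that LDIF exports use for binary attributes.
    """
    value = value.strip()
    if "-" in value:
        # Displayed GUIDs are mixed-endian: the first three fields are
        # byte-swapped relative to the bytes stored in the directory.
        raw = uuid.UUID(value).bytes_le
    else:
        raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return raw.hex()


def build_updates(rows):
    """Turn (email, objectGUID) rows into parameters for UPDATE_SQL."""
    # Reject a repeated GUID or email so two accounts never share one ID.
    seen, params = set(), []
    for email, guid in rows:
        ext_id, key = guid_to_external_id(guid), email.strip().lower()
        if ext_id in seen or key in seen:
            raise ValueError(f"duplicate entry for {email}")
        seen.update((ext_id, key))
        params.append((ext_id, email.strip()))
    return params


# Constructed sample export: one dashed GUID, one base64 (LDIF) value.
SAMPLE = [
    ("alice@example.com", "01234567-89ab-cdef-0123-456789abcdef"),
    ("bob@example.com", "AAECAwQFBgcICQoLDA0ODw=="),
]

if __name__ == "__main__":
    for p in build_updates(SAMPLE):
        print(UPDATE_SQL, p)
```

Stripping the dashes from the displayed GUID does not give the same value, which is the usual reason a hand-populated external ID fails to match at login.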


@Coros commented on GitHub (Jun 20, 2024):

I was able to get the objectGUID value populated for each of my users and flipped the switch. Everything appears to be working currently.


@WiMaGit commented on GitHub (Sep 13, 2024):

Hello @Coros,

can you please share your settings here? I have been trying a long time to get LDAP with Active Directory Server 2019 working, but without success. I get the error: `'failed' => 'These credentials do not match our records.',`
Below is my setup. The user used to search the server seems to be OK, because if I change something on it, I get another error.

```
AUTH_METHOD=ldap
LDAP_SERVER=xxx.xxx.xxx.xxx:389
LDAP_BASE_DN="OU=xxxxxxxxxxxxxxx,OU=xxxxxxxxxxxxxx,DC=xxxxxxxxxx,DC=local"
LDAP_DN="CN=xxxxxxxxxx,OU=xxxxxxxx,OU=Benutzer,OU=xxxxxxxx,DC=xxxxxxxx,DC=local"
LDAP_PASS="xxxxxxxxxxxxxxxxxxxx"
LDAP_USER_FILTER=(&(sAMAccountName={user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_THUMBNAIL_ATTRIBUTE=null
LDAP_START_TLS=false
LDAP_TLS_INSECURE=true
LDAP_DUMP_USER_DETAILS=true
```
Reference: starred/BookStack#4831