Mirror of https://github.com/BookStackApp/BookStack.git, synced 2026-02-08 19:06:06 +03:00
LDAP Group Sync using recursive Groups #4900
Closed · opened 2026-02-05 09:24:47 +03:00 by OVERLORD · 5 comments
Originally created by @Golden-Chicken97 on GitHub (Aug 2, 2024).
Attempted Debugging
Searched GitHub Issues
Describe the Scenario
Hello, our team is having issues getting recursive Group syncing to work with LDAP.
Our company uses LDAP resources, which are part of roles, to manage user permissions without having users tied to the resources directly. This is important to us as you can assign a user to multiple resources at once with just one click.

The concept can be seen here:
This requires a recursive LDAP query like this, so the LDAP server will search recursively:

(&(sAMAccountName=${user})(memberOf:1.2.840.113556.1.4.1941:=cn=BookStack Users,cn=Users,dc=example,dc=com))

However, we are not able to make a query which works in an LDAP browser usable in BookStack.
When dumping User details at login, the sections "parsed_direct_user_groups" and "parsed_recursive_user_groups" are identical.
Syncing Bookstack-roles with direct user groups does work and we have been syncing our groups by assigning users to LDAP-roles for testing purposes until now. However this defeats the purpose of using roles completely.
We have tried adjusting the "LDAP_USER_FILTER" like the example below, but the result is still the same.

(&(sAMAccountName=${user})(memberOf:1.2.840.113556.1.4.1941:=cn=BookStack Users,cn=Users,dc=example,dc=com))

Setting the LDAP_GROUP_ATTRIBUTE to the following did not work, and BookStack was dumping no groups at all.

LDAP_GROUP_ATTRIBUTE="memberOf:1.2.840.113556.1.4.1941:"

Am I misunderstanding the purpose of "parsed_recursive_user_groups", meaning that BookStack has no way to search recursively, or is there something we have overlooked?
Exact BookStack Version
v24.02.3
Log Content
No Error in the logs
Hosting Environment
PHP 8.2.20, Apache/2.4.61 (Debian), Debian 12.6
@ssddanbrown commented on GitHub (Aug 2, 2024):
Hi @Golden-Chicken97,
BookStack handles recursive LDAP groups by additional requests, to look up the membership of originally found groups.
The LDAP_USER_FILTER is irrelevant for this.
This isn't a part of the system I often check though, and looking back to confirm the logic I can see some questionable parts in the logic which I don't like and need to double check.
I'll try to dive deeper into this soon, but it may be a little while due to needing to emulate an LDAP environment with multi-group hierarchy.
@Golden-Chicken97 commented on GitHub (Aug 5, 2024):
Thank You in advance for your fast response and for taking on this problem.
We really appreciate it.
@ssddanbrown commented on GitHub (Aug 29, 2024):
Hi again @Golden-Chicken97,
Sorry for the delay. I've just released BookStack v24.05.4, which included changes to the LDAP logic I mentioned needing to double check, so I'd advise updating to that since any explanation from here will be specific to the v24.05.4 and later logic.
When BookStack looks up groups, it will first get the direct groups belonging to the user (commonly the user's memberOf).
For each group found, it will then look up that group's own group memberships via a query using the group DN. The same attribute is considered for groups and users (LDAP_GROUP_ATTRIBUTE, typically memberOf).
This will then recursively continue until all groups have been found.
The first element of the DN (typically CN) for all found groups will then be considered for sync.
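The lookup described above, as an added illustration that is not BookStack's own code: the walk follows the group attribute client-side, one query per group DN, so the LDAP_USER_FILTER (and the AD-only 1.2.840.113556.1.4.1941 matching rule from the original report) plays no part in it. The in-memory directory, the user and group DNs, and the cycle between two groups are all constructed for the example; a visited set is what keeps such a cycle from looping forever.

```python
from collections import deque

# Constructed stand-in for an LDAP directory: DN -> values of the group
# attribute (memberOf). Mirrors the reporter's setup: the user is only in a
# role, and the role is in the resource groups. Not BookStack code.
DIRECTORY = {
    "cn=jdoe,cn=Users,dc=example,dc=com": [
        "cn=Role Engineering,cn=Roles,dc=example,dc=com",
    ],
    "cn=Role Engineering,cn=Roles,dc=example,dc=com": [
        "cn=BookStack Users,cn=Users,dc=example,dc=com",
        "cn=Wiki Editors,cn=Users,dc=example,dc=com",
    ],
    "cn=Wiki Editors,cn=Users,dc=example,dc=com": [
        # Constructed cycle back to the role; the resolver must terminate.
        "cn=Role Engineering,cn=Roles,dc=example,dc=com",
    ],
    "cn=BookStack Users,cn=Users,dc=example,dc=com": [],
}


def lookup_group_attribute(dn: str) -> list[str]:
    """Stand-in for the per-DN LDAP query issued for each user/group."""
    return DIRECTORY.get(dn, [])


def first_rdn_value(dn: str) -> str:
    """Value of the first RDN (typically the CN), honouring backslash-escaped
    commas as RFC 4514 allows, so 'cn=Smith\\, John,...' yields 'Smith, John'."""
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1]); i += 2; continue
        if ch == ",":
            break
        out.append(ch); i += 1
    rdn = "".join(out)
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def resolve_groups(user_dn: str) -> tuple[list[str], list[str]]:
    """Return (direct_groups, recursive_groups) as first-RDN values, in
    discovery order, each group visited at most once."""
    direct = lookup_group_attribute(user_dn)
    seen, queue, recursive = set(), deque(direct), []
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue  # already expanded: breaks cycles and removes duplicates
        seen.add(dn)
        recursive.append(dn)
        queue.extend(lookup_group_attribute(dn))
    return [first_rdn_value(d) for d in direct], [first_rdn_value(d) for d in recursive]
```

In the reporter's scenario the "direct" list holds only the role, while the recursive list also carries the resource groups that a role-based sync needs; if both lists come out identical, the per-group lookups are not being followed.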
@Golden-Chicken97 commented on GitHub (Sep 11, 2024):
Thank you, @ssddanbrown for the professional and quick response.
We updated to the new version v24.05.4. After the update, syncing using recursive groups worked immediately, even though no changes were made to our config!
It really impressed us how fast and professionally issues are handled by you, considering the scope of this project.
@ssddanbrown commented on GitHub (Sep 11, 2024):
@Golden-Chicken97 Thanks for the kind words, and good to hear things are working now!
Now things appear to be working, I'll go ahead and close this off.