[LDAP] Only one account in LDAP group can login #4968

Closed
opened 2026-02-05 09:30:12 +03:00 by OVERLORD · 3 comments

Originally created by @florent4014 on GitHub (Sep 28, 2024).

Describe the Bug

It seems that BookStack only retrieves the first account (in alphabetical order) of an LDAP group, thus only permitting login to this one account. No errors in the logs.

```yaml
- AUTH_METHOD=ldap
# - AUTH_METHOD=standard
- LDAP_SERVER=REDACTED:PORT
- LDAP_BASE_DN="dc=domain,dc=lan"
- LDAP_DN="uid=user-bind,ou=People,dc=domain,dc=lan"
- LDAP_PASS="REDACTED"
- LDAP_USER_FILTER=(&(memberOf=cn=bookstack,ou=groups,dc=domain,dc=lan))
- LDAP_VERSION=3
- LDAP_ID_ATTRIBUTE=uid
- LDAP_EMAIL_ATTRIBUTE=mail
- LDAP_DISPLAY_NAME_ATTRIBUTE=cn
- LDAP_THUMBNAIL_ATTRIBUTE=avatar
- LDAP_START_TLS=false
- LDAP_USER_TO_GROUP=true
- LDAP_GROUP_ATTRIBUTE="memberOf"
- APP_DEBUG=true
```

Steps to Reproduce

  1. Run a dockerized version of BookStack with the LDAP parameters
  2. Create a "bookstack" group in LDAP and put users in it (i.e. Aramis, Athos and Porthos)
  3. Try to connect to BookStack with Aramis: working!
  4. Try to connect with Athos: not working, because second in alphabetical order.
  5. Remove Aramis from the group in LDAP
  6. Retry connecting with Athos: now working! (became first)
  7. Finally try with Porthos: unable to log in
  8. Remove Athos from the LDAP group
  9. Retry connecting with Porthos: working, because he is now the only one in the group and so the first one in alphabetical order.

Expected Behaviour

Being able to connect with all members in group

Screenshots or Additional Context

![image](https://github.com/user-attachments/assets/c3a96a02-05e7-449d-87d3-bb27b8a8bff2)

You can read the error message saying "These informations does not match any existing account"

Browser Details

BRAVE Version 1.70.119 Chromium: 129.0.6668.70 (64 bits)

Exact BookStack Version

BookStack v24.05.4

OVERLORD added the 🐛 Bug label 2026-02-05 09:30:12 +03:00

@ssddanbrown commented on GitHub (Sep 28, 2024):

Hi @florent4014,
This is because you're not using the provided username in the user filter at all, so it will just find all users that match the filter and use the first result.

You need to use the `{user}` placeholder as part of the filter. For example:

```bash
LDAP_USER_FILTER=(&(memberOf=cn=bookstack,ou=groups,dc=domain,dc=lan)(uid={user}))
```
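The mechanism described in the reply, modelled as an added Python example (not BookStack's code): a constructed in-memory directory and a minimal AND-filter matcher show that a user filter without `{user}` matches every group member, so "take the first result" logs in the same account whoever is authenticating, while the `{user}` version narrows the search to one entry. The RFC 4515 escaping of the substituted login name is an assumption about good practice, not something the thread states.

```python
import re

GROUP_DN = "cn=bookstack,ou=groups,dc=domain,dc=lan"

# Constructed stand-in for the LDAP directory in the report (not a real server).
DIRECTORY = [
    {"uid": "athos", "memberOf": [GROUP_DN]},
    {"uid": "porthos", "memberOf": [GROUP_DN]},
    {"uid": "aramis", "memberOf": [GROUP_DN]},
    {"uid": "richelieu", "memberOf": ["cn=staff,ou=groups,dc=domain,dc=lan"]},
]

# The filter from the report (no {user}) and the corrected one from the reply.
BROKEN_FILTER = "(&(memberOf=%s))" % GROUP_DN
FIXED_FILTER = "(&(memberOf=%s)(uid={user}))" % GROUP_DN

# Only (attr=value) equality terms are understood; enough for both filters above.
ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (assumed practice)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(template, username):
    """Substitute the escaped login name for the {user} placeholder, if present."""
    return template.replace("{user}", escape_filter_value(username))


def matches(entry, ldap_filter):
    """True when every (attr=value) term of the AND filter holds for the entry."""
    for attr, value in ASSERTION.findall(ldap_filter):
        present = entry.get(attr, [])
        if isinstance(present, str):
            present = [present]
        if value.lower() not in (v.lower() for v in present):
            return False
    return True


def search(template, username):
    """uids matching the built filter, in the order the server would hand them back."""
    ldap_filter = build_filter(template, username)
    return sorted(e["uid"] for e in DIRECTORY if matches(e, ldap_filter))


def login_uid(template, username):
    """Mimic 'use the first result': the account that actually gets logged in."""
    hits = search(template, username)
    return hits[0] if hits else None
```

With the broken filter every member is returned and Aramis is always chosen; with the fixed filter only the named member is, and names outside the group (or containing filter metacharacters) match nothing.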

@florent4014 commented on GitHub (Sep 28, 2024):

Yup, that's on me, sorry for taking your time! The fault was between the chair and the keyboard apparently :)

It's working now, thank you!


@ssddanbrown commented on GitHub (Sep 28, 2024):

@florent4014 No worries, good to hear things are working now!


Reference: starred/BookStack#4968