mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-05 00:29:48 +03:00
Change LDAP External Authentication ID from distinguishedName to objectGUID #500
Closed · opened 2026-02-04 20:35:05 +03:00 by OVERLORD · 15 comments
Originally created by @jk-95 on GitHub (Nov 14, 2017).
Originally assigned to: @ssddanbrown on GitHub.
For Bug Reports
Expected Behavior
To have the ability to change user's External Authentication ID from distinguishedName to objectGUID when using LDAP authentication with Microsoft AD.
Current Behavior
Currently when a user is moved to a different OU in AD their distinguishedName will change and BookStack will throw this error when that user tries to log in:
A user with the email user@domain.com already exists but with different credentials.
The fix is to repoint the user's External Authentication ID from the old distinguishedName to the new one. If objectGUID was used instead this issue wouldn't occur as the user's objectGUID doesn't change when moving OUs or renaming the account etc.
Steps to Reproduce
Register a user in BookStack using LDAP authentication - note the user's External Authentication ID is their distinguishedName in AD. Move the user to a different OU in AD - their distinguishedName will have changed so they can no longer sign in to BookStack. When they try to sign in they get the following error:
A user with the email user@domain.com already exists but with different credentials.
The fix is to repoint the user's External Authentication ID from the old distinguishedName to the new one.
@ssddanbrown commented on GitHub (Nov 19, 2017):
Hi @JamesKetley, Thanks for reporting this issue.
BookStack will try to use a `uid` LDAP attribute and will fall back to using `dn` if a `uid` is not provided. This can be seen here.
I have double checked this behaviour via my OpenLDAP setup. Unfortunately I do not have an AD instance available for me to test against. It would be ideal if someone could check if AD provides a `uid` attribute and, if not, what the alternative would be.
@timconner commented on GitHub (Mar 4, 2018):
@ssddanbrown The best attribute for Active Directory would be `objectGUID` as JamesKetley mentioned. That attribute remains unchanged throughout the lifetime of the account in Active Directory.
A lot of LDAP authentication systems will have a toggle for specifying that the target LDAP is Active Directory which will allow for the subtle differences.
@ellisgeek commented on GitHub (Jun 26, 2018):
@ssddanbrown Unfortunately AD does not populate the `uid` attribute and does not support `entryUUID` either. I agree with @timconner that having a toggle for Active Directory would be the best solution as there are annoying subtle differences like this.
Alternatively checking for `objectGUID` after `uid` and before `distinguishedName` would work.
@FMCUSystemAdmins commented on GitHub (Jun 20, 2019):
Inadvertently experienced this, can confirm same behavior and fix. Agree with using the objectGUID attribute instead of DN.
@ssddanbrown commented on GitHub (Aug 27, 2019):
Thanks for the confirmation everyone.
Would probably be best to make this configurable instead of a toggle, so it can adjust for all systems, then we can update the AD sample in the docs to include this with `objectGUID` set as the option.
Since this should be fairly straightforward, and since it's affected a few people, I've marked this to be part of v0.28.
@ssddanbrown commented on GitHub (Dec 16, 2019):
This is now in master, to be part of the next feature release (v0.28).
As of that release you'll be able to set the following in your .env file:
Note that changing this parameter could affect existing LDAP logins since the stored IDs will no longer match up. After changing you may want to go through your users and alter the stored "External Authentication Ids". If you have many users it will probably be easiest to do this directly via the database. It's the `external_auth_id` column of the `users` table that you'd need to change.
@joaomezzari commented on GitHub (Dec 23, 2019):
If I just change the parameter and don't change anything else, the users that use the DN as the ID won't be able to login?
@ssddanbrown commented on GitHub (Dec 23, 2019):
@joaomezzari If you're referring to existing users that already have a DN as their `external_auth_id` value, then likely yes. They either won't be able to login and be shown an "Email already in use" warning, or they may be shown a view to set their email which will end up as a new account. I think that can occur if LDAP is not providing an email address for the user.
@joaomezzari commented on GitHub (Dec 23, 2019):
@ssddanbrown Yes, that's the behaviour if the email field in AD is not populated. Thanks for the feedback.
@joaomezzari commented on GitHub (Feb 4, 2020):
Hello,
I changed the parameter in the .env file to LDAP_ID_ATTRIBUTE=objectGUID and changed the user external authentication ID to the matching objectGUID value in AD, but the user can't login to Bookstack. It doesn't throw any error, it just returns to the login page.
New users are created normally using the objectGUID attribute if it's the first login.
@finnwessel commented on GitHub (Feb 5, 2020):
Did you try to set `SAML2_DUMP_USER_DETAILS=true` to see what your IDP returns? Maybe there is more info in the log file.
Edit:
Thought this was like the problem I had without recognizing it's about LDAP...
@ssddanbrown commented on GitHub (Feb 5, 2020):
@finnwessel That option is only for SAML, not for LDAP.
@ssddanbrown commented on GitHub (Feb 5, 2020):
@joaomezzari Are those new users, that are created with the objectGUID, able to login again upon the first login? Any formatting differences in their external auth id compared to the one you're manually entering?
@joaomezzari commented on GitHub (Feb 5, 2020):
@ssddanbrown It seems that it's not possible to login again after the first one. I checked and the external authentication ID is very strange, actually:
Obviously, this is not the objectGUID that this user has in AD.
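Two points in this thread are easier to see in code: the DN-based failure the issue reports (after an OU move the stored ID no longer matches, so the login falls through to the email check and is refused) and the objectGUID handling that the February 2020 comments run into. Over LDAP, objectGUID is delivered as 16 raw bytes, not as the dashed string AD admin tools show, and AD stores the first three GUID fields little-endian, so a client that treats the attribute as text will store or display an unreadable value. The following Python script is an added example, not BookStack's code or anything posted in the thread. The `resolve_login` function is only a simplified model of the matching behaviour the issue describes (an assumption, not the project's implementation), and the account, DNs and GUID bytes are constructed sample data.

```python
# Added example (not BookStack code): models the external-auth-ID matching the
# issue describes and shows how an AD objectGUID has to be handled as an ID.
import uuid
from dataclasses import dataclass


class CredentialMismatch(Exception):
    """The situation the issue reports: the email is already registered,
    but under a different external authentication ID."""


@dataclass
class StoredUser:
    email: str
    external_auth_id: str


def resolve_login(users, email, external_id):
    """Simplified model (assumption, not BookStack's implementation): match on
    the stored external ID first; if that fails and the email is already
    taken, refuse the login; otherwise treat it as a new user."""
    for u in users:
        if u.external_auth_id == external_id:
            return u
    for u in users:
        if u.email.lower() == email.lower():
            raise CredentialMismatch(
                f"A user with the email {email} already exists but with different credentials.")
    return None  # a real implementation would register a new account here


def guid_bytes_to_string(raw: bytes) -> str:
    """Convert the 16 raw objectGUID bytes from LDAP into the dashed form AD
    tools display. uuid's bytes_le handles AD's little-endian first fields."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_string_to_bytes(guid: str) -> bytes:
    """Inverse of guid_bytes_to_string: dashed string back to AD's byte order."""
    return uuid.UUID(guid).bytes_le


def guid_string_to_ldap_filter(guid: str) -> str:
    """Build an RFC 4515 search filter that finds an account by objectGUID.
    Each raw byte is escaped as \\XX so the binary value is safe in a filter."""
    raw = guid_string_to_bytes(guid)
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


# Constructed sample data (not from the issue): one account before and after an
# OU move. Its DN changes; the objectGUID bytes the directory returns do not.
GUID_RAW = bytes.fromhex("0c4f2e3a1b5c6d7e8f90a1b2c3d4e5f6")
OLD_DN = "CN=Jane Doe,OU=Sales,DC=example,DC=com"
NEW_DN = "CN=Jane Doe,OU=Support,DC=example,DC=com"
EMAIL = "user@domain.com"


def demo_dn_breaks_after_move() -> str:
    """Stored ID is the old DN; the directory now presents the new DN."""
    users = [StoredUser(EMAIL, OLD_DN)]
    try:
        resolve_login(users, EMAIL, NEW_DN)
    except CredentialMismatch as e:
        return str(e)
    return "login succeeded"


def demo_guid_survives_move() -> str:
    """Stored ID is the converted objectGUID; the same bytes come back after
    the move, so the converted value still matches."""
    users = [StoredUser(EMAIL, guid_bytes_to_string(GUID_RAW))]
    return resolve_login(users, EMAIL, guid_bytes_to_string(GUID_RAW)).email


if __name__ == "__main__":
    print(demo_dn_breaks_after_move())
    print(demo_guid_survives_move())
    print(guid_bytes_to_string(GUID_RAW))
    # what the same value looks like if stored as text without conversion
    print(repr(GUID_RAW.decode("latin-1")))
    print(guid_string_to_ldap_filter(guid_bytes_to_string(GUID_RAW)))
```

The practical consequence for a migration like the one discussed above: whatever is written into `external_auth_id` for an objectGUID-based setup must be the same representation that the application derives from the raw attribute on every login, so a value copied by hand from an AD console only works if the application converts the bytes to that dashed form itself; otherwise the two never compare equal and the login silently fails or creates a second account.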
@ssddanbrown commented on GitHub (Feb 5, 2020):
Hi @joaomezzari,
That's really odd, I've opened #1872 so I don't lose track of things on this closed issue and so that others can see it if they're experiencing the same thing.
I'll have a think about how this can be debugged and I'll respond on that new issue.