LDAPS not working with ActiveDirectory #5042

Closed
opened 2026-02-05 09:36:01 +03:00 by OVERLORD · 2 comments

Originally created by @Utility9298 on GitHub (Nov 5, 2024).

Describe the Bug

Hello everyone,
I am running a Microsoft Active Directory (on Windows Server 2016) and BookStack on a non-domain Ubuntu machine.

My setup works with LDAP over port 389.
When I enable LDAPS in the .env, the login does not work any more.
I did add the internal root certificate authority on the Ubuntu server to the trusted ones (as I did in other Linux setups).

I have APP_DEBUG=true, but I do not receive any further information on the login screen beyond "Could not start TLS connection. Further details in the application log".

The laravel.log shows me the following:

[2024-11-05 14:06:33] production.INFO: LDAP STARTTLS failure: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server :: Can't contact LDAP server (unknown error code)
[2024-11-05 14:06:33] production.ERROR: Could not start TLS connection. Further details in the application log. {"exception":"[object] (BookStack\\Exceptions\\LdapException(code: 0): Could not start TLS connection. Further details in the application log. at /var/www/bookstack/app/Access/LdapService.php:238)
[stacktrace]

Where can I find the "application log"?

The LDAP section from my .env (I replaced business information with "xxx", but it works with LDAP so these must be correct). I also tried several combinations of the LDAP_TLS_INSECURE and LDAP_TLS_CA_CERT parameters, but these do not seem to change anything.

#LDAP
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://192.168.73.250:636
LDAP_BASE_DN="xxx"
LDAP_DN="xxx"
LDAP_PASS="xxx"
LDAP_USER_FILTER=(&(sAMAccountName={user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=sAMAccountName
LDAP_START_TLS=true
#LDAP_TLS_INSECURE=true
#LDAP_TLS_CA_CERT=/usr/local/share/ca-certificates/xxx.crt
LDAP_THUMBNAIL_ATTRIBUTE=thumbnailPhoto

Steps to Reproduce

  1. Go to login page
  2. Try to login via LDAPS

Expected Behaviour

Login does work after enabling LDAPS

Screenshots or Additional Context

bookstack_LDAPS_error (screenshot: https://github.com/user-attachments/assets/79bb4938-e866-407e-aea9-668dddec62d9)

Browser Details

No response

Exact BookStack Version

v24.10

OVERLORD added the 🐛 Bug label 2026-02-05 09:36:01 +03:00

@ssddanbrown commented on GitHub (Nov 5, 2024):

Hi @gamebird92,

Do you actually mean to use LDAPS, or does your system actually use LDAP via STARTTLS?
These are two distinct mechanisms that both look to be at play in your configured options, which is probably not desired.


@Utility9298 commented on GitHub (Nov 6, 2024):

@ssddanbrown Thanks for the hint! I do want to use LDAPS and took a deeper look into the differences.

I figured it out:

Thanks to your video on the LDAP setup: you mentioned using the name and not the IP address in LDAP_SERVER. It seems like it works with the domain name but not the IP address, probably because of the certificate verification.

I also rebooted my server (after installing the trusted certificate used for LDAPS on the server), but I am unsure if the reboot was really necessary.
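The two points raised in this thread (the maintainer's: an ldaps:// URI and LDAP_START_TLS=true are two different mechanisms and should not both be on; the reporter's: certificate verification needs the DNS name from the certificate, not an IP literal) can be checked mechanically before anyone tries to log in. The following is an added example, not BookStack's own code and not how BookStack itself parses its .env: it reads the LDAP keys as the reporter's file uses them and applies generic LDAP/TLS rules. The sample .env contents, the hostname dc01.example.test and the CA file path are constructed placeholders.

```python
"""Lint the LDAP section of a BookStack-style .env for conflicting or weak TLS settings.

Added example; assumptions: the key names LDAP_SERVER, LDAP_START_TLS,
LDAP_TLS_INSECURE are read as the issue's .env uses them. A bare host:port
without a scheme is treated as plain ldap:// (assumption, not BookStack's rule).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the reporter's shape: ldaps:// URI plus STARTTLS plus an IP literal.
BROKEN_ENV = """\
#LDAP
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://192.168.73.250:636
LDAP_BASE_DN="dc=example,dc=test"
LDAP_DN="cn=bookstack,ou=service,dc=example,dc=test"
LDAP_PASS="placeholder"
LDAP_START_TLS=true
#LDAP_TLS_INSECURE=true
LDAP_TLS_CA_CERT=/usr/local/share/ca-certificates/internal-root.crt
"""

# Constructed corrected form: LDAPS only, DNS name that the server certificate carries.
FIXED_ENV = """\
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://dc01.example.test:636
LDAP_START_TLS=false
LDAP_TLS_CA_CERT=/usr/local/share/ca-certificates/internal-root.crt
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines. A line starting with '#' is a comment, so a
    commented-out setting counts as absent, exactly as in the real file."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_ldap_tls(env: dict) -> list:
    """Return (code, message) findings; an empty list means no TLS issue found."""
    findings = []
    server = env.get("LDAP_SERVER", "")
    if "://" not in server:
        server = "ldap://" + server  # assumption: scheme-less value means plain LDAP
    url = urlsplit(server)
    scheme = url.scheme.lower()
    host = url.hostname or ""
    try:
        port = url.port
    except ValueError:
        port = None
    start_tls = _truthy(env.get("LDAP_START_TLS", "false"))
    insecure = _truthy(env.get("LDAP_TLS_INSECURE", "false"))
    tls_in_use = scheme == "ldaps" or start_tls

    if scheme == "ldaps" and start_tls:
        findings.append(("CONFLICT", "ldaps:// together with LDAP_START_TLS=true: LDAPS is TLS from "
                         "the first byte (port 636), STARTTLS upgrades a plaintext ldap:// session "
                         "(port 389). Choose one; the STARTTLS handshake fails on an LDAPS socket."))
    if scheme == "ldaps" and port == 389:
        findings.append(("PORT", "ldaps:// on port 389: 389 expects plaintext LDAP (optionally STARTTLS)."))
    if scheme == "ldap" and port == 636:
        findings.append(("PORT", "ldap:// on port 636: 636 expects TLS immediately; use ldaps://."))
    if not tls_in_use:
        findings.append(("PLAINTEXT", "neither ldaps:// nor STARTTLS: the bind DN password and user "
                         "credentials cross the network unencrypted."))
    if tls_in_use and _is_ip_literal(host):
        findings.append(("HOSTNAME", f"LDAP_SERVER uses the IP literal {host}: certificate verification "
                         "matches the name in the URI against the certificate, so use the DNS name "
                         "the server certificate was issued for."))
    if tls_in_use and insecure:
        findings.append(("INSECURE", "LDAP_TLS_INSECURE=true disables certificate verification; the "
                         "connection is encrypted but not authenticated."))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ENV), ("fixed", FIXED_ENV)):
        print(label, lint_ldap_tls(parse_env(text)) or "OK")
```

Running the linter over the reporter's shape of config yields the CONFLICT and HOSTNAME findings; the commented-out LDAP_TLS_INSECURE line is correctly ignored because the parser treats it as a comment. The corrected form produces no findings.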

Reference: starred/BookStack#5042