LDAP: Adding second AD group crashes BookStack — admins still require manual permissions #5444

Open
opened 2026-02-05 10:04:14 +03:00 by OVERLORD · 9 comments

Originally created by @SudoPan on GitHub (Sep 30, 2025).

### Attempted Debugging

- [x] I have read the debugging page

### Searched GitHub Issues

- [x] I have searched GitHub for the issue.

### Describe the Scenario

I have connected BookStack to our Active Directory (AD) via LDAP and I am using the LDAP_USER_FILTER.
I want two AD groups to map to different BookStack roles:

AD_WikiAdmin → BookStack Admins

AD_WikiViewer → BookStack Viewers

I followed the BookStack documentation, but I can't get this working.

What I tried

Configured LDAP authentication and LDAP_USER_FILTER.

Got a single-group setup working to some extent.

Tried adding a second group for viewers using the same LDAP configuration approach.

Expected behavior

Users in AD_WikiAdmin should be automatically assigned the Admin role.

Users in AD_WikiViewer should be automatically assigned a Viewer role (read-only).

Actual behavior

Admin users still need to be granted Admin permissions manually after their first login.

When I add a second AD group (for viewers) to the LDAP configuration, BookStack crashes/unusable.

Hope you can help me

### Exact BookStack Version

25.02.5

### Log Content


### Hosting Environment

PHP 8.3.6
Ubuntu 24.04.2 LTS

OVERLORD added the 🐕 Support label 2026-02-05 10:04:14 +03:00

@ssddanbrown commented on GitHub (Sep 30, 2025):

Hi @SudoPan,
When you say the following:

> When I add a second AD group (for viewers) to the LDAP configuration, BookStack crashes/unusable.

Can you confirm exactly what you're changing to achieve this?


@SudoPan commented on GitHub (Oct 1, 2025):

Hello @ssddanbrown

I tried something like this in the .env file.

```ini
LDAP_GROUPS=CN=Bookstack-Viewer,OU=Groups,DC=business,DC=local:viewer
LDAP_GROUPS=CN=Bookstack-Admin,OU=Groups,DC=business,DC=local:admin
```

I tried many things but don't get it to work so that I get a second AD group from the AD that can only view my shared Books / Sites from BookStack.


@ssddanbrown commented on GitHub (Oct 1, 2025):

@SudoPan Are you attempting to follow an LLM or AI for configuring this?
If so, please don't. There's no `LDAP_GROUPS` used by BookStack. Remove those options.

Group matching is done based on fetched "memberOf" group CN values matched with BookStack role names (or external auth ID values where set). Please [read our documentation](https://www.bookstackapp.com/docs/admin/ldap-auth/#ldap-group-sync) on LDAP group sync for more specific details.


@SudoPan commented on GitHub (Oct 1, 2025):

Good day @ssddanbrown

Thank you for trying to help me.

I tried to set this up using the documentation and with the help of an AI.

When I read through the documentation, I’m still missing one small piece of information that I don’t fully understand.

In the documentation, I don’t find the section about working with two AD groups.

Currently, I’m working with the following setup, where the group BookStack_Admin is allowed to use the wiki:

```ini
# Activate LDAP Groups
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE=memberOf

# User Group for BookStack
LDAP_USER_FILTER="(&(objectClass=user) (SAMAccountName=${user}) (memberOf=CN=BookStack_Admin, OU=Groups, DC=my, DC=local))"
LDAP_USER_ATTRIBUTE=sAMAccountName
```

Now, I would like to reconfigure this so that the AD group BookStack_Admin directly gets the Admin role in BookStack.

Additionally, I want to add a second AD group, BookStack_Viewer, which should directly receive the Viewer role in BookStack.

I’m not sure if this is even possible, since I can’t really figure it out from the documentation.


@ssddanbrown commented on GitHub (Oct 5, 2025):

> Now, I would like to reconfigure this so that the AD group BookStack_Admin directly gets the Admin role in BookStack.

Assuming that your LDAP system is providing valid `memberOf` values, all you'd need to do is edit the "Admin" role in BookStack, then set the "External Authentication IDs" field to `bookstack_admin`.

> Additionally, I want to add a second AD group, BookStack_Viewer, which should directly receive the Viewer role in BookStack.

Same as above but for the "Viewer" role in BookStack, setting `bookstack_viewer` in the "External authentication IDs" field.
You'll also need to remove the `(memberOf=CN=BookStack_Admin, OU=Groups, DC=my, DC=local)` part of your user filter to allow such users to log-in (or alternatively you could add extra groups in an `OR` configuration within your filter query).


@SudoPan commented on GitHub (Oct 7, 2025):

That sounds good.

Do I understand correctly that as soon as I set up the external authentication IDs (does that simply mean entering a number)?

What would that look like in the .env file? Do you perhaps have an example?

Thanks for your help.


@ssddanbrown commented on GitHub (Oct 7, 2025):

> as I set up the external authentication IDs (does that simply mean entering a number)?

The value you enter should match the `CN` value of the role, formatted as per our docs. So to match with `memberOf=CN=BookStack_Admin, OU=Groups, DC=my, DC=local` you'd use a value of `bookstack_admin`.

> What would that look like in the .env file? Do you perhaps have an example?

It's not part of the .env file config, but a field in the UI seen when editing a specific role (when LDAP/SAML2/OIDC is active).
See my video from about 21:05 where I add group syncing and perform some mapping using this field:
https://youtu.be/50qw_LkhwoM?t=1265

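The two pieces of advice in this thread (the Oct 5 comment: widen the user filter with an `OR` of the allowed groups instead of pinning it to one `memberOf` value; the Oct 7 comment: the role's "External Authentication IDs" field is matched against the lowercased `CN` of each `memberOf` group) can be modelled end to end. The Python below is an added example, not BookStack's own PHP code. It assumes, beyond what the thread states, that group names are also normalised by replacing spaces with hyphens, that the field may hold several comma-separated IDs, and that role names are matched the same way; usernames, DNs and roles are constructed for the demo. The username is escaped per RFC 4515 before it is interpolated into the filter, which is the check a defender wants on any `${user}` substitution.

```python
"""Model of LDAP user-filter construction and memberOf-to-role mapping.

Added example for this thread; not BookStack code. Assumptions (labelled):
space-to-hyphen normalisation, comma-separated external IDs, and role-name
matching alongside external IDs. All names and DNs below are constructed.
"""
import re

# RFC 4515 escapes for values interpolated into a search filter, so that a
# username such as "j*)(cn=*" cannot change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, allowed_group_dns: list[str]) -> str:
    """Build (&(objectClass=user)(sAMAccountName=<user>)[(|(memberOf=..)..)]).

    With no groups, any AD user may log in and role mapping alone decides
    access; with several groups they are OR-ed, as the Oct 5 comment suggests.
    """
    base = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)})"
    if not allowed_group_dns:
        return base + ")"
    clause = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in allowed_group_dns)
    if len(allowed_group_dns) == 1:
        return base + clause + ")"
    return base + "(|" + clause + "))"


def cn_from_dn(dn: str) -> str:
    """Return the value of the first RDN, which must be CN (e.g. 'BookStack_Admin')."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0].strip()
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"memberOf DN does not start with CN: {dn}")
    return value.strip()


def normalize_group_name(name: str) -> str:
    # Lowercasing is what the thread states; hyphenating spaces is an assumption.
    return name.strip().lower().replace(" ", "-")


def match_roles(member_of: list[str], roles: dict[str, str]) -> list[str]:
    """Map a user's memberOf DNs to BookStack role names.

    `roles` maps role display name -> "External Authentication IDs" field
    (comma-separated, possibly empty). A role matches when any of its IDs, or
    its own normalised name, equals a normalised group CN.
    """
    groups = {normalize_group_name(cn_from_dn(dn)) for dn in member_of}
    matched = []
    for role_name, external_ids in roles.items():
        ids = {normalize_group_name(x) for x in external_ids.split(",") if x.strip()}
        ids.add(normalize_group_name(role_name))
        if groups & ids:
            matched.append(role_name)
    return sorted(matched)


def sync_user_roles(current: set[str], matched: list[str],
                    default_role: str, remove_from_groups: bool) -> set[str]:
    """Apply LDAP_REMOVE_FROM_GROUPS semantics as described in the quoted .env comments:
    when enabled, roles without a matching group are dropped but the default
    registration role counts as matched; when disabled, roles are only ever added."""
    if remove_from_groups:
        return set(matched) | {default_role}
    return current | set(matched)


if __name__ == "__main__":
    admin_dn = "CN=BookStack_Admin, OU=Groups, DC=my, DC=local"   # constructed
    viewer_dn = "CN=BookStack_Viewer,OU=Groups,DC=my,DC=local"    # constructed
    roles = {"Admin": "bookstack_admin", "Viewer": "bookstack_viewer", "Domain Users": ""}
    print(build_user_filter("jdoe", [admin_dn, viewer_dn]))
    print(match_roles([admin_dn, "CN=Domain Users,CN=Users,DC=my,DC=local"], roles))
    print(sync_user_roles({"Editor"}, ["Viewer"], "Viewer", remove_from_groups=True))
```

`build_user_filter` with an empty group list reproduces the "remove the memberOf part of your user filter" option; passing both group DNs reproduces the `OR` option. `match_roles` is where `bookstack_admin` in the Admin role's field lines up with `CN=BookStack_Admin`.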

@SudoPan commented on GitHub (Oct 8, 2025):

Ah, thank you. I think I had misunderstood something in the configuration.
I will try it and let you know.
Thank you for the help


@SudoPan commented on GitHub (Oct 17, 2025):

Hello @ssddanbrown,

Sorry for the late message.

I followed the steps from your video and adjusted my setup accordingly. I removed my specific memberOf path and replaced it with the generic configuration as shown in the video:

```ini
# Enable LDAP group sync, set to 'true' to enable.
LDAP_USER_TO_GROUPS=true

# LDAP user attribute containing groups, defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE="memberOf"

# Remove users from roles that don't match LDAP groups.
# Note: While this is enabled, the "Default Registration Role" (editable within the
# BookStack settings view) will be considered a matched role and assigned to the user.
LDAP_REMOVE_FROM_GROUPS=false
```

After that, I added my bookstack_admin group to the Admin role in the external authentication ID settings.

However, once I make these changes, I can no longer log in.
I tested this with both my existing bookstack_admin group and a newly created group, but the login still fails in both cases.

Is there an error log I can check to find out what’s going wrong?

Thanks in advance for your help!

Reference: starred/BookStack#5444