Integrate LDAP with Roles System #67

Closed
opened 2026-02-04 16:29:37 +03:00 by OVERLORD · 4 comments

Originally created by @ssddanbrown on GitHub (Mar 8, 2016).

OVERLORD added the 🛠️ Enhancement label 2026-02-04 16:29:37 +03:00

@ssddanbrown commented on GitHub (Jan 15, 2017):

Sorry this issue has been open for so long. I was hoping to add this in the next release (v0.14) but my limited knowledge of LDAP is making this difficult. If someone can answer the below it will help my understanding of LDAP so I can implement this feature:

  • How are user groups normally managed?
    • Are they dictated by being nested within group objects or by users being directly assigned to groups (via `memberUID`?)?
    • Looking around there's many ways, so is it up to the LDAP service and owner how they set up groups?
  • Is there a standardised way to find users belonging to a group? I've found references to using `memberOf` but this does not seem to be standard on OpenLDAP?

After looking around, [KanBoard](https://kanboard.net/documentation/ldap-configuration-examples) seems to have good support for LDAP including groups so maybe inspiration should be taken from there. It looks like it's going to be easier to get the groups of a user rather than getting the users of a group.

@AceBlade258 commented on GitHub (Nov 20, 2017):

First, I am highly interested in this feature, and would love to assist/see it make progress. I have an installation in place at work, and this functionality is the one thing holding us back from a company-wide rollout.

  • For group management in LDAP there isn't really a "standard", as it is up to whomever implemented the LDAP schema. The only time there are standards to work with are when LDAP is part of a larger directory service such as Active Directory, or FreeIPA/RedHat IDM. Most LDAP auth implementations focus on supporting them, as they are by far the most widely-deployed LDAP implementations.

  • As far as I am aware, `memberOf` is the most commonly used method of determining if a user is a member of a group; however, some POSIX-only implementations of LDAP use `memberUid` instead. Also, as far as I am aware, it is more normal to get the groups of a user than the users of a group.

Please let me know if I can help test this: I have two installations in my lab I can test against with AD and IPA authentication set up. I would also be more than happy to spin up additional testing instances of any of the needed services.

@brennanmurphy commented on GitHub (Apr 20, 2018):

Hi @ssddanbrown, I was wondering if you are still working on this, as I've been actively looking at deploying Bookstack at my workplace, and this is also holding us back. If you don't have a lot done on this, I would be happy to take a run at making this work in the next few weeks.

I would agree with @AceBlade258 that `memberOf` is more common, as most of the installations of an LDAP server I've seen do try to replicate an Active Directory structure.

You are right that it will be easier to get the groups of a user rather than users of a group. I would also say that some sort of parent group loop needs to be implemented, as I've seen major deployments of OpenLDAP with 4 to 5 levels of parent-child relationships with groups; for example, this is common at university campuses.

Please let me know if you would like help completing this, as I worked on LDAP integrations for single sign-on systems in the past, and I was looking through the code yesterday and think I know the path I would take to make this work.
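
The thread above raises two separate questions: how to find a user's direct groups when a server exposes `memberOf` on the user versus `memberUid` on the group (the first two comments), and how to walk several levels of parent groups without looping forever (the previous comment). The following is an added example, not BookStack's code and not in the project's language (Python rather than PHP); it runs against a constructed in-memory directory that stands in for LDAP search results, and the DNs, attribute values and `ROLE_MAP` are all made up for illustration. It resolves direct groups with a `memberOf`-first, `memberUid`-fallback strategy, expands nested parents breadth-first with a visited set and a depth cap, and maps group names to roles deny-by-default.

```python
"""Resolve a directory user's effective groups, including nested parent groups.

Added example for the discussion above; the DIRECTORY below is a constructed
stand-in for LDAP entries (DN -> attribute -> list of values). It is not
BookStack code and uses no real LDAP client.
"""
from collections import deque
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory. alice is assigned via memberOf (AD / FreeIPA /
# OpenLDAP with the memberof overlay); bob is only listed in a posixGroup's
# memberUid. The staff <-> all cycle is deliberate, to exercise cycle handling.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"],
        "memberOf": ["cn=editors,ou=groups,dc=example,dc=org"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "uid": ["bob"],  # no memberOf attribute at all on this entry
    },
    "cn=editors,ou=groups,dc=example,dc=org": {
        "cn": ["editors"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"],
    },
    "cn=staff,ou=groups,dc=example,dc=org": {
        "cn": ["staff"],
        "memberOf": ["cn=all,ou=groups,dc=example,dc=org"],
    },
    "cn=all,ou=groups,dc=example,dc=org": {
        "cn": ["all"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"],  # cycle
    },
    "cn=devs,ou=groups,dc=example,dc=org": {
        "cn": ["devs"],
        "memberUid": ["bob"],  # POSIX-style membership, no memberOf anywhere
    },
}

# Hypothetical application mapping: group cn -> role name. Groups not listed
# here grant nothing, so an unexpected group in the directory cannot add rights.
ROLE_MAP: Dict[str, str] = {"editors": "editor", "staff": "viewer", "all": "viewer"}


def _attr(dn: str, name: str) -> List[str]:
    """Attribute values for an entry; [] if the entry or attribute is absent."""
    return DIRECTORY.get(dn, {}).get(name, [])


def direct_groups(user_dn: str) -> Set[str]:
    """Groups the user is directly assigned to.

    Prefer memberOf on the user entry; if the server does not maintain it,
    fall back to scanning group entries for the user's uid in memberUid.
    """
    groups = set(_attr(user_dn, "memberOf"))
    if groups:
        return groups
    uids = _attr(user_dn, "uid")
    for dn, entry in DIRECTORY.items():
        if any(uid in entry.get("memberUid", []) for uid in uids):
            groups.add(dn)
    return groups


def parent_groups(group_dn: str) -> Set[str]:
    """Groups this group is nested in: its own memberOf, plus any group whose
    member attribute lists this group's DN (AD-style nesting)."""
    parents = set(_attr(group_dn, "memberOf"))
    for dn, entry in DIRECTORY.items():
        if group_dn in entry.get("member", []):
            parents.add(dn)
    return parents


def effective_groups(user_dn: str, max_depth: int = 10) -> List[str]:
    """Breadth-first walk up the parent chain. The visited set stops cycles,
    the depth cap bounds work on very deep or misconfigured trees."""
    seen: Set[str] = set()
    queue = deque((g, 1) for g in direct_groups(user_dn))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        if depth >= max_depth:
            continue
        for parent in parent_groups(dn):
            if parent not in seen:
                queue.append((parent, depth + 1))
    return sorted(seen)


def roles_for(user_dn: str, group_role_map: Dict[str, str]) -> List[str]:
    """Roles granted by the user's effective groups; unmapped groups grant none."""
    roles: Set[str] = set()
    for dn in effective_groups(user_dn):
        for cn in _attr(dn, "cn"):
            if cn in group_role_map:
                roles.add(group_role_map[cn])
    return sorted(roles)
```

Against a real server the two scans in `direct_groups` and `parent_groups` become LDAP searches (`(memberUid=<uid>)` and `(member=<group DN>)` filters), but the control flow is the same: resolve from the user outward, never from group to all users, and treat the nesting walk as bounded graph traversal rather than recursion, since the directory owner, not the application, controls how deep and how cyclic the group tree is.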

@ssddanbrown commented on GitHub (Apr 21, 2018):

Hi @brennanmurphy,

I've made no real work on this, just tried to work out the logic and got confused with the LDAP specifics. Absolutely feel free to take a crack at this one if you're happy to do so.

I'm happy to support you on this any way I can.
Reference: starred/BookStack#67