LDAP only allow specific users? #781

Closed
opened 2026-02-04 22:16:06 +03:00 by OVERLORD · 15 comments
Originally created by @pth0rn on GitHub (Aug 18, 2018).

So I've successfully configured LDAP and I can log in. Is there a way to configure BookStack to only allow logins from a list of specific users?
Currently I'm just using LDAP_USER_FILTER=(&(sAMAccountName=${user})) in .env

OVERLORD added the 🐕 Support Question labels 2026-02-04 22:16:06 +03:00
@derek-shnosh commented on GitHub (Aug 19, 2018):

Review the docs; https://www.bookstackapp.com/docs/admin/ldap-auth/

The LDAP Group Sync section at the bottom outlines what you're trying to accomplish.

I just did this last night and it's working as documented...

  • Create security groups that match your Role Names in admin settings.
  • Add users to these groups as desired.
  • In your .env file;
# Do you want to sync LDAP groups to BookStack roles for a user
LDAP_USER_TO_GROUPS=true
# What is the LDAP attribute for group memberships
LDAP_GROUP_ATTRIBUTE="memberOf"
@pth0rn commented on GitHub (Aug 19, 2018):

Actually I’d like to have a specific list of users to filter, not by groups in ldap.

Something like

LDAP_USER_FILTER=(&(sAMAccountName=john || joe || mark)

@ssddanbrown commented on GitHub (Aug 19, 2018):

Hi @Vicvinegar0,
There are three ways I can see of doing this:

  1. Use group syncing as recommended above; have all your BookStack users in a single group and only grant that group permissions. Other users would be able to log in but not be able to do anything else unless granted via permissions.
  2. Give your BookStack+LDAP users a specific attribute in LDAP or add them to a specific group then modify your filter to include that:
(&(sAMAccountName=${user})(memberOf=cn=BookStackers,ou=users,dc=example,dc=com))
  3. Add the users directly to the filter (Not as scalable):
(&(sAMAccountName=${user})(|(sAMAccountName=Ben)(sAMAccountName=Hannah)(sAMAccountName=Steve)))

Let us know if that helps

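The three filter shapes above are easy to get wrong by hand (the option 3 line as first posted was missing its closing parenthesis). As an added example, not code from this thread or from BookStack, here is a small Python helper that builds the allow-list filter (option 3) and the group filter (option 2), escapes literal values per RFC 4515, and renders the result as a quoted `.env` line. The function names are my own; the `${user}` placeholder is left untouched so BookStack can substitute the login name, and the `nested=True` variant uses the Active Directory matching-rule OID that a later comment in this thread introduces.

```python
"""Build LDAP_USER_FILTER values for the approaches discussed above (added example)."""

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID, used for nested group matching.
OID_IN_CHAIN = "1.2.840.113556.1.4.1941"

PLACEHOLDER = "${user}"  # left unescaped so BookStack can substitute the login name


def escape_filter_value(value):
    """Escape a literal value for use in an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def allow_list_filter(user_attr, allowed_users):
    """Option 3: AND the login name with an OR over an explicit list of accounts."""
    if not allowed_users:
        raise ValueError("allow list is empty; an OR with no terms matches nothing")
    alternatives = "".join(
        f"({user_attr}={escape_filter_value(u)})" for u in allowed_users
    )
    return f"(&({user_attr}={PLACEHOLDER})(|{alternatives}))"


def group_filter(user_attr, group_dn, nested=False):
    """Option 2: require membership of one group, identified by its DN.

    nested=True switches to the AD-specific matching-rule form, which makes the
    directory follow group nesting instead of checking direct membership only.
    """
    attr = f"memberOf:{OID_IN_CHAIN}:" if nested else "memberOf"
    return f"(&({user_attr}={PLACEHOLDER})({attr}={escape_filter_value(group_dn)}))"


def env_line(filter_value):
    """Render the filter as a .env assignment: whole value quoted, inner quotes escaped."""
    return 'LDAP_USER_FILTER="' + filter_value.replace('"', '\\"') + '"'


if __name__ == "__main__":
    print(env_line(allow_list_filter("sAMAccountName", ["Ben", "Hannah", "Steve"])))
    print(env_line(group_filter("sAMAccountName",
                                "cn=BookStack Users,cn=Users,dc=example,dc=com",
                                nested=True)))
```

Spaces and commas inside a DN do not need escaping in a filter, which is why the group DNs with spaces later in this thread work once the surrounding `.env` quoting is right; only `\`, `*`, `(`, `)` and NUL are rewritten.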

@pth0rn commented on GitHub (Aug 19, 2018):

Perfect, I only have a small number of users who need to use the site and I don’t have access to make AD changes so 3 is what I was looking for.
Appreciate it


@ssddanbrown commented on GitHub (Aug 19, 2018):

@Vicvinegar0 Awesome, thanks for replying. Will therefore close this issue.


@rag08 commented on GitHub (Jan 8, 2021):

> Hi @Vicvinegar0,
> There's three ways I can see of doing this:
>
>   1. Use group syncing as recommended above, Have all you BookStack users in a single group and only grant that group permissions. Other users would be able to log-in but not be able to do anything else unless granted via permissions.
>   2. Give your BookStack+LDAP users a specific attribute in LDAP or add them to a specific group then modify your filter to include that:
> (&(sAMAccountName=${user})(memberOf=cn=BookStackers,ou=users,dc=example,dc=com))
>   3. Add the users directly to the filter (Not as scalable):
> (&(sAMAccountName=${user})(|(sAMAccountName=Ben)(sAMAccountName=Hannah)(sAMAccountName=Steve)))
>
> Let us know if that helps

Hi,

I know this thread has been closed a little while now but I would ideally like to implement option 2 into our setup. Using the example below appears to break syntax and BookStack fails to load. Using option 3 works, but I would prefer the scalability of using AD groups. I don't know if this is because we have spaces in our lookup path, but it works OK for the LDAP_BASE_DN lookup.

LDAP_USER_FILTER=(&(sAMAccountName=${user})(memberOf="cn=BookStack,ou=Security Groups,ou=OU Name,dc=domain,dc=com"))

Thanks


@ssddanbrown commented on GitHub (Jan 9, 2021):

Hi @rag08, quotes and spaces can mess with the .env values. Can you try something like:

LDAP_USER_FILTER="(&(sAMAccountName=${user})(memberOf=\"cn=BookStack,ou=Security Groups,ou=OU Name,dc=domain,dc=com\"))"

So wrap the entire value in quotes and escape any quotes you need in the string itself.


@rag08 commented on GitHub (Jan 11, 2021):

Thanks for the quick response @ssddanbrown. Unfortunately encapsulating the entire string in quotes still breaks with a syntax error. Do you know of any other workaround for this at all?

Or we may just have to go with one of your other two suggestions from above!

Thanks


@ssddanbrown commented on GitHub (Jan 12, 2021):

@rag08 No problem. It should not break BookStack though. Are you escaping the inner quotes with back-slashes like in the example? Is this in a .env or are you passing these to something like a docker container via other means?


@rag08 commented on GitHub (Jan 12, 2021):

Yeah the inner quotes are escaped with back-slashes, but no joy unfortunately. BookStack will not load at all with this config.

LDAP_USER_FILTER="(&(sAMAccountname=${user})(memberOf=\"cn=BookStack,ou=Security Groups,ou=OU Name,dc=domain,dc=com\"))"

This is all in the .env file.

Thanks


@ssddanbrown commented on GitHub (Jan 12, 2021):

@rag08 Very odd. What operating system are you on, out of interest?

That exact line in my .env file does not prevent loading. Does it prevent all page loads? What do you see? A blank white screen or an error message or something else?


@rag08 commented on GitHub (Jan 13, 2021):

Ok so it looks like I am getting somewhere. BookStack is now loading with that line in the config (not sure what was going on there, service restart seemed to sort that).

When trying to login with a user that is a member of the required security group, it gives the "These credentials do not match our records" error. Is there anything else I need to change in the .env file for this? Or is it maybe a filter issue?


@ssddanbrown commented on GitHub (Jan 13, 2021):

@rag08 Generally that would indicate either the filter is matching no results or the password is incorrect.

I think setting LDAP_DUMP_USER_DETAILS=true may dump a user, if found at all, before the password is checked if you wanted to double check what part is failing.


@jdolny commented on GitHub (Oct 22, 2021):

I experienced the same issues stated above and the following worked for me. Note, quotes should go around the entire filter but should not be included in the memberof=

LDAP_USER_FILTER="(&(sAMAccountname=${user})(memberOf=cn=BookStack,ou=Security Groups,ou=OU Name,dc=domain,dc=com))"

Putting quotes around the memberOf value would allow the page to load, but login would fail.


@NewbAdmin commented on GitHub (Jan 28, 2024):

I know this is an old issue, but I'm running through Active Directory integration now and thought I would contribute some additional useful information. You can make role management easier with the following filter (specific values will obviously be different for your environment):
LDAP_USER_FILTER="(&(sAMAccountName=${user})(memberOf:1.2.840.113556.1.4.1941:=cn=BookStack Users,cn=Users,dc=example,dc=com))"

By adding :1.2.840.113556.1.4.1941: to the LDAP filter, BookStack can check nested groups. This is useful when you sync BookStack roles to AD groups because you can store multiple roles within a single 'BookStack Users' group.

Here are some examples:

  • BookStack Users group can log in to BookStack
  • BookStack Users/BookStack Admins group can log in and has admin privileges
  • BookStack Users/BookStack Editors group can log in and has editing privileges

Of course, you could also just add an OR statement to the filter and explicitly name each group with something like (|(group_one)(group_two)(group_three)), but this looks much cleaner and you won't have to go back and edit the filter in .env every time you add a new role.

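Two findings in this thread are easy to see once you can run a filter against a small directory: the quoted `memberOf="cn=..."` form from the earlier comments loads but never matches anyone, because the quotes become part of the compared value, and the `memberOf:1.2.840.113556.1.4.1941:=` form from the last comment matches users whose membership is only via a nested group. The Python below is an added example, not BookStack's code and not a real LDAP client: it parses the filter grammar used in this thread (`&`, `|`, `attr=value`, and the one AD extensible-match rule), evaluates it against a constructed in-memory directory, and substitutes `${user}` verbatim (no escaping, equality only). The directory entries, the user names and the `find_users`/`is_valid_filter` helpers are my own.

```python
"""Evaluate simplified LDAP filters against a constructed directory (added example)."""

OID_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD's LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample directory: DN -> attributes (multi-valued). alice is only a
# direct member of "BookStack Admins", which is itself nested in "BookStack Users".
DIRECTORY = {
    "cn=alice,cn=Users,dc=example,dc=com": {
        "sAMAccountName": ["alice"],
        "memberOf": ["cn=BookStack Admins,cn=Users,dc=example,dc=com"],
    },
    "cn=bob,cn=Users,dc=example,dc=com": {
        "sAMAccountName": ["bob"],
        "memberOf": ["cn=BookStack Users,cn=Users,dc=example,dc=com"],
    },
    "cn=carol,cn=Users,dc=example,dc=com": {
        "sAMAccountName": ["carol"],
        "memberOf": ["cn=Domain Users,cn=Users,dc=example,dc=com"],
    },
    "cn=BookStack Admins,cn=Users,dc=example,dc=com": {
        "memberOf": ["cn=BookStack Users,cn=Users,dc=example,dc=com"],
    },
    "cn=BookStack Users,cn=Users,dc=example,dc=com": {"memberOf": []},
    "cn=Domain Users,cn=Users,dc=example,dc=com": {"memberOf": []},
}


def _parse(s, i):
    """Parse one parenthesised component at s[i]; returns (node, index after it).

    Grammar covered: (&...), (|...), (attr=value) and (attr:oid:=value).
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    j = s.index(")", i)  # values here contain no raw ')' (RFC 4515 escapes it as \29)
    attr, value = s[i:j].split("=", 1)
    return ("eq", attr, value), j + 1


def parse_filter(s):
    """Parse a whole filter; raises ValueError on unbalanced or trailing input."""
    try:
        node, end = _parse(s, 0)
    except IndexError:
        raise ValueError("unbalanced filter: ran out of input") from None
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def is_valid_filter(s):
    """True when the filter parses cleanly; catches a missing closing parenthesis."""
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


def transitive_groups(dn, seen=None):
    """All groups dn belongs to, following memberOf chains (what the OID asks AD to do)."""
    seen = set() if seen is None else seen
    for group in DIRECTORY.get(dn, {}).get("memberOf", []):
        if group not in seen:
            seen.add(group)
            transitive_groups(group, seen)
    return seen


def matches(node, dn):
    """Case-insensitive equality on attribute names and values, as AD compares them."""
    if node[0] == "&":
        return all(matches(child, dn) for child in node[1])
    if node[0] == "|":
        return any(matches(child, dn) for child in node[1])
    _, attr, value = node
    if attr.endswith(":"):  # extensible match: attr:oid:=value
        name, oid, _ = attr.split(":")
        if name.lower() != "memberof" or oid != OID_IN_CHAIN:
            raise ValueError(f"unsupported matching rule {oid}")
        candidates = transitive_groups(dn)
    else:
        entry = {k.lower(): v for k, v in DIRECTORY[dn].items()}
        candidates = entry.get(attr.lower(), [])
    return value.lower() in {c.lower() for c in candidates}


def find_users(filter_template, login):
    """Substitute the login for ${user} and return the DNs the filter matches."""
    node = parse_filter(filter_template.replace("${user}", login))
    return [dn for dn in DIRECTORY if matches(node, dn)]
```

With the plain `memberOf=` filter only `bob` is found; with the OID form both `alice` and `bob` are found and `carol` is still rejected; with quotes around the DN nobody is found at all, which is the "credentials do not match our records" outcome described above. `LDAP_DUMP_USER_DETAILS=true`, mentioned earlier in the thread, is the BookStack-side way to see which of these cases you are in.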

Reference: starred/BookStack#781