LDAP and local authentication #878

Closed
opened 2026-02-04 22:40:34 +03:00 by OVERLORD · 6 comments
Owner

Originally created by @emmanuelhaine on GitHub (Oct 24, 2018).

Hey guys,
I'm setting up a fresh installation and I'm having a problem with LDAP and local authentication together.
When I change the AUTH_METHOD to ldap I cannot log in with the local account. I followed the steps below:

"You may find that you cannot log in with your initial Admin account after changing the AUTH_METHOD to ldap. To get around this set the AUTH_METHOD to standard, login with your admin account then change it back to ldap. You can then edit your profile and add your LDAP uid under the ‘External Authentication ID’ field. You will then be able to log in with that ID."

But I haven't had success.


@ssddanbrown commented on GitHub (Oct 24, 2018):

Hi @emanuelhaine, as it stands, LDAP cannot be used alongside the standard email/username option.


@emmanuelhaine commented on GitHub (Oct 24, 2018):

Hey @ssddanbrown, first of all thanks for your response. I'd like to know if there's a way to use the local account in this case.


@emmanuelhaine commented on GitHub (Oct 25, 2018):

Hey @ssddanbrown, now I understood what to do. I have a doubt about the roles. I created a role with the same group name I have on LDAP, but when I log in, the user always gets the public role. How can I filter it? I set the options below:

LDAP_USER_TO_GROUPS=true
LDAP_REMOVE_FROM_GROUPS=true

And I'm not sure about this variable

LDAP_GROUP_ATTRIBUTE


@ssddanbrown commented on GitHub (Oct 26, 2018):

@emanuelhaine In most cases `LDAP_GROUP_ATTRIBUTE` can be left as-is if things are syncing since it uses the popular `memberOf` attribute by default.

I think the default registration role might get applied to users on LDAP group sync. Is the public role set as the default for new registrants in settings?


@emmanuelhaine commented on GitHub (Oct 26, 2018):

@ssddanbrown Thanks for your help, but I got how it works. The application recognizes the LDAP groups if the role has the same name and the LDAP_GROUP_ATTRIBUTE is set to "memberOf".

So, my configuration is:

LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=true

I also set the variable below, because some users on my LDAP don't have an e-mail. If this variable is not set, I can't log in with a user without an e-mail.

LDAP_EMAIL_ATTRIBUTE=false

I think this issue can be closed.
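
A simplified model of the name-based group-to-role matching discussed in this thread, added here as an illustration and not taken from BookStack's code or from either participant. The function names, the case-insensitive comparison and the sample DNs and role names are assumptions; it shows why a `memberOf` value has to be reduced to its group name before it can match a role, and what `LDAP_REMOVE_FROM_GROUPS=true` implies for roles with no matching LDAP group.

```python
import string

def first_rdn_value(dn):
    """Return the unescaped value of the leftmost RDN of an RFC 4514 DN."""
    buf = bytearray()
    i = dn.find("=") + 1          # 0 when the value is a bare name, not a DN
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))      # hex escape such as \2C or \C3\A9
                i += 3
            else:
                buf += dn[i + 1].encode()      # escaped special such as \,
                i += 2
        elif ch in ",+":                       # unescaped separator ends the RDN
            break
        else:
            buf += ch.encode()
            i += 1
    return buf.decode("utf-8", "replace").strip()

def plan_role_sync(member_of, app_roles, current_roles, remove_from_groups=True):
    """Return (roles_to_add, roles_to_remove) for one login.

    Assumption: a role matches when its name equals the group's CN,
    compared case-insensitively.
    """
    groups = {first_rdn_value(dn).casefold() for dn in member_of}
    matched = {r for r in app_roles if r.casefold() in groups}
    current = set(current_roles)
    to_add = matched - current
    # With removal enabled, every role not backed by an LDAP group is dropped,
    # including privileged roles that were assigned by hand.
    to_remove = current - matched if remove_from_groups else set()
    return sorted(to_add), sorted(to_remove)

# Constructed sample data (not from the thread).
MEMBER_OF = [
    "CN=Wiki Editors,OU=Groups,DC=example,DC=org",
    r"CN=Ops\, EMEA,OU=Groups,DC=example,DC=org",
    "CN=vpn-users,OU=Groups,DC=example,DC=org",
]
APP_ROLES = ["Admin", "wiki editors", "Ops, EMEA", "Public"]
CURRENT = ["Public", "Admin"]

if __name__ == "__main__":
    print(plan_role_sync(MEMBER_OF, APP_ROLES, CURRENT))
```
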


@emmanuelhaine commented on GitHub (Oct 26, 2018):

I had to change this variable to the default value:
LDAP_EMAIL_ATTRIBUTE
In cases where users don't have an e-mail, they can type a valid email and log in.


Reference: starred/BookStack#878