LDAP Auth broken by security groups with parenthesis in the name... #939

Closed
opened 2026-02-04 23:04:43 +03:00 by OVERLORD · 7 comments

Originally created by @derek-shnosh on GitHub (Dec 8, 2018).

Describe the bug
LDAP authentication seems to succeed, but throws an exception; i.e. a `ldap_search(): Search: Bad search filter` error is given, but if I simply browse *back* I am logged in and given admin privileges according to the **External Authentication ID** mapped to the role.

![screenrecord](https://i.imgur.com/nNDcGk7.gif)

.env

I tried including a valid OU= for the LDAP_BASE_DN= setting, but experienced the same result.

```
# General auth
AUTH_METHOD=ldap

# LDAP Settings
LDAP_SERVER=dc.domain.com
LDAP_BASE_DN="DC=domain,DC=com"
LDAP_DN="CN=bookstack,OU=Service Accounts,DC=domain,DC=com"
LDAP_PASS="strong_password"
LDAP_USER_FILTER="(&(sAMAccountName=${user})(memberOf=CN=Docs_Login,OU=Security Groups,DC=domain,DC=com))"
LDAP_VERSION=3
# Do you want to sync LDAP groups to BookStack roles for a user
LDAP_USER_TO_GROUPS=true
# What is the LDAP attribute for group memberships
LDAP_GROUP_ATTRIBUTE="memberOf"
# Would you like to remove users from roles on BookStack if they do not match on LDAP
# If false, the ldap groups-roles sync will only add users to roles
LDAP_REMOVE_FROM_GROUPS=true
```

Steps To Reproduce
Login using AD credentials.

Expected behavior
User logs in and authenticates.

Screenshots
If applicable, add screenshots to help explain your problem.

Your Configuration (please complete the following information):

  • BookStack Version: 0.24.3
  • PHP Version: PHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )
  • Hosting Method (Nginx/Apache/Docker): Apache2 (2.4.29)
  • Windows 2008 R2 Domain Controller and functional level.

Additional context
Possibly related: #317

OVERLORD added the 🐛 Bug, 🚀 Priority labels 2026-02-04 23:04:43 +03:00

@derek-shnosh commented on GitHub (Dec 8, 2018):

I figured out what the issue was.

The account was part of some AD groups that had parentheses in their names.

![image](https://user-images.githubusercontent.com/21090563/49680248-5dbe8d00-fa8a-11e8-8c32-1b35abee64f4.png)

Apparently it was referencing that group as a search filter.

Since the user was part of the `DOCS_LOGIN` group, they were able to log in... but this bug breaks the LDAP group mappings; i.e. `LDAP_USER_TO_GROUPS` and `LDAP_REMOVE_FROM_GROUPS`.

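The root cause described in the comment above is a group DN being interpolated into an LDAP search filter without RFC 4515 escaping, so the parentheses in the group name are read as filter syntax. The Python below is an added example, not BookStack's own code: it shows the escaping a fix needs (the same characters PHP's `ldap_escape(..., LDAP_ESCAPE_FILTER)` handles) and a minimal filter-syntax check that rejects the raw DN but accepts the escaped one. The group `CN=Docs (Legacy),...` and the user `jdoe` are constructed sample values.

```python
# RFC 4515 section 3: these bytes must be hex-escaped inside an assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def member_of_filter(user: str, group_dn: str) -> str:
    """Same shape as the issue's LDAP_USER_FILTER, but every substituted value
    is escaped. Escaping the user too closes the door on filter injection."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        ldap_escape_filter(user), ldap_escape_filter(group_dn))


def parse_filter(flt: str) -> bool:
    """Minimal RFC 4515 syntax check: True when the whole string is one
    well-formed filter. An assertion value may not contain an unescaped
    '(' or ')', which is exactly what a raw group DN with parentheses breaks
    and what the server reports as 'Bad search filter'."""
    pos = 0

    def _filter() -> None:
        nonlocal pos
        if pos >= len(flt) or flt[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if flt[pos] in "&|":            # and / or: a list of nested filters
            pos += 1
            while pos < len(flt) and flt[pos] == "(":
                _filter()
        elif flt[pos] == "!":           # not: exactly one nested filter
            pos += 1
            _filter()
        else:                           # attr=value item; honour \xx escapes
            while pos < len(flt) and flt[pos] not in "()":
                pos += 3 if flt[pos] == "\\" else 1
        if pos >= len(flt) or flt[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        pos += 1

    try:
        _filter()
    except (ValueError, IndexError):
        return False
    return pos == len(flt)
```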

@ssddanbrown commented on GitHub (Dec 9, 2018):

Thanks for reporting and doing the investigation work and providing details @derek-shnosh. Really helpful stuff.
Have marked as a priority for the next release.


@ssddanbrown commented on GitHub (Dec 20, 2018):

Added a fix in 26ec1cc3dcd4ebc205ab7746cc4a92603f37ea97. Will be in next release. Hoping that will be later this weekend.


@derek-shnosh commented on GitHub (Dec 21, 2018):

Excellent!


@derek-shnosh commented on GitHub (Dec 29, 2018):

@ssddanbrown - figured I'd ask here, is there a way to run from the master branch?

If I checkout the master branch and refresh the page, it's pretty broken. I'm guessing because `public\dist` doesn't exist as you [mention here](https://github.com/BookStackApp/BookStack/issues/879#issuecomment-395506105).


@ssddanbrown commented on GitHub (Dec 29, 2018):

@derek-shnosh there is, but you'll need a recent version of Node.JS installed and then follow the build steps towards the top of [this section](https://github.com/BookStackApp/BookStack#development--testing) in the readme.

Alternatively, since I've got the files open, here's a zip of built files from current master:
[bookstack-dist-files-master.zip](https://github.com/BookStackApp/BookStack/files/2715784/bookstack-dist-files-master.zip)
Copy the files out of the zip to `public/dist`.

Just a warning, master can be a little unstable. Might be okay right now but I'd avoid updates and switch back to release when you can.

Next release is a little late. Now hoping to get it out before Wednesday the 2nd.


@derek-shnosh commented on GitHub (Dec 29, 2018):

Thanks for the response/input @ssddanbrown.

Try to enjoy the weekend and new year celebrations!


Reference: starred/BookStack#939