v0.23.2 // (AD) LDAP & "Default user role"... also, multiple ldap_user_filter entries? #973
Comments
Looked at this again with a semi-clear head and thought the
I re-ran the
```
$ ldapsearch -xLLL -b CN="test,OU=domain admins,OU=city,OU=users,OU=corp,DC=domain,DC=local" -h dc.domain.local -D docssvc@domain.local -W | grep memberOf
Enter LDAP Password:
memberOf: CN=Docs_Admin,OU=security,OU=groups,OU=corp,DC=domain,DC=local
```
Maybe this is a bug? Or my head isn't as clear as I thought it was and I'm still missing something.
I took one last stab and added the DN for the
I created another test user and was still assigned the
Hi @derek-shnosh, sorry for the lack of reply. I had missed this issue before, so sorry if it's too late.
Ldap Group Sync Logic with 'remove_from_groups' Enabled
I've bolded the part that may be relevant from reading the above. I think you may just need to set the
Let me know if that helps or if I've missed the mark.
Thanks for the response @ssddanbrown. Here is my LDAP_USER_FILTER, and how it is broken down:
```
LDAP_USER_FILTER="(&(sAMAccountName=${user})(|(memberOf=CN=docs_admin,OU=security,OU=groups,OU=corp,DC=domain,DC=local)(memberOf=CN=docs_viewer,OU=security,OU=groups,OU=corp,DC=domain,DC=local)))"
```
LDAP_USER_FILTER objects:
Per the documentation;
Hopefully I'm interpreting this correctly; i.e. (providing the account was found within any of the groups configured in the
I did some experimenting this morning and have things working.
My interpretation of the LDAP authentication configuration
The
My configuration changes
Results
I am confused as to why my previous configuration didn't work, because my test account was a member of the AD security group Docs_Admin which was defined in my
Disclosure
I wasn't sure how to submit this, as a request or as a bug, so please flag accordingly. I have concerns/questions regarding using LDAP integration with AD. I may have overlooked something that's just not registering with me right now because my head is so deep in the weeds.
Goal
Match user roles to security groups without manually entering them in the admin UI. If the LDAP user is not a member of a group name matching any of the roles, then login should not be permitted.
Meat n' Potatoes
I'm not sure if this is more a BookStack concern or a MSFT concern, but are groups supported in the `ldap_user_filter` entries? I see that adding users individually to the `ldap_user_filter` is supported, per @ssddanbrown's comment on issue #971 (reference). Based on this, I don't think it's an MSFT concern since we're running Server 2016 in our environment (domain function level 2012).
Observation
`ldap_user_filter` entries.
`ldap_user_filter` entries exist.
Example
If the default role is configured to Docs_Public and a user in the group Docs_Viewer logs in for the first time, they are incorrectly assigned the Docs_Public role.
Validation
Result
Configuration Details
File
/.env
Notes
`ldap_user_filter` to use `(objectClass=user)` instead of `(sAMAccountName=${user})`, but then I can't even complete the first login.
`LDAP_USER_FILTER` string, the end result is the same.
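The thread above discusses an `LDAP_USER_FILTER` of the form `(&(sAMAccountName=${user})(|(memberOf=...)(memberOf=...)))` and a variant that swaps the username clause for `(objectClass=user)`. The following is an added example, not BookStack code and not the reporter's configuration: a small evaluator for that filter subset (`&`, `|` and `attribute=value` equality, including multi-valued `memberOf`) run against constructed Active Directory entries. It shows which accounts each filter admits, why the `(objectClass=user)` variant can no longer single out the logging-in user, and, going beyond the thread, why the value substituted for `${user}` should be escaped per RFC 4515. Group DNs, account names and directory entries are constructed sample values.

```python
"""Evaluate an LDAP_USER_FILTER of the shape discussed in the issue against
constructed AD entries. Added example: not BookStack code, not the reporter's
configuration. Only '&', '|' and attribute=value equality are supported.
"""
import re

GROUP_BASE = "OU=security,OU=groups,OU=corp,DC=domain,DC=local"  # constructed
ADMIN_GROUP = f"CN=docs_admin,{GROUP_BASE}"
VIEWER_GROUP = f"CN=docs_viewer,{GROUP_BASE}"

# Same shape as the issue's filter; ${user} is substituted at login time.
USER_FILTER_TEMPLATE = (
    "(&(sAMAccountName=${user})"
    f"(|(memberOf={ADMIN_GROUP})(memberOf={VIEWER_GROUP})))"
)
# Variant from the issue that drops the username clause.
OBJECTCLASS_TEMPLATE = (
    "(&(objectClass=user)"
    f"(|(memberOf={ADMIN_GROUP})(memberOf={VIEWER_GROUP})))"
)

# Constructed directory: memberOf is multi-valued and the stored group CN
# is capitalised differently from the filter (Docs_Admin vs docs_admin).
DIRECTORY = [
    {"sAMAccountName": "test", "objectClass": ["top", "person", "user"],
     "memberOf": [f"CN=Docs_Admin,{GROUP_BASE}"]},
    {"sAMAccountName": "viewer1", "objectClass": ["top", "person", "user"],
     "memberOf": [f"CN=Docs_Viewer,{GROUP_BASE}",
                  "CN=Domain Users,CN=Users,DC=domain,DC=local"]},
    {"sAMAccountName": "outsider", "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=Domain Users,CN=Users,DC=domain,DC=local"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so a login name
    cannot open or close filter clauses of its own."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template, username):
    return template.replace("${user}", escape_filter_value(username))


def parse_filter(text):
    """Parse into ('&', [...]), ('|', [...]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # escaped parens are \28/\29, so this is the real close
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, unescape_filter_value(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    kind = tree[0]
    if kind == "&":
        return all(matches(child, entry) for child in tree[1])
    if kind == "|":
        return any(matches(child, entry) for child in tree[1])
    _, attr, wanted = tree
    present = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if isinstance(present, str):
        present = [present]
    # AD compares attribute names and DNs case-insensitively, which is why
    # CN=docs_admin in the filter still matches the stored CN=Docs_Admin.
    return any(value.lower() == wanted.lower() for value in present)


def find_users(username, template=USER_FILTER_TEMPLATE, directory=DIRECTORY):
    """Return the sAMAccountNames the rendered filter matches."""
    tree = parse_filter(render_filter(template, username))
    return [e["sAMAccountName"] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    for name in ("test", "viewer1", "outsider", "test)(objectClass=user)"):
        print(f"{name!r:30} -> {find_users(name)}")
    print("objectClass variant       -> ", find_users("test", OBJECTCLASS_TEMPLATE))
```

With the `sAMAccountName` clause present, each login name resolves to at most one entry and only group members get through; with `(objectClass=user)` in its place the same filter matches every member of either group, so nothing in the filter identifies the person logging in. The escaped login name `test)(objectClass=user)` is treated as a literal value and matches nobody rather than rewriting the filter.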