Configuring Bookstack to use LDAP
-
Hey guys.
I am trying to authenticate via LDAP with my Bookstack server. I am using this as a reference: https://www.bookstackapp.com/docs/admin/ldap-auth/
If I follow these directions Bookstack breaks.
nslookup -query=srv _ldap._tcp.domain.local
reflects the IP Address I have entered.

# General auth
AUTH_METHOD=ldap
# The LDAP host, Adding a port is optional
LDAP_SERVER=IP Address:389
# If using LDAP over SSL you should also define the protocol:
# LDAP_SERVER=ldaps://example.com:636
# The base DN from where users will be searched within
LDAP_BASE_DN=ou=\Information \Technology,dc=domain,dc=local
# The full DN and password of the user used to search the server
# Can both be left as false to bind anonymously
LDAP_DN=false
LDAP_PASS=false
# A filter to use when searching for users
# The user-provided user-name used to replace any occurrences of '${user}'
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
# Set the LDAP version to use when connecting to the server
LDAP_VERSION=3
# Set the default 'email' attribute. Defaults to 'mail'
LDAP_EMAIL_ATTRIBUTE=mail
# Set the property to use for a user's display name. Defaults to 'cn'
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
# If you need to allow untrusted LDAPS certificates, add the below and uncomment (remove the #)
# Only set this option if debugging or you're absolutely sure it's required for your setup.
#LDAP_TLS_INSECURE=true
I've never used LDAP really. Never had the need.
-
Seems to be the space in the OU. Trying to find the correct syntax online. I thought it was \Information \Technology\ but that is apparently not the case.
-
Figured out the proper syntax. Now it seems like it's forcing e-mail registration for AD users which I don't want. I need to disable that.
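The thread does not spell out the syntax that finally worked, so here is an added example (not BookStack's code and not the poster's) of the two rules that together cover an OU value containing a space: RFC 4514 DN escaping, under which an interior space needs no backslash at all (only leading/trailing spaces, a leading '#', and the characters , + " \ < > ; are escaped), and dotenv quoting, under which a value containing whitespace must be wrapped in double quotes before it goes into .env. The quoting rule is an assumption about BookStack's Laravel-style .env loader; the DN below is constructed to mirror the one in the thread.

```python
"""Escape LDAP DN values (RFC 4514) and emit a quoted .env line.

Added example, not BookStack's code. The dotenv quoting convention used by
env_line() is an assumption about BookStack's Laravel-style .env loader.
"""
import re

# Characters that must be backslash-escaped anywhere inside a DN attribute
# value (RFC 4514 section 2.4).
_DN_SPECIAL = {'"', '+', ',', ';', '<', '>', '\\'}


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514.

    An interior space is legal and left alone; a leading or trailing space,
    a leading '#', the special characters above, and NUL are escaped.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns: list[tuple[str, str]]) -> str:
    """Join (attribute, raw value) pairs into a DN, escaping each value."""
    return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in rdns)


def env_line(key: str, value: str) -> str:
    """Render KEY=value for a .env file.

    dotenv loaders treat an unquoted value as ending at whitespace and '#'
    as the start of a comment, so a value containing either (or quotes or
    backslashes) is double-quoted, with inner quotes and backslashes
    escaped. Values without such characters are emitted bare.
    """
    if re.search(r'[\s#"\'\\]', value):
        escaped = value.replace('\\', '\\\\').replace('"', '\\"')
        return f'{key}="{escaped}"'
    return f'{key}={value}'


if __name__ == '__main__':
    # Constructed to mirror the OU with a space from the thread.
    base_dn = build_dn([('ou', 'Information Technology'),
                        ('dc', 'domain'), ('dc', 'local')])
    print(env_line('LDAP_BASE_DN', base_dn))
    # A value that genuinely needs RFC 4514 escaping (comma in the CN):
    print(env_line('LDAP_DN', build_dn([('cn', 'Smith, John'),
                                        ('cn', 'Users'),
                                        ('dc', 'domain'), ('dc', 'local')])))
```

Running it prints `LDAP_BASE_DN="ou=Information Technology,dc=domain,dc=local"`: the space stays unescaped inside the DN and the quotes are what keep the .env parser from splitting the value.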
-
I have it setup, let me get the configuration right now.
-
Disable it as below under the settings page
-
I would also encourage using LDAPS instead of LDAP. That said, you can just get the DN via the Active Directory Users and Computers advanced view or through PowerShell.
-
These are my settings:

# General auth
#AUTH_METHOD=standard
AUTH_METHOD=ldap
# LDAP Host
LDAP_SERVER=1.2.3.4:636
# The base DN for users
LDAP_BASE_DN=DC=domain,DC=com
#The full DN and password for binding
LDAP_DN=CN=bookstack,CN=Users,DC=domain,DC=com
LDAP_PASS=S0UP3rS7r0ngP@ssW0rd
#A filter to use when searching for users
LDAP_USER_FILTER=(&(mail=${user}))
LDAP_VERSION=3
# Set the default 'email' attribute. Defaults to 'mail'
LDAP_EMAIL_ATTRIBUTE=mail
# Set the property to use for a user's display name. Defaults to 'cn'
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
# Enable LDAP group sync, Set to 'true' to enable.
LDAP_USER_TO_GROUPS=true
# LDAP user attribute containing groups, Defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE="memberOf"
# Remove users from roles that don't match LDAP groups.
LDAP_REMOVE_FROM_GROUPS=false
LDAP_AUTO_CONFIRM_EMAIL=true
# A full list of options can be found in the '.env.example.complete' file.

Make sure the local admin stays logged in (not logged out) while you change and save the settings, so you can then add yourself as an admin tied to AD.
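Two things a practitioner would check in the settings above and in the first post's config are the transport and the filter. `LDAP_SERVER=1.2.3.4:636` names the LDAPS port but no `ldaps://` scheme, so a URI-based client still speaks plaintext LDAP, and LDAPS to a bare IP only verifies if the DC certificate carries that IP as a SAN, which is what tempts people into `LDAP_TLS_INSECURE=true`. Separately, the `${user}` placeholder in `LDAP_USER_FILTER` is substituted with whatever the login form sends, so the substitution must escape RFC 4515 metacharacters or a name like `*)(objectClass=*` rewrites the filter. The following is an added example, not BookStack's or dbeato's code; it assumes LDAP_SERVER is `host[:port]` or `scheme://host[:port]` without IPv6 brackets, the literal `${user}` placeholder from the thread, and a constructed settings dict.

```python
"""Lint the LDAP settings from a BookStack-style .env and render the user
filter safely. Added example, not BookStack's code.

Assumptions: LDAP_SERVER is host[:port] or scheme://host[:port] (no IPv6
brackets); LDAP_USER_FILTER uses the literal '${user}' placeholder as in the
thread; the settings dicts in main() are constructed for illustration.
"""
import ipaddress


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 (\\XX hex escapes),
    so a login name cannot add or close filter components."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def render_user_filter(template: str, username: str) -> str:
    """Replace every '${user}' in the filter template with the escaped name."""
    return template.replace('${user}', escape_filter_value(username))


def check_ldap_server(server: str) -> list[str]:
    """Return warnings for an LDAP_SERVER value (empty list if it looks sane)."""
    if '://' in server:
        scheme, _, rest = server.partition('://')
    else:
        scheme, rest = 'ldap', server          # no scheme means plaintext
    host, _, port = rest.partition(':')
    warnings = []
    if scheme != 'ldaps':
        if port == '636':
            warnings.append('port 636 without an ldaps:// scheme: the client still '
                            'speaks plaintext LDAP (binds fail against an LDAPS '
                            'listener, or go unencrypted against a plain one)')
        else:
            warnings.append('plaintext ldap://: the bind password and every user '
                            'password cross the network unencrypted unless StartTLS is used')
    else:
        try:
            ipaddress.ip_address(host)
            warnings.append('LDAPS to a bare IP: the DC certificate must carry that IP '
                            'as a SAN or verification fails; use the DC hostname '
                            'rather than setting LDAP_TLS_INSECURE=true')
        except ValueError:
            pass                               # a hostname, as expected
    return warnings


def check_env(settings: dict[str, str]) -> list[str]:
    """Flag the settings from the thread that weaken the setup."""
    warnings = check_ldap_server(settings.get('LDAP_SERVER', ''))
    if settings.get('LDAP_TLS_INSECURE', 'false').lower() == 'true':
        warnings.append('LDAP_TLS_INSECURE=true disables certificate verification, '
                        'so any host on the path can impersonate the DC')
    if settings.get('LDAP_DN', 'false') == 'false':
        warnings.append('LDAP_DN=false binds anonymously; AD refuses anonymous '
                        'searches by default, and a dedicated read-only bind '
                        'account is easier to audit')
    return warnings


if __name__ == '__main__':
    # Constructed settings: the thread's value beside a corrected one.
    weak = {'LDAP_SERVER': '1.2.3.4:636',
            'LDAP_DN': 'CN=bookstack,CN=Users,DC=domain,DC=com'}
    fixed = {'LDAP_SERVER': 'ldaps://dc01.domain.com:636',
             'LDAP_DN': 'CN=bookstack,CN=Users,DC=domain,DC=com'}
    for name, cfg in (('weak', weak), ('fixed', fixed)):
        print(name, check_env(cfg) or 'ok')
    # A hostile login name is neutralised rather than rewriting the filter.
    print(render_user_filter('(&(sAMAccountName=${user}))', '*)(objectClass=*'))
```

The fixed dict is the shape to aim for: `ldaps://` plus the DC's DNS name, a dedicated bind account, and no `LDAP_TLS_INSECURE`. The escaped filter printed last shows `*`, `)` and `(` turned into `\2a`, `\29` and `\28`, which is what any substitution of `${user}` has to do before the filter reaches the directory.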
-
@dbeato said in Configuring Bookstack to use LDAP:
Disable it as below under the settings page
Yeah, I realized later it was the domain restriction.
-
@dbeato said in Configuring Bookstack to use LDAP:
These are my settings:

# General auth
#AUTH_METHOD=standard
AUTH_METHOD=ldap
# LDAP Host
LDAP_SERVER=1.2.3.4:636
# The base DN for users
LDAP_BASE_DN=DC=domain,DC=com
#The full DN and password for binding
LDAP_DN=CN=bookstack,CN=Users,DC=domain,DC=com
LDAP_PASS=S0UP3rS7r0ngP@ssW0rd
#A filter to use when searching for users
LDAP_USER_FILTER=(&(mail=${user}))
LDAP_VERSION=3
# Set the default 'email' attribute. Defaults to 'mail'
LDAP_EMAIL_ATTRIBUTE=mail
# Set the property to use for a user's display name. Defaults to 'cn'
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
# Enable LDAP group sync, Set to 'true' to enable.
LDAP_USER_TO_GROUPS=true
# LDAP user attribute containing groups, Defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE="memberOf"
# Remove users from roles that don't match LDAP groups.
LDAP_REMOVE_FROM_GROUPS=false
LDAP_AUTO_CONFIRM_EMAIL=true
# A full list of options can be found in the '.env.example.complete' file.

Make sure the local admin stays logged in (not logged out) while you change and save the settings, so you can then add yourself as an admin tied to AD.
I just made the default role admin and then changed it after my initial logon, lol.