Configuring Bookstack to use LDAP



  • Hey guys.

    I am trying to authenticate via LDAP with my Bookstack server. I am using this as a reference: https://www.bookstackapp.com/docs/admin/ldap-auth/

    If I follow these directions Bookstack breaks.

    nslookup -query=srv _ldap._tcp.domain.local reflects the IP Address I have entered.

    # General auth
    AUTH_METHOD=ldap
    
    # The LDAP host, Adding a port is optional
    LDAP_SERVER=IP Address:389
    # If using LDAP over SSL you should also define the protocol:
    # LDAP_SERVER=ldaps://example.com:636
    
    # The base DN from where users will be searched within
    LDAP_BASE_DN=ou=\Information \Technology,dc=domain,dc=local
    
    # The full DN and password of the user used to search the server
    # Can both be left as false to bind anonymously
    LDAP_DN=false
    LDAP_PASS=false
    
    # A filter to use when searching for users
    # The user-provided user-name used to replace any occurrences of '${user}'
    LDAP_USER_FILTER=(&(sAMAccountName=${user}))
    
    # Set the LDAP version to use when connecting to the server
    LDAP_VERSION=3
    
    # Set the default 'email' attribute. Defaults to 'mail'
    LDAP_EMAIL_ATTRIBUTE=mail
    
    # Set the property to use for a user's display name. Defaults to 'cn'
    LDAP_DISPLAY_NAME_ATTRIBUTE=cn
    
    # If you need to allow untrusted LDAPS certificates, add the below and uncomment (remove the #)
    # Only set this option if debugging or you're absolutely sure it's required for your setup.
    #LDAP_TLS_INSECURE=true
    

    I've never used LDAP really. Never had the need.



  • Seems to be the space in the OU. Trying to find the correct syntax online. I thought it was `\Information \Technology`, but that is apparently not the case.
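The OU syntax problem in the two posts above is an RFC 4514 escaping question: a space in the middle of a DN value such as `Information Technology` needs no escaping at all, while a leading or trailing space, a leading `#`, and the characters `, + " \ < > ;` do, and `\Information \Technology` is not a valid escape sequence. The helpers below are an added example written for this page, not BookStack code or anything posted in the thread. They also cover the related RFC 4515 rule that any `${user}` substitution into LDAP_USER_FILTER must hex-escape the user-supplied name (BookStack performs that substitution itself; this is an independent illustration). The function names and the sample values `Sales, EMEA ` and `*)(objectClass=*` are made up for the example.

```python
"""LDAP value escaping: RFC 4514 for DN components, RFC 4515 for search filters.

Added example for this thread, not BookStack code. It shows why the OU
'Information Technology' needs no escaping in LDAP_BASE_DN, which values do,
and what a safe '${user}' substitution into LDAP_USER_FILTER has to do.
"""
from __future__ import annotations

# RFC 4514 section 2.4: these must be backslash-escaped anywhere in a DN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514).

    A space in the middle of a value is left alone; only a leading or
    trailing space, a leading '#', NUL, and the characters in _DN_SPECIAL
    are escaped. Writing '\\Information \\Technology', as tried in the
    thread, is not a valid RFC 4514 escape at all.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns: tuple[str, str]) -> str:
    """Assemble a DN from (attribute, value) pairs, most specific RDN first."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


# RFC 4515 section 3: these must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute ${user} into a filter template with the username escaped.

    The template is trusted configuration (LDAP_USER_FILTER); the username
    comes from the login form, so only it is escaped. BookStack does its own
    substitution; this function is an independent illustration of the rule.
    """
    return template.replace("${user}", escape_filter_value(username))


if __name__ == "__main__":
    # The OU from the first post, built correctly: no escaping needed.
    print(build_dn(("ou", "Information Technology"), ("dc", "domain"), ("dc", "local")))
    # A constructed value that does need escaping.
    print(build_dn(("ou", "Sales, EMEA "), ("dc", "domain"), ("dc", "local")))
    # A filter-injection attempt is neutralised by hex escaping.
    print(build_user_filter("(&(sAMAccountName=${user}))", "*)(objectClass=*"))
```

Running the block prints `ou=Information Technology,dc=domain,dc=local` for the thread's OU, which is the form to put in LDAP_BASE_DN; the second DN shows the comma and trailing space escaped, and the third shows a login name of `*)(objectClass=*` reduced to a harmless literal inside the filter.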



  • Figured out the proper syntax. Now it seems like it's forcing e-mail registration for AD users, which I don't want. I need to disable that.



  • I have it set up, let me get the configuration right now.



  • Disable it as below under the settings page.
    [screenshot of the settings page]



  • I would also encourage using LDAPS instead of LDAP. That said, you can just get the DN via the Active Directory Users and Computers advanced view or through PowerShell.



  • These are my settings:

    # General auth
    #AUTH_METHOD=standard
    AUTH_METHOD=ldap
    
    # LDAP Host
    LDAP_SERVER=1.2.3.4:636
    
    # The base DN for users
    LDAP_BASE_DN=DC=domain,DC=com
    
    # The full DN and password for binding
    LDAP_DN=CN=bookstack,CN=Users,DC=domain,DC=com
    LDAP_PASS=<bind account password>
    
    # A filter to use when searching for users
    LDAP_USER_FILTER=(&(mail=${user}))
    LDAP_VERSION=3
    
    # Set the default 'email' attribute. Defaults to 'mail'
    LDAP_EMAIL_ATTRIBUTE=mail
    
    # Set the property to use for a user's display name. Defaults to 'cn'
    LDAP_DISPLAY_NAME_ATTRIBUTE=cn
    
    # Enable LDAP group sync, Set to 'true' to enable.
    LDAP_USER_TO_GROUPS=true
    
    # LDAP user attribute containing groups, Defaults to 'memberOf'.
    LDAP_GROUP_ATTRIBUTE="memberOf"
    
    # Remove users from roles that don't match LDAP groups.
    LDAP_REMOVE_FROM_GROUPS=false
    
    LDAP_AUTO_CONFIRM_EMAIL=true
    
    # A full list of options can be found in the '.env.example.complete' file.
    
    

    Make sure the local admin stays logged in (do not log out) while you change and save the settings, so that you can then add yourself as an admin tied to AD.
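Two points in the settings above deserve a check before copying them: LDAP_SERVER names port 636 without the `ldaps://` prefix that the docs comment in the first post says must be declared for LDAP over SSL, and group sync is enabled (LDAP_USER_TO_GROUPS=true) while LDAP_REMOVE_FROM_GROUPS=false, so roles a user gained from an AD group are never taken away when they leave it. The linter below is an added example written for this page, not BookStack code: it parses a .env fragment and reports those two conditions together with plaintext LDAP, LDAP_TLS_INSECURE=true and anonymous binds. The sample .env texts, the hostname `dc01.domain.com`, the placeholder password and the finding codes are all constructed for the illustration.

```python
"""Lint BookStack-style LDAP .env settings for the pitfalls raised in this thread.

Added example, not BookStack code. The option names are the ones in the posted
configs; the finding codes, sample .env texts, hostname and password below are
constructed for this illustration.
"""
from __future__ import annotations

import re

# scheme (optional) :// host : port (optional); hostnames and IPs both match.
_SERVER_RE = re.compile(r"^(?:(ldaps?)://)?([^:/\s]+)(?::(\d+))?/?$")


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and '#' comments; strip quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def parse_server(server: str) -> tuple[str | None, str, int | None]:
    """Split LDAP_SERVER into (scheme, host, port); scheme is None when absent."""
    m = _SERVER_RE.match(server)
    if not m:
        raise ValueError(f"unparseable LDAP_SERVER: {server!r}")
    scheme, host, port = m.groups()
    return scheme, host, int(port) if port else None


def lint_ldap_env(text: str) -> list[str]:
    """Return finding codes for the LDAP-related settings in a .env fragment."""
    env = parse_env(text)
    findings: list[str] = []
    if env.get("AUTH_METHOD") != "ldap":
        return findings  # LDAP auth not active; nothing to check

    server = env.get("LDAP_SERVER", "")
    if not server:
        findings.append("server-missing")
    else:
        scheme, _host, port = parse_server(server)
        if scheme is None and port == 636:
            # Port 636 alone is not LDAPS: the docs comment in the first post
            # says the ldaps:// protocol has to be declared explicitly.
            findings.append("ldaps-prefix-missing")
        elif scheme != "ldaps":
            # Plain ldap:// (port 389 or implied): bind credentials cross the
            # network unencrypted.
            findings.append("plaintext-ldap")

    if env.get("LDAP_TLS_INSECURE", "false").lower() == "true":
        findings.append("tls-insecure")

    if env.get("LDAP_DN", "false") == "false" and env.get("LDAP_PASS", "false") == "false":
        findings.append("anonymous-bind")

    if (env.get("LDAP_USER_TO_GROUPS", "false").lower() == "true"
            and env.get("LDAP_REMOVE_FROM_GROUPS", "false").lower() != "true"):
        # Roles granted from AD groups are kept after the user leaves the group.
        findings.append("no-role-revocation")
    return findings


# Constructed sample modelled on the settings posted above (password is a placeholder).
AS_POSTED = """
AUTH_METHOD=ldap
LDAP_SERVER=1.2.3.4:636
LDAP_BASE_DN=DC=domain,DC=com
LDAP_DN=CN=bookstack,CN=Users,DC=domain,DC=com
LDAP_PASS=example-bind-password
LDAP_USER_FILTER=(&(mail=${user}))
LDAP_VERSION=3
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=false
LDAP_AUTO_CONFIRM_EMAIL=true
"""

# Same settings with the protocol declared (hostname is assumed) and role removal on.
HARDENED = AS_POSTED.replace(
    "LDAP_SERVER=1.2.3.4:636", "LDAP_SERVER=ldaps://dc01.domain.com:636"
).replace("LDAP_REMOVE_FROM_GROUPS=false", "LDAP_REMOVE_FROM_GROUPS=true")

# Constructed sample in the shape of the first post: plain LDAP, anonymous bind.
ANONYMOUS_389 = """
AUTH_METHOD=ldap
LDAP_SERVER=10.0.0.5:389
LDAP_BASE_DN=ou=Information Technology,dc=domain,dc=local
LDAP_DN=false
LDAP_PASS=false
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
"""

if __name__ == "__main__":
    for name, sample in [("as posted", AS_POSTED), ("hardened", HARDENED), ("anonymous/389", ANONYMOUS_389)]:
        print(f"{name}: {lint_ldap_env(sample) or ['no findings']}")
```

The hardened sample uses a hostname rather than the IP on purpose: an LDAPS client checks the server certificate against the name it connected to, and connecting to a bare IP is what usually tempts people into setting LDAP_TLS_INSECURE=true, which switches that check off and is exactly what the docs comment in the first post warns against.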



  • @dbeato said in Configuring Bookstack to use LDAP:

    Disable it as below under the settings page
    [screenshot of the settings page]

    Yeah, I realized later it was the domain restriction.



  • @dbeato said in Configuring Bookstack to use LDAP:

    These are my settings:

    # General auth
    #AUTH_METHOD=standard
    AUTH_METHOD=ldap
    
    # LDAP Host
    LDAP_SERVER=1.2.3.4:636
    
    # The base DN for users
    LDAP_BASE_DN=DC=domain,DC=com
    
    # The full DN and password for binding
    LDAP_DN=CN=bookstack,CN=Users,DC=domain,DC=com
    LDAP_PASS=<bind account password>
    
    # A filter to use when searching for users
    LDAP_USER_FILTER=(&(mail=${user}))
    LDAP_VERSION=3
    
    # Set the default 'email' attribute. Defaults to 'mail'
    LDAP_EMAIL_ATTRIBUTE=mail
    
    # Set the property to use for a user's display name. Defaults to 'cn'
    LDAP_DISPLAY_NAME_ATTRIBUTE=cn
    
    # Enable LDAP group sync, Set to 'true' to enable.
    LDAP_USER_TO_GROUPS=true
    
    # LDAP user attribute containing groups, Defaults to 'memberOf'.
    LDAP_GROUP_ATTRIBUTE="memberOf"
    
    # Remove users from roles that don't match LDAP groups.
    LDAP_REMOVE_FROM_GROUPS=false
    
    LDAP_AUTO_CONFIRM_EMAIL=true
    
    # A full list of options can be found in the '.env.example.complete' file.
    
    

    Make sure the local admin stays logged in (do not log out) while you change and save the settings, so that you can then add yourself as an admin tied to AD.

    I just made the default role admin and then changed it after my initial logon, lol.

