LDAP: Adding second AD group crashes BookStack — admins still require manual permissions
Attempted Debugging
- [x] I have read the debugging page
Searched GitHub Issues
- [x] I have searched GitHub for the issue.
Describe the Scenario
I have connected BookStack to our Active Directory (AD) via LDAP and I am using the LDAP_USER_FILTER. I want two AD groups to map to different BookStack roles:
AD_WikiAdmin → BookStack Admins
AD_WikiViewer → BookStack Viewers
I followed the BookStack documentation, but I can't get this working.
What I tried
Configured LDAP authentication and LDAP_USER_FILTER.
Got a single-group setup working to some extent.
Tried adding a second group for viewers using the same LDAP configuration approach.
Expected behavior
Users in AD_WikiAdmin should be automatically assigned the Admin role.
Users in AD_WikiViewer should be automatically assigned a Viewer role (read-only).
Actual behavior
Admin users still need to be granted Admin permissions manually after their first login.
When I add a second AD group (for viewers) to the LDAP configuration, BookStack crashes/becomes unusable.
Hope you can help me
Exact BookStack Version
25.02.5
Log Content
Hosting Environment
PHP 8.3.6 Ubuntu 24.04.2 LTS
Hi @SudoPan, When you say the following:
When I add a second AD group (for viewers) to the LDAP configuration, BookStack crashes/unusable.
Can you confirm exactly what you're changing to achieve this?
Hello @ssddanbrown
I tried something like this in the .env file:
LDAP_GROUPS=CN=Bookstack-Viewer,OU=Groups,DC=business,DC=local:viewer
LDAP_GROUPS=CN=Bookstack-Admin,OU=Groups,DC=business,DC=local:admin
I tried many things but can't get it to work so that I have a second AD group from the AD that can only view my shared Books / Sites in BookStack.
@SudoPan Are you attempting to follow an LLM or AI for configuring this?
If so, please don't. There's no LDAP_GROUPS used by BookStack. Remove those options.
Group matching is done based on fetched "memberOf" group CN values matched with BookStack role names (or external auth ID values where set). Please read our documentation on LDAP group sync for more specific details.
Good day @ssddanbrown
Thank you for trying to help me.
I tried to set this up using the documentation and with the help of an AI.
When I read through the documentation, I’m still missing one small piece of information that I don’t fully understand.
In the documentation, I don’t find the section about working with two AD groups.
Currently, I’m working with the following setup, where the group BookStack_Admin is allowed to use the wiki:
Activate LDAP Groups
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE=memberOf
User Group for BookStack
LDAP_USER_FILTER="(&(objectClass=user) (SAMAccountName=${user}) (memberOf=CN=BookStack_Admin, OU=Groups, DC=my, DC=local))"
LDAP_USER_ATTRIBUTE=sAMAccountName
Now, I would like to reconfigure this so that the AD group BookStack_Admin directly gets the Admin role in BookStack.
Additionally, I want to add a second AD group, BookStack_Viewer, which should directly receive the Viewer role in BookStack.
I’m not sure if this is even possible, since I can’t really figure it out from the documentation.
Now, I would like to reconfigure this so that the AD group BookStack_Admin directly gets the Admin role in BookStack.
Assuming that your LDAP system is providing valid memberOf values, all you'd need to do is edit the "Admin" role in BookStack, then set the "External Authentication IDs" field to bookstack_admin.
Additionally, I want to add a second AD group, BookStack_Viewer, which should directly receive the Viewer role in BookStack.
Same as above but for the "Viewer" role in BookStack, setting bookstack_viewer in the "External authentication IDs" field.
You'll also need to remove the (memberOf=CN=BookStack_Admin, OU=Groups, DC=my, DC=local) part of your user filter to allow such users to log-in (or alternatively you could add extra groups in an OR configuration within your filter query).
That sounds good.
Do I understand correctly that as soon as I set up the external authentication IDs (does that simply mean entering a number)?
What would that look like in the .env file? Do you perhaps have an example?
Thanks for your help.
as I set up the external authentication IDs (does that simply mean entering a number)?
The value you enter should match the CN value of the role, formatted as per our docs. So to match with memberOf=CN=BookStack_Admin, OU=Groups, DC=my, DC=local you'd use a value of bookstack_admin.
What would that look like in the .env file? Do you perhaps have an example?
It's not part of the .env file config, but a field in the UI seen when editing a specific role (when LDAP/SAML2/OIDC is active). See my video from about 21:05 where I add group syncing and perform some mapping using this field: https://youtu.be/50qw_LkhwoM?t=1265
Ah, thank you. I think I had misunderstood something in the configuration. I will try it and let you know. Thank you for the help.
Hello @ssddanbrown,
Sorry for the late message.
I followed the steps from your video and adjusted my setup accordingly. I removed my specific memberOf path and replaced it with the generic configuration as shown in the video:
# Enable LDAP group sync, set to 'true' to enable.
LDAP_USER_TO_GROUPS=true
# LDAP user attribute containing groups, defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE="memberOf"
# Remove users from roles that don't match LDAP groups.
# Note: While this is enabled, the "Default Registration Role" (editable within the
# BookStack settings view) will be considered a matched role and assigned to the user.
LDAP_REMOVE_FROM_GROUPS=false
After that, I added my bookstack_admin group to the Admin role in the external authentication ID settings.
However, once I make these changes, I can no longer log in. I tested this with both my existing bookstack_admin group and a newly created group, but the login still fails in both cases.
Is there an error log I can check to find out what’s going wrong?
Thanks in advance for your help!