THX so much !!!
btw these demo videos are a REALLLLYYYY helpful thing, I have queued up like.. 10??? to watch... thanks for doing this!!!
Wow, NICE! I really like your way of explaining things. Thank you for these videos! They are superb.
Happy to hear they're useful. Thanks for the kind message!
@BookStackApp I started deploying BookStack in our company yesterday and the LDAP setting was a pain. Mainly the Filter field, where in different applications (gitea, snipeit) I had a more complex filter that checked if the user was part of a defined group and has an email with our domain. This I couldn't make work. Will try tomorrow again. But the way with roles would nicely solve this problem with those group aliases. Really looking forward to creating some documentation :-)
I love it, both bookstack and your amazing workthroughs!
The written documentation would probably already suffice, but having such a nice companion video; I brought it up and running within less than 60 minutes.
Btw, I am using openldap, and the uid, mail and jpeg implementation work great there!
That's great! Good to hear this video was useful!
Dear Dan, thank you for providing Bookstack. Its superior performance, functions, design and simplicity in editing for users make it so unique. As you asked in your 31st Dec blog post, what could boost awareness were use-case videos on YouTube from business context, and more references to managed Bookstack hosters. I started with a managed hoster who offered 1-click-installation and it reduced my hesitation from trying the software so much, as I am a non-technical person, like many decision makers in companies who care about organizational topics. Also, please keep this project open-source, so everyone can try it! More people like me from business ventures will come across and start using it when you stay active on the project. Thanks a lot!
I just donated you some bucks on GitHub as I know no one is able to live from warm words solely, I hope more people will do that too!
Thank you so much for your positive words, advisories and donation! It means a lot! I'll keep a note of your comments as awareness boosting ideas. I totally agree access could be eased for non-technical folks, just need to ensure we improve that in a project-sustaining way.
Don't worry, Open source is very close to my ideals, I have no intention to close it off!
Excellent video! But I have a question, I want to configure with an LDAP base from my Active Directory, if I create a role called "Domain Users", will all users in that group be part of this role?
Thanks Victor, I'm not quite sure I understand the scenario here.
Roles need to be mapped as shown in the video, so either by name matching with LDAP groups or by manually configuring the mapping.
@BookStackApp It's worked, thank you very much!
Hey Dan, am I correct to assume OIDC authentication through microsoft azure-ad should work? Also what confuses me in the documentation is, that it says if it cannot find a user in the oidc provider it will automatically create them - can this be prevented? (As I only want users who actually have an account to be able to setup an account in bookstack)
I have not specifically tested azure-ad with OIDC, but if they provide OIDC then it should work.
>> that it says if it cannot find a user in the oidc provider it will automatically create them - can this be prevented?
No, the idea of the LDAP/OIDC/SAML2 auth methods is to delegate authorization to a third-party system, and BookStack tries to provide a seamless experience with that auth system.
There are a couple of possible options:
- Limit access to the OIDC application you create in Azure-AD. From what I remember you can often control applications by user/group.
- Alternatively, use 'standard' BookStack authentication and use the "Azure AD" social login option, which would allow you to disable any kind of registration, and azure login would exist as a convenience login option upon standard username/password.
@BookStackApp Thanks a lot for the answer. Much appreciated. Sent you a "KoFi" :)
I have been at this for days. We have an active directory, and I cannot seem to get LDAP to work with bookstack. I enabled debug, but do not get any errors. I run this in a docker compose. It just tells me "These credentials do not match our records.", when I'm 1000% sure they are correct.
This message may also show if no matching user was found for the given LDAP lookup based upon the defined `LDAP_USER_FILTER` and user-provided username.
Since you mention using docker-compose, how are you defining the `LDAP_USER_FILTER` option? Are you doing any additional escaping? Or do you make use of the docker-compose `env_file` option at all?
@BookStackApp I have a .env file, and I have tried several different user filters.
I have tried the default, the one specified to use with AD in the documentation, and a couple I found in some forums.
I'll reply here later with the exact line of text once I am back to my desk.
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
@BookStackApp Character escaping fixed the problem in the Docker Compose file for me:
LDAP_USER_FILTER="(&(sAMAccountName=$${user}))"
Thank you
Thanks
Great Video! I do have a question regarding the debugging tool, however. When I enable it, it doesn't return the data as shown in the video, it just says the same thing as if it weren't enabled "An Unknown Error Occurred." I think it has to do with enabling the ldap-php extension, but I'm not 100% sure. Any help would be greatly appreciated!
It sounds like there's a general other issue, preventing the code from getting to the debug log.
Follow our general guidance here to find the detail of errors that show on the "An unknown error occurred" view:
www.bookstackapp.com/docs/admin/debugging/#error-log-file
💕💕❤❤🌷🌷
How can I deny login for LDAP users which are not in any role groups?
Fundamental access (Accept/deny BookStack login) would be controlled by the LDAP_USER_FILTER you define in your `.env` file, so you could expand this out with group conditions so that you are filtering-in only those in the accepted groups.
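
Added example (not part of the thread and not BookStack's own code): a small pre-flight check covering the two filter problems discussed above, the `${user}` placeholder being consumed by Docker Compose interpolation and restricting login to a group through `LDAP_USER_FILTER`. The interpolation function is a simplified model of Compose behaviour, and the group DN is a hypothetical value.

```python
import re

PLACEHOLDER = "${user}"  # token BookStack swaps for the login name

def compose_interpolate(value, env):
    """Simplified model of Compose interpolation: '$$' gives a literal '$',
    '${NAME}' gives env[NAME], or an empty string when NAME is unset."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        return env.get(m.group(1), "")
    return re.sub(r"\$\$|\$\{(\w+)\}", sub, value)

def filter_problems(effective):
    """Return the reasons a filter value, as the application receives it,
    cannot select the user who is logging in."""
    problems = []
    if PLACEHOLDER not in effective:
        problems.append("placeholder ${user} missing")
    depth = 0
    for ch in effective:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems

def restrict_to_group(user_filter, group_dn):
    """AND an existing user filter with a memberOf condition."""
    return f"(&{user_filter}(memberOf={group_dn}))"

# Constructed sample values
UNESCAPED = "(&(sAMAccountName=${user}))"   # as first posted in the thread
ESCAPED = "(&(sAMAccountName=$${user}))"    # the form reported to work
GROUP_DN = "CN=BookStack Users,OU=Groups,DC=example,DC=com"  # hypothetical

if __name__ == "__main__":
    for raw in (UNESCAPED, ESCAPED, restrict_to_group(ESCAPED, GROUP_DN)):
        seen = compose_interpolate(raw, env={})
        print(f"{raw}\n  -> {seen}\n  problems: {filter_problems(seen) or 'none'}")
```

With the unescaped value the application receives `(&(sAMAccountName=))`, which matches no directory entry, so a correct password still ends in "These credentials do not match our records."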