BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

LDAP group sync - no query for memberOf #3817

Closed ZAck1387 closed 1 year ago

ZAck1387 commented 1 year ago

Describe the Bug

Hi there,

I am currently testing BookStack for the first time. Please help me with some guidance here.

LDAP server: my test environment is based on Microsoft AD (2012 R2).

LDAP login works, but it does not try to query the LDAP group attributes of the user who tries to log in and therefore fails any matching. The debug log looks like this and is totally missing the "memberOf" attribute:

```json
{"details_from_ldap":{"count":0,"dn":"CN=Bookstack Tester,OU=bookstack,DC=test,DC=local"},"parsed_direct_user_groups":[],"parsed_recursive_user_groups":[]}
```

I have also tried other group attributes, user filters, or updating PHP to 8.1.12.

That is my config:

```
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://test.local:636
LDAP_BASE_DN="OU=bookstack,DC=test,DC=local"
LDAP_DN="CN=Service Bookstack,OU=bookstack,DC=test,DC=local"
LDAP_PASS="password1"
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_USER_FILTER=(&(userPrincipalName=${user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_START_TLS=false
LDAP_THUMBNAIL_ATTRIBUTE=thumbnailPhoto

LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=true

LDAP_DUMP_USER_GROUPS=true
```

Steps to Reproduce

Log in with a user using the above-mentioned config; the debugger will show no memberOf.

Expected Behaviour

Expected behaviour would be that even if matching does not work, it at least lists the memberOf groups of the user who tries to log in, as mentioned in the BookStack 22.03 release:

https://www.bookstackapp.com/blog/bookstack-release-v22-03/

For example:

```json
{
  "details_from_ldap": {
    "0": "memberof",
    "memberof": {
      "0": "cn=Editor,ou=Users,o=abc123,dc=jumpcloud,dc=com",
      "1": "cn=Wizards,ou=Users,o=abc123,dc=jumpcloud,dc=com",
      "2": "cn=All Users,ou=Users,o=abc123,dc=jumpcloud,dc=com",
      "count": 3
    },
    "count": 1,
    "dn": "uid=bjacobs,ou=Users,o=abc123,dc=jumpcloud,dc=com"
  },
  "parsed_direct_user_groups": [
    "Editor",
    "Wizards",
    "All Users"
  ],
  "parsed_recursive_user_groups": [
    "Editor",
    "Wizards",
    "All Users"
  ]
}
```

Screenshots or Additional Context

No response

Browser Details

Edge 106 64-bit Win10; Firefox 106.0.2 64-bit Win10

Exact BookStack Version

22.10.1

PHP Version

8.1.11 + 8.1.12

Hosting Environment

Alma Linux 8.6

ssddanbrown commented 1 year ago

Hi @ZAck1387, this generally sounds like an issue of your LDAP system not returning group details.

ZAck1387 commented 1 year ago

Hi @ssddanbrown,

thank you for your reply.

ssddanbrown commented 1 year ago

@ZAck1387 ldapsearch is fairly common, commonly part of an ldap-utils package (have no idea about Alma Linux though).

ZAck1387 commented 1 year ago

@ssddanbrown thank you very much, that was the right direction I needed, and I could fix it.

The service user had no permission to read the "memberOf" attribute.

For reference: I've installed openldap-clients and with the command

```shell
ldapsearch -H ldaps://test.local:636 -b "CN=Bookstack Tester,OU=bookstack,DC=test,DC=local" -D "CN=Service Bookstack,OU=bookstack,DC=test,DC=local" -W
```

I could verify the service user couldn't read the memberOf attribute.

In MS AD, I added under the security permissions for the specific OU an entry for the service user with Type "Allow", Applies to "Descendant User Objects", and "Read memberOf".
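A small check for the condition diagnosed in this thread, added here as an example and not part of BookStack or of the original discussion: it parses the LDIF that the ldapsearch command above prints and reports whether the bind account could read memberOf, deriving the group CNs the way BookStack's parsed_direct_user_groups shows them. The two LDIF samples are constructed; the DN values are assumptions.

```python
"""Check whether an LDAP bind account can read a user's memberOf attribute.

Added example (not BookStack code). Feed parse functions the LDIF output of
ldapsearch run with the BookStack service account's bind DN.
"""
import base64
import re

# Constructed sample: what ldapsearch prints for the user when the bind
# account CAN read memberOf. One value is wrapped onto an LDIF continuation
# line and one is base64-encoded ("::"), as ldapsearch does for non-ASCII DNs.
UMLAUT_DN = "CN=Büro,OU=bookstack,DC=test,DC=local"  # assumed group DN
SAMPLE_LDIF_OK = (
    "dn: CN=Bookstack Tester,OU=bookstack,DC=test,DC=local\n"
    "cn: Bookstack Tester\n"
    "memberOf: CN=Editors,OU=bookstack,DC=test,DC=local\n"
    "memberOf: CN=Wiki Admin\n"
    " s,OU=bookstack,DC=test,DC=local\n"
    "memberOf:: " + base64.b64encode(UMLAUT_DN.encode()).decode() + "\n"
)

# Constructed sample: the same entry when the bind account lacks
# "Read memberOf" on the OU; the attribute is silently omitted.
SAMPLE_LDIF_DENIED = (
    "dn: CN=Bookstack Tester,OU=bookstack,DC=test,DC=local\n"
    "cn: Bookstack Tester\n"
)


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading single space) to their line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def member_of_values(ldif: str) -> list[str]:
    """Return every memberOf DN in the entry, decoding base64 ('::') values."""
    values: list[str] = []
    for line in unfold_ldif(ldif):
        m = re.match(r"^memberOf(::?) (.*)$", line, re.IGNORECASE)
        if m:
            sep, val = m.groups()
            values.append(base64.b64decode(val).decode() if sep == "::" else val)
    return values


def group_names(dns: list[str]) -> list[str]:
    """CN of each group DN, as in BookStack's parsed_direct_user_groups."""
    return [re.split(r"(?<!\\),", dn)[0].split("=", 1)[1] for dn in dns]


def can_read_member_of(ldif: str) -> bool:
    """True when the bind account received at least one memberOf value."""
    return bool(member_of_values(ldif))
```

An empty result for a user known to be in groups points at the bind account's read permission on memberOf rather than at BookStack's group matching.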