BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

Active Directory logins receiving "another user exists with different credentials" #5075

Closed Coros closed 5 months ago

Coros commented 5 months ago

Attempted Debugging

Searched GitHub Issues

Describe the Scenario

I configured LDAP following the setup guide but missed the Active Directory specific directions. Everything has been working for the most part, but a user will occasionally receive an error stating: "A user with email already exists but with different credentials". I've been able to resolve it by changing their external ID to their distinguished name, but that seems to only work for a time until it wants their sAMAccountName again.

I'd like to resolve this problem permanently. I see that changing from standard to OIDC authentication has a similar issue. There's an article on it here: https://www.bookstackapp.com/docs/admin/oidc-auth/#switching-to-oidc-with-existing-users

Is there any documentation on switching from LDAP to Active Directory LDAP? I believe I could populate the external IDs in the database but I'm having trouble getting the appropriate data. The objectGUID binary field is causing me problems.

Exact BookStack Version

24.05.2

Log Content

No response

Hosting Environment

Ubuntu 22.04.4 LTS Apache 2.4.59 PHP 8.1.2-1ubuntu2.18

ssddanbrown commented 5 months ago

Hi @Coros, Sorry, I'm a little confused on the exact scenario here so I have a few extra questions:

The objectGUID binary field is causing me problems.

Is there any documentation on switching from LDAP to Active Directory LDAP?

No, I try not to document too deeply for other platforms, and ultimately these are both LDAP scenarios, just might be different id values in use I'd guess?

Coros commented 5 months ago

Hi @ssddanbrown. Sorry, I was rambling a bit there.

Some of our users will receive the error message described in my first post. It seems to be entirely random and I haven't been able to find out why. 90% of our users are able to log in without any issues with our current configuration.

I was hoping to correct my LDAP configuration to follow the documented Active Directory settings.

LDAP_ID_ATTRIBUTE is currently set to 'uid'. The user external ID in BookStack is normally their sAMAccountName. When a user reports the login problem, I've been changing the external ID to match their distinguishedName. I'm not sure why this resolves their issue, but it does.

After researching the LDAP / Active Directory configuration in BookStack, I realized my initial setup was incorrect. As a result, I want to change LDAP_ID_ATTRIBUTE to `BIN;objectGUID`, but that breaks existing accounts unless I update their external ID.

I've finally figured out how to get objectGUID in the correct format that BookStack expects so I should now be able to export a list of users, get their properly formatted objectGUID from AD and then insert it into the external ID attribute field in the database. Then I can make the LDAP_ID_ATTRIBUTE change and everything should work.
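The conversion described above, as an added example that is not part of this thread or of BookStack's own code: it assumes BookStack stores the raw 16 objectGUID bytes hex-encoded (PHP bin2hex of the LDAP value) when LDAP_ID_ATTRIBUTE is `BIN;objectGUID`, and the sample export and addresses are constructed. It also accepts the base64 form ldapsearch prints for binary attributes, and shows the byte reordering between AD's text GUID and the on-wire bytes.

```python
"""Map Active Directory objectGUID values to the external ID string BookStack
stores for LDAP_ID_ATTRIBUTE=BIN;objectGUID. Assumption (not stated on the
issue page): BookStack keeps the raw 16 attribute bytes as PHP bin2hex() output."""
import base64
import binascii
import csv
import io
import re
import uuid
from typing import List, Tuple

CANONICAL_GUID = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

# Constructed sample export, not real accounts: alice in the canonical text
# form AD tooling displays, bob as the base64 ldapsearch prints for binary
# attributes (objectGUID:: ...), carol a corrupt value that must be skipped.
AD_EXPORT = """mail,objectGUID
alice@example.com,{01234567-89ab-cdef-0123-456789abcdef}
bob@example.com,AAECAwQFBgcICQoLDA0ODw==
carol@example.com,not-a-guid
"""

def guid_to_external_id(value: str) -> str:
    """Return lowercase hex of the on-wire objectGUID bytes."""
    value = value.strip()
    if CANONICAL_GUID.match(value):
        # Text form is big-endian per field; AD stores the first three fields
        # little-endian, which is exactly the layout bytes_le reproduces.
        return uuid.UUID(value.strip("{}")).bytes_le.hex()
    raw = base64.b64decode(value, validate=True)  # binascii.Error if malformed
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return raw.hex()

def external_id_to_guid(external_id: str) -> str:
    """Inverse mapping; handy to verify a value already in the database."""
    return str(uuid.UUID(bytes_le=binascii.unhexlify(external_id)))

def build_update_plan(csv_text: str) -> List[Tuple[str, str]]:
    """Return (email, external_id) pairs; rows with bad GUIDs are dropped."""
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            plan.append((row["mail"].strip().lower(), guid_to_external_id(row["objectGUID"])))
        except (ValueError, binascii.Error):
            continue
    return plan
```

The resulting pairs drive a per-user update of the external ID column in BookStack's users table (external_auth_id in current schemas; verify against your own) keyed on email, done before LDAP_ID_ATTRIBUTE is switched. Running external_id_to_guid over values already in the table is a quick way to spot accounts still holding a sAMAccountName or DN instead of a GUID.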

Coros commented 5 months ago

I was able to get the objectGUID value populated for each of my users and flipped the switch. Everything appears to be working currently.

WiMaGit commented 2 months ago

Hello @Coros,

Can you please share your settings here? I have been trying a long time to get LDAP with Active Directory Server 2019 working, but without success. I get the error: 'failed' => 'These credentials do not match our records.'. Below is my setup. The user used to search the server seems to be OK, because if I change something on it, I get another error.

AUTH_METHOD=ldap
LDAP_SERVER=xxx.xxx.xxx.xxx:389
LDAP_BASE_DN="OU=xxxxxxxxxxxxxxx,OU=xxxxxxxxxxxxxx,DC=xxxxxxxxxx,DC=local"
LDAP_DN="CN=xxxxxxxxxx,OU=xxxxxxxx,OU=Benutzer,OU=xxxxxxxx,DC=xxxxxxxx,DC=local"
LDAP_PASS="xxxxxxxxxxxxxxxxxxxx"
LDAP_USER_FILTER=(&(sAMAccountName={user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_THUMBNAIL_ATTRIBUTE=null
LDAP_START_TLS=false
LDAP_TLS_INSECURE=true
LDAP_DUMP_USER_DETAILS=true