BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

LDAP Group Sync using recursive Groups #5149

Closed Golden-Chicken97 closed 3 days ago

Golden-Chicken97 commented 1 month ago

Attempted Debugging

Searched GitHub Issues

Describe the Scenario

Hello, our team is having issues getting recursive Group syncing to work with LDAP.

Our Company uses LDAP resources, which are part of roles to manage user permissions without having users tied to the resources directly. This is important to us as you can assign a user to multiple resources at once with just one click. The concept can be seen here: [image]

This requires a recursive LDAP query like this, so the LDAP will search recursively: "(&(sAMAccountName=${user})(memberOf:1.2.840.113556.1.4.1941:=cn=BookStack Users,cn=Users,dc=example,dc=com))"

However we are not able to make a query, which works in an LDAP Browser, to be usable in Bookstack.

When dumping User details at login, the sections "parsed_direct_user_groups" and "parsed_recursive_user_groups" are identical.

"parsed_direct_user_groups": [
"Role_test"
]
"parsed_recursive_user_groups": [
"Role_test"
]

Syncing Bookstack-roles with direct user groups does work and we have been syncing our groups by assigning users to LDAP-roles for testing purposes until now. However this defeats the purpose of using roles completely.

We have tried adjusting the "LDAP_USER_FILTER" like the example below, but the result is still the same.

"(&(sAMAccountName=${user})(memberOf:1.2.840.113556.1.4.1941:=cn=BookStack Users,cn=Users,dc=example,dc=com))"

Setting the LDAP_GROUP_ATTRIBUTE to the following did not work and Bookstack was dumping no Groups at all.

LDAP_GROUP_ATTRIBUTE="memberOf:1.2.840.113556.1.4.1941:"

Am I misunderstanding the purpose of "parsed_recursive_user_groups" meaning that Bookstack has no way to search recursively or is there something we have overlooked?

Exact BookStack Version

v24.02.3

Log Content

No Error in the logs

Hosting Environment

PHP 8.2.20, Apache/2.4.61 (Debian), Debian 12.6

ssddanbrown commented 1 month ago

Hi @Golden-Chicken97, BookStack handles recursive LDAP groups by additional requests, to look up the membership of originally found groups. The LDAP_USER_FILTER is irrelevant for this.

This isn't a part of the system I often check though, and looking back to confirm the logic I can see some questionable parts in the logic which I don't like and need to double check. I'll try to dive deeper into this soon, but it may be a little while due to needing to emulate an LDAP environment with multi-group hierarchy.

Golden-Chicken97 commented 1 month ago

Thank you in advance for your fast response and for taking on this problem. We really appreciate it.

ssddanbrown commented 2 weeks ago

Hi again @Golden-Chicken97, sorry for the delay. I've just released BookStack v24.05.4 which included changes to the LDAP logic I mentioned needing to double check, so I'd advise updating to that since any explanation from here will be specific to the v24.05.4 and later logic.

When BookStack looks up groups, it will first get the direct groups belonging to the user (commonly the user's memberOf). For each group found, it will then look up that group's own group memberships via a query using the group DN. The same attribute is considered for groups and users (LDAP_GROUP_ATTRIBUTE, typically memberOf). This will then recursively continue until all groups have been found. The first element of the DN (typically CN) for all found groups will then be considered for sync.
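The lookup sequence described above, as an added Python illustration that is not BookStack's own code: a constructed in-memory directory stands in for the LDAP server, `lookup_group_attribute` is a hypothetical helper in place of the real LDAP query, and a deliberate membership cycle shows why each group DN must be queried only once.

```python
# Added illustration of recursive LDAP group resolution (not BookStack code).
from typing import Dict, List, Set

# Constructed sample directory: DN -> values of its "memberOf" attribute.
# The user is only a direct member of Role_test; Role_test is a member of
# "BookStack Users", which is a member of Editors, which (deliberately)
# points back at Role_test to form a cycle.
DIRECTORY: Dict[str, List[str]] = {
    "cn=jdoe,cn=Users,dc=example,dc=com": [
        "cn=Role_test,cn=Users,dc=example,dc=com",
    ],
    "cn=Role_test,cn=Users,dc=example,dc=com": [
        "cn=BookStack Users,cn=Users,dc=example,dc=com",
    ],
    "cn=BookStack Users,cn=Users,dc=example,dc=com": [
        "cn=Editors,cn=Groups,dc=example,dc=com",
    ],
    "cn=Editors,cn=Groups,dc=example,dc=com": [
        "cn=Role_test,cn=Users,dc=example,dc=com",  # cycle back to the start
    ],
}


def lookup_group_attribute(dn: str, group_attribute: str = "memberOf") -> List[str]:
    """Hypothetical stand-in for querying `group_attribute` on `dn` via LDAP.
    The same attribute (think LDAP_GROUP_ATTRIBUTE) is used for users and groups."""
    return DIRECTORY.get(dn, []) if group_attribute == "memberOf" else []


def first_rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'Role_test' from 'cn=Role_test,cn=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_groups(user_dn: str) -> List[str]:
    """Groups the user is directly a member of (first RDN value of each)."""
    return [first_rdn_value(dn) for dn in lookup_group_attribute(user_dn)]


def recursive_groups(user_dn: str) -> List[str]:
    """Direct groups plus every group reachable through the groups' own
    memberOf values, breadth first. `seen` guarantees each group DN is
    queried once, so a membership cycle cannot loop forever."""
    seen: Set[str] = set()
    found: List[str] = []
    queue = list(lookup_group_attribute(user_dn))
    while queue:
        group_dn = queue.pop(0)
        if group_dn in seen:
            continue
        seen.add(group_dn)
        found.append(first_rdn_value(group_dn))
        queue.extend(lookup_group_attribute(group_dn))
    return found
```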

Golden-Chicken97 commented 3 days ago

Thank you, @ssddanbrown for the professional and quick response.

We updated to the new version v24.05.4. After the update, syncing using recursive groups worked immediately. Even though no changes were made to our config!

It really impressed us how fast and professionally issues are handled by you, considering the scope of this project.

ssddanbrown commented 3 days ago

@Golden-Chicken97 Thanks for the kind words, and good to hear things are working now! Now things appear to be working, I'll go ahead and close this off.