feat: LDAP User management

[this-josh]

Is your feature request related to a problem? Please describe. Users should be managed via LDAP, similar to Portainer

Describe the solution you'd like LDAP user management implemented

Describe alternatives you've considered

• OAUTH
• Microsoft Active directory

I believe LDAP is the best starting point

Additional context

One key feature of ollama-webui is its ability to have users, but without LDAP this doesn't have same network level utility.

[jannikstdl]

Yes agree, this would be a use case for us as well.

[tjbck]

Related: https://github.com/ollama-webui/ollama-webui/issues/483

[SurvivaLlama]

I can help test this.

[eingemaischt]

This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself...

[justinh-rahb]

This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself...

Excellent news, this has been implemented:

• 1347

[Manfredzimmermann]

How can I connect Open-WebUI with Microsoft Active directory? I'm looking for an excellent solution. A fixed module in Open-WebUI for Active Directory (LDAP) would be a dream

[FritzHeiden]

I'd really like to see this feature implemented aswell

[dorianborovina]

Me too! +1 from me.

[hostingnuggets]

Me too! +100 from me ;-)

[peske]

+1

[sry9681]

+1

[lduplaga]

Would be awesome to have this feature.

[seal61]

+1

[lduplaga]

I solved my case with Microsoft authentication by this

https://docs.openwebui.com/tutorial/sso#microsoft

[seal61]

I solved my case with Microsoft authentication by this

https://docs.openwebui.com/tutorial/sso#microsoft

does not help with local active directory / ldap server sadly, but might be useful for some.

[WilsonZiweiWang]

My implementation: https://github.com/WilsonZiweiWang/open-webui/commit/f4e487480f414f24ff19b0243e6357c0625b330f It worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks.

[hostingnuggets]

Bravo @WilsonZiweiWang for your LDAP implementation. @tjbck could @WilsonZiweiWang's code be integrated to this project?

[tjbck]

Feel free to make a PR!

[justinh-rahb]

WilsonZiweiWang with some refac that might be workable for more servers. Not working on my AD server, but honestly I'm fairly sure it's either a layer8 problem, or we just need more environment variables to tune the (too many) options for LDAP binding, user search and field mappings.

[Peter-De-Ath]

My implementation: WilsonZiweiWang@f4e4874 It worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks.

I wasn't quite able able to get this working out the box, but adding

LDAP_USER_DN = f'cn={cn},{LDAP_USERS_DN}'

inside if uid == form_data.user:

[justinh-rahb]

I got this to work with @Peter-De-Ath's modification on a test LDAP server, but still unable to get working on my (probably misconfigured by my predecessor) AD domain.

Some notes I'd add:

• This won't interact well with WEBUI_LOGIN=false, the email/username and password fields are hidden
• Could we not use the email field for login? We already get it from the LDAP server to create the account
• Would prefer if LDAP is enabled that a button be shown in similar style to the OIDC login buttons, hidden otherwise
• May want to be able to configure which field is used for the username

[WilsonZiweiWang]

hi all, thanks for testing my code and leaving comments, I have created the PR for this issue: https://github.com/open-webui/open-webui/pull/5056

[tjbck]

LDAP support merged to dev. More testing wanted from the community here!

[arthur-flam]

Hello! We managed to make it work with LDAP. Thanks a lot for adding this feature. Some small issues I ran into:

• Auths.insert_new_auth only gets mail/hash/cn parameters. Other auth methods also accept a role (default to pending otherwise no matter how DEFAULT_USER_ROLE is defined. It's also not possible to add profile picture (although it could be difficult with ldap, at least in my experience with our LDAP, ldapsearch returns a path to a temp image file, not a real URL).
• The LDAP_SEARCH_FILTERS is always messy to get right. I didn't understand that it already did f&(LDAP_ATTRIBUTE_FOR_USERNAME={login})({LDAP_SEARCH_FILTERS}). In any case testing with dev was very easy, amazing work all around.

[nordy1145]

I also got LDAP working with a simple ldap filter to a specific group, TLS and no issues authenticating. The only issue I see is the default Role is Pending instead of User as mentioned above.

[GabrielRamirez]

Are the LDAP variables set in the .env file?

[WilsonZiweiWang]

Are the LDAP variables set in the .env file?

You can set initial values to them in the .env file or edit them with the interface