open-webui / open-webui

User-friendly AI Interface (Supports Ollama, OpenAI API, ...)
https://openwebui.com
MIT License
49.3k stars, 6.05k forks

issue: LDAP Not Working With Active Directory #7063

Open stondino00 opened 1 week ago

stondino00 commented 1 week ago

Trying to test the new LDAP feature against our Active Directory. We are using the same settings other Linux servers use to bind to our LDAP, and open-webui is not working.

Are there any examples of the testing that was done that can be shown to work? How do I get a debug log from Docker about this LDAP communication with our Active Directory?

tjbck commented 1 week ago

@morgan55555 @WilsonZiweiWang

stondino00 commented 1 week ago

Keep getting this with TLS disabled, on ports 389 and 3268 (the non-TLS ports).

[screenshot]

[screenshot]

When I run `sudo docker logs`, it shows this at the bottom each time I try to log in with an LDAP credential.

My domain controller does show LDAP attempts from the IP of the open-webui server, so it appears to be reaching out but is not successful.

[screenshot]

zsy5172 commented 1 week ago

@stondino00 In Active Directory, the attribute for the username should be sAMAccountName; my configuration works fine.

@tjbck Could you consider adding a "test" button in the LDAP settings? This way, users can know if the configuration is correct.

Also, printing the result in the HTTPException detail would be better.

https://github.com/open-webui/open-webui/blob/02e94c826440162e381cad382d3ac1b0eb2b3d73/backend/open_webui/apps/webui/routers/auths.py#L210-L211

Change to:

    if not connection_app.bind():
        raise HTTPException(400, detail=f"Application account bind failed, result:{connection_app.result}, last error:{connection_app.last_error}")

If the bind fails, it will show something like:

Bind failed: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Last error: invalidCredentials
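One way to surface the bind failure that zsy5172 proposes, as an added example that is not Open WebUI's own code: it decodes the `data 52e` sub-code from the AD diagnostic string and distinguishes the application-account bind (where the full ldap3 result is useful to the operator) from a user bind (where telling the caller "525 user not found" versus "52e invalid credentials" would let anyone enumerate valid accounts, so that detail goes to the server log only). The result dict is constructed from the bindResponse quoted above; `ldap3` itself is not required to run it, and the function and variable names are mine, not the project's.

```python
"""Added example (not Open WebUI code): decode an ldap3 bind failure against
Active Directory, log the specific cause server-side, and return only a
generic message to an end user. Runs without ldap3 installed."""
import logging
import re
from typing import Dict, Optional, Tuple

log = logging.getLogger("ldap-auth")

# Well-known Active Directory sub-codes carried in the "data NNN" field of the
# AcceptSecurityContext diagnostic string (hex digits, no 0x prefix).
AD_BIND_DATA_CODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)")

# Constructed sample: the bindResponse quoted earlier in this thread, in the
# shape ldap3 exposes it as Connection.result after a failed bind().
SAMPLE_FAILED_BIND = {
    "result": 49,
    "description": "invalidCredentials",
    "dn": "",
    "message": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00",
    "referrals": None,
    "saslCreds": None,
    "type": "bindResponse",
}


def explain_bind_result(result: dict) -> dict:
    """Turn an ldap3 Connection.result dict into a structured explanation.

    Returns a dict with keys ok, code, description, ad_data and reason. For an
    AD server, ad_data is the hex sub-code parsed out of the message and reason
    is its meaning; otherwise reason falls back to the LDAP result description.
    """
    code = result.get("result")
    if code == 0:
        return {"ok": True, "code": 0, "description": "success",
                "ad_data": None, "reason": "bind succeeded"}
    message = result.get("message") or ""
    match = _DATA_RE.search(message)
    ad_data = match.group(1).lower() if match else None
    description = result.get("description", "unknown")
    reason = AD_BIND_DATA_CODES.get(ad_data, description) if ad_data else description
    return {"ok": False, "code": code, "description": description,
            "ad_data": ad_data, "reason": reason}


def bind_outcome_for_client(result: dict, *, is_app_account: bool,
                            last_error: Optional[str] = None) -> Tuple[int, str]:
    """Map a bind result to (http_status, detail) the way a router would raise it.

    The application (service) account bind is an operator configuration
    problem, so returning the full ldap3 result helps. A user bind is
    different: the AD sub-code separates "no such user" from "wrong password",
    which is exactly what an attacker wants, so only a generic message is
    returned and the specific reason is logged.
    """
    info = explain_bind_result(result)
    if info["ok"]:
        return 200, "ok"
    if is_app_account:
        log.error("application account bind failed: %s", info)
        return 400, (f"Application account bind failed, result: {result}, "
                     f"last error: {last_error or info['description']}")
    log.warning("user bind failed: ad_data=%s reason=%s", info["ad_data"], info["reason"])
    return 400, "Invalid credentials"


if __name__ == "__main__":
    print(explain_bind_result(SAMPLE_FAILED_BIND))
    print(bind_outcome_for_client(SAMPLE_FAILED_BIND, is_app_account=True,
                                  last_error="invalidCredentials"))
    print(bind_outcome_for_client(SAMPLE_FAILED_BIND, is_app_account=False))
```

In a real router the `result` argument is `connection.result` after `connection.bind()` returns False, and `last_error` is `connection.last_error`; nothing else about the example depends on ldap3.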

vanche1212 commented 1 week ago

[screenshot] Can this LDAP field not be hard-coded? In a self-deployed LDAP service the username attribute may be email.

stondino00 commented 1 week ago

Still no luck. Where would one put the public certificate if trying over the TLS ports?

[screenshot]

I get "Invalid CA Public Key File" with the above config.

zsy5172 commented 1 week ago

Try without TLS first, then use TLS once that succeeds. It seems your cert path is wrong; it should be the path inside the container.

tjbck commented 1 week ago

@zsy5172 PR welcome!

stondino00 commented 1 week ago

Can an option be added to the LDAP config, a checkbox to disable TLS/SSL verification of the certificate? We use self-signed domain certs in our Active Directory, and it doesn't appear that the LDAP in open-webui likes self-signed certs even when the public cert is supplied.

stondino00 commented 1 week ago

OK, I think I figured this out on my end by giving it the right certificate it needed.

I did have to send the certificate to the container for it to see it. How do we do this when the container is updated with newer versions of open-webui?

Could a paste-certificate field be added to the LDAP section so it's kept in the database and survives container updates?

zsy5172 commented 1 week ago

OK, I think I figured this out on my end by giving it the right certificate it needed.

I did have to send the certificate to the container for it to see it. How do we do this when the container is updated with newer versions of open-webui?

Could a paste-certificate field be added to the LDAP section so it's kept in the database and survives container updates?

If you already use Docker, you can make use of -v open-webui:/app/backend/data: put your certificate in the open-webui volume and point the path to /app/backend/data/your_certificate in your LDAP configuration.

WilsonZiweiWang commented 1 week ago

Can this LDAP field not be hard-coded? In a self-deployed LDAP service the username attribute may be email.

@vanche1212 The main purpose of getting this attribute is to create the WebUI user. Could you be more specific about the issue you are having?

morgan55555 commented 1 week ago

Can be related to https://github.com/open-webui/open-webui/pull/7162

adamoutler commented 4 days ago

Can this LDAP field not be hard-coded? In a self-deployed LDAP service the username attribute may be email.

Please make everything configurable. These default values will not work for all situations; for example, my search filter is: (&(objectClass=Person)(memberOf=CN=my-users,OU=Groups,DC=domain,DC=ad,DC=mycompany,DC=com)(|(sAMAccountName=%s)(companyEmailAlias=%s))), which would allow a user in a specific group to log in with the email or username they're familiar with. The mail attribute is something the user may have never seen before. I can't seem to get my config working for login.
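The `%s` placeholders in the filter quoted above are substituted with whatever the user types at login, so that value has to be escaped per RFC 4515 or a login such as `*)(objectClass=*` rewrites the filter and can match a different account. Added example, not Open WebUI's or adamoutler's code: template substitution with escaping, the unsafe version beside it for contrast, and a small helper that picks the e-mail from a configurable list of attributes (the thread's other request). The attribute names and base DN come from the comment above; `companyEmailAlias` is that commenter's custom attribute, not a standard AD one. ldap3 provides `ldap3.utils.conv.escape_filter_chars` for the escaping; it is reimplemented here so the example runs without ldap3.

```python
"""Added example (not Open WebUI code): build the user-search filter from a
configurable template, escaping the login value so it cannot change the
filter's structure, and pick the e-mail from configurable attributes."""
from typing import Dict, List, Optional

# Filter template from the comment above. Every %s receives the login value.
FILTER_TEMPLATE = (
    "(&(objectClass=Person)"
    "(memberOf=CN=my-users,OU=Groups,DC=domain,DC=ad,DC=mycompany,DC=com)"
    "(|(sAMAccountName=%s)(companyEmailAlias=%s)))"
)

# Which attributes may supply the WebUI e-mail, in order of preference.
# Assumed configuration knob; companyEmailAlias is the commenter's attribute.
EMAIL_ATTRIBUTES = ["mail", "companyEmailAlias"]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    The characters \\ * ( ) and NUL are replaced by a backslash and two hex
    digits. Escaping is done per character, so a backslash already in the
    input is escaped to \\5c rather than being interpreted.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template: str, login: str) -> str:
    """Substitute every %s with the escaped login value (the safe version)."""
    return template.replace("%s", escape_filter_value(login))


def build_user_filter_unsafe(template: str, login: str) -> str:
    """Raw substitution, shown only to contrast with build_user_filter."""
    return template.replace("%s", login)


def pick_email(entry: Dict[str, List[str]], candidates: List[str]) -> Optional[str]:
    """Return the first non-empty value among the configured e-mail attributes.

    LDAP attribute names are case-insensitive, so the lookup ignores case.
    entry is the attribute dict of one search result, e.g. ldap3's
    entry.entry_attributes_as_dict.
    """
    lowered = {name.lower(): values for name, values in entry.items()}
    for attr in candidates:
        values = lowered.get(attr.lower()) or []
        if values:
            return values[0]
    return None


if __name__ == "__main__":
    hostile_login = "*)(objectClass=*"
    print("unsafe:", build_user_filter_unsafe(FILTER_TEMPLATE, hostile_login))
    print("safe:  ", build_user_filter(FILTER_TEMPLATE, hostile_login))
    # Constructed sample entry: no mail attribute, only the custom alias.
    sample_entry = {"sAMAccountName": ["jdoe"], "companyEmailAlias": ["j.doe@mycompany.com"]}
    print("email: ", pick_email(sample_entry, EMAIL_ATTRIBUTES))
```

With the unsafe substitution the hostile login yields `(sAMAccountName=*)(objectClass=*)` inside the OR, which matches every Person in the group, so whichever entry the directory returns first is the account the password is then checked against. With escaping, the same input becomes `(sAMAccountName=\2a\29\28objectClass=\2a)`, a literal that matches nothing.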

WilsonZiweiWang commented 4 days ago

the mail attribute is something the user may have never seen before

WebUI will need the email to create the user in the current workflow. Where does that come from in your case?

adamoutler commented 4 days ago

CompanyEmailAlias property. Not this name directly, but as an approximation. It should be customizable.

There's still some stuff to do to make this universal. Usually with LDAP setups you'd want to customize the identifier of the account, which may be uid or cn. There should be a unique property as well, to account for account deletions followed by new user creation with username reuse. The user may log in with the email property or the username property depending on preference. The email may be something different than expected. The profile picture may be different per configuration. The filter should be able to override the login username as well.