according to BookStack official explanation,To use LDAP / Sign verification as AD,.Env need to add to the file following first set value,Examples Domain:
◎ AD domain: abc.com.tw
◎ AD manager account / Password: administrator / 123456
# General auth
AUTH_METHOD=ldap
# The LDAP host, Adding a port is optional
LDAP_SERVER=abc.com.tw:389
# If using LDAP over SSL you should also define the protocol:
# LDAP_SERVER=ldaps://example.com:636
# The base DN from where users will be searched within
LDAP_BASE_DN=dc=abc,dc=com,dc=tw
# The full DN and password of the user used to search the server
# Can both be left as false to bind anonymously
LDAP_DN= cn=administrator,cn=users,dc=abc,dc=com,dc=tw
LDAP_PASS=123456
# A filter to use when searching for users
# The user-provided user-name used to replace any occurrences of '${user}'
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
#以 AD 帳號的 sAMAccountName 值作為 BookStack 的帳號。
# Set the LDAP version to use when connecting to the server
LDAP_VERSION=3
# Set the default 'email' attribute. Defaults to 'mail'
LDAP_EMAIL_ATTRIBUTE=mail
#以 AD 帳號的 mail 值作為 BookStack 帳號的 mail 值。
# Set the property to use for a user's display name. Defaults to 'cn'
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
#以 AD 帳號的 cn 值作為 BookStack 帳號的顯示名稱。
#這邊如果改成 sAMAccountName,BookStack 仍會帶到 cn,原因不明。
# If you need to allow untrusted LDAPS certificates, add the below and uncomment (remove the #)
# Only set this option if debugging or you're absolutely sure it's required for your setup.
#LDAP_TLS_INSECURE=true
◎ modify the parameters of the process,Simply save .env file to apply the new settings,No need to restart Apache。
◎ "display name" if spaces,Will appear incomplete。
After the change to take effect End,A problem occurs,When the AD manager (administrator) Log in,No administrator privileges;The original BookStack manager (admin@admin.com) They no longer have access。In accordance with the official explanation,Please follow the steps below to set:
1. .Env turn off the LDAP / AD authentication setting。
2. To account managers of BookStack (admin@admin.com) Sign in。
3. Open .env the LDAP / AD authentication setting。
4. To edit the user profile page,There will be a "external authentication ID" field,Import”CN=Administrator,CN=Users,DC=abc,DC = com,DC=tw” (The case can not be wrong),The BookStack manager (admin@admin.com)Managers with AD (administrator)String together。
5. Sign out,The AD manager (administrator) Sign in,You can have administrator privileges。
您好
1.My impression is ok。
2.Depends on your AD architecture,Suppose danielchou is under users,Then the string you hit is right。
Xie Xie
Moderator is good
請問
1. “Name”Can you use Chinese name?
2. Can I fill in the external identity field?
CN=danielchou, CN=users, DC=abc,DC=local
Thanks