Linking BookStack roles to AD groups

After setting up BookStack authentication against AD, you can also link BookStack roles to AD groups, which simplifies managing role membership. A few points need attention when using this setup. The problems are minor, but it took me a week or two to find out why they happened, so I have written them up to share.

Following the official documentation, first add the following settings to the .env file:

# Enable LDAP group sync, Set to 'true' to enable.
LDAP_USER_TO_GROUPS=true

# LDAP user attribute containing groups, Defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE="memberOf"

# Remove users from roles that don't match LDAP groups.
LDAP_REMOVE_FROM_GROUPS=false
 

With those settings in place, take the following example environment:

AD / BookStack Account: test
BookStack role: test-bs-group
AD Group: test-ad-group

Create a role named "test-bs-group" in BookStack and enter "test-ad-group" in its "External Authentication IDs" field.

 

When the "test" account, a member of "test-ad-group" in AD, logs into BookStack, it is automatically added to the "test-bs-group" role.

【Note】
◎ BookStack's AD group mechanism links existing BookStack roles to AD groups; it does not copy AD groups into BookStack.
◎ An AD group name may contain underscores "_" or hyphens "-", but it must not contain spaces or Chinese characters.
◎ If the account is a member of a nested child group of the AD group, it is also linked into the role (the child group's name must likewise contain no spaces or Chinese characters).

 

Once that test works, and if you want BookStack to keep role membership in sync with changes to AD group membership, do the following:
1. Create a new custom administrator group in AD, for example BS_Admin.
2. Add the AD administrator account to BS_Admin.
3. Edit the Admin role in BookStack and enter BS_Admin in its "External Authentication IDs" field.
4. Edit .env and change LDAP_REMOVE_FROM_GROUPS to true.

 

【Note】
◎ Do steps 1 to 3 first and only then change the value in step 4. Otherwise the members of the BookStack Admin role are removed when they next log in, and no account is left with administrative privileges.
◎ If this has already happened, you need to connect to the database directly and edit the "roles" table: set the external_auth_id field of the admin role to the name of the AD administrator group you defined (for example BS_Admin).
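The following SQL is an added example, not from the original post or from the BookStack project. It covers both notes above: a pre-flight check to run before switching LDAP_REMOVE_FROM_GROUPS to true, and the database recovery when the Admin role has already been emptied. It assumes BookStack's MySQL/MariaDB schema, in which the Admin role is the row of the "roles" table with system_name = 'admin' and role membership is stored in the "role_user" pivot table; the group name BS_Admin is the one used in the example above.

```sql
-- Added example; assumes BookStack's MySQL/MariaDB schema (roles, role_user tables)
-- and that the Admin role is the row with system_name = 'admin'.

-- 1. Pre-flight check before setting LDAP_REMOVE_FROM_GROUPS=true:
--    list roles that currently have members but no External Authentication ID.
--    With the flag enabled, LDAP users in these roles lose them at their next login.
SELECT r.id, r.display_name, r.system_name, COUNT(ru.user_id) AS members
  FROM roles r
  LEFT JOIN role_user ru ON ru.role_id = r.id
 WHERE r.external_auth_id IS NULL OR r.external_auth_id = ''
 GROUP BY r.id, r.display_name, r.system_name
HAVING COUNT(ru.user_id) > 0;

-- 2. Recovery when the Admin role has already been cleared:
--    re-link it to the AD administrator group (BS_Admin in the example above).
UPDATE roles
   SET external_auth_id = 'BS_Admin'
 WHERE system_name = 'admin';

-- 3. Verify the change, then have the AD administrator account log in again
--    so that group sync puts it back into the Admin role.
SELECT id, display_name, system_name, external_auth_id
  FROM roles
 WHERE system_name = 'admin';
```

If the first query returns the Admin role, fill in its External Authentication ID (step 3 above) before touching .env; the UPDATE is only needed for recovery.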

 

【Related material】
