
Error with filtered LDAP group objects #5971

@dhimler

Description

Describe the Bug

Hello!

I stumbled upon a bug that will probably hit only a subset of users, but I thought I'd report it anyway. Our Active Directory is running in "List Object Mode" (https://docs.microsoft.com/en-us/previous-versions/dd308984(v=technet.10)), which changes the behavior of Active Directory and allows hiding objects, which we do to hide different customers from each other. So the service account that we use to access Active Directory via LDAP from BookStack is not able to resolve ALL the groups that the users are members of, but only the ones that are relevant.

When using the following parameters in .env, the application fails to let users log in:

LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"

It tries to resolve all of the groups referenced under "memberOf" and fails as soon as it hits the first one it has no access to.

#0 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Bootstrap/HandleExceptions.php(258): Illuminate\Foundation\Bootstrap\HandleExceptions->handleError()
#1 [internal function]: Illuminate\Foundation\Bootstrap\HandleExceptions->Illuminate\Foundation\Bootstrap\{closure}()
#2 /opt/bookstack/app/Access/Ldap.php(71): ldap_read()
#3 /opt/bookstack/app/Access/LdapService.php(417): BookStack\Access\Ldap->read()
#4 /opt/bookstack/app/Access/LdapService.php(392): BookStack\Access\LdapService->getParentsOfGroup()
#5 /opt/bookstack/app/Access/LdapService.php(349): BookStack\Access\LdapService->getGroupsRecursive()
#6 /opt/bookstack/app/Access/LdapService.php(457): BookStack\Access\LdapService->getUserGroups()
#7 /opt/bookstack/app/Access/Guards/LdapSessionGuard.php(88): BookStack\Access\LdapService->syncGroups()
#8 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Auth/AuthManager.php(333): BookStack\Access\Guards\LdapSessionGuard->attempt()
#9 /opt/bookstack/app/Access/LoginService.php(165): Illuminate\Auth\AuthManager->__call()
#10 /opt/bookstack/app/Access/Controllers/LoginController.php(134): BookStack\Access\LoginService->attempt()
#11 /opt/bookstack/app/Access/Controllers/LoginController.php(74): BookStack\Access\Controllers\LoginController->attemptLogin()
#12 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): BookStack\Access\Controllers\LoginController->login()
#13 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(43): Illuminate\Routing\Controller->callAction()
#14 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(265): Illuminate\Routing\ControllerDispatcher->dispatch()
#15 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(211): Illuminate\Routing\Route->runController()
#16 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(822): Illuminate\Routing\Route->run()
#17 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\Routing\Router->Illuminate\Routing\{closure}()
#18 /opt/bookstack/app/Http/Middleware/CheckGuard.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#19 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\CheckGuard->handle()
#20 /opt/bookstack/app/Http/Middleware/RedirectIfAuthenticated.php(28): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#21 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\RedirectIfAuthenticated->handle()
#22 /opt/bookstack/app/Http/Middleware/Localization.php(32): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#23 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\Localization->handle()
#24 /opt/bookstack/app/Http/Middleware/RunThemeActions.php(26): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#25 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\RunThemeActions->handle()
#26 /opt/bookstack/app/Http/Middleware/CheckEmailConfirmed.php(47): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#27 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\CheckEmailConfirmed->handle()
#28 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(87): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#29 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle()
#30 /opt/bookstack/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(48): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#31 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\View\Middleware\ShareErrorsFromSession->handle()
#32 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(120): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#33 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(63): Illuminate\Session\Middleware\StartSession->handleStatefulRequest()
#34 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Session\Middleware\StartSession->handle()
#35 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(36): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#36 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle()
#37 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(74): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#38 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Cookie\Middleware\EncryptCookies->handle()
#39 /opt/bookstack/app/Http/Middleware/ApplyCspRules.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#40 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\ApplyCspRules->handle()
#41 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(137): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#42 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(821): Illuminate\Pipeline\Pipeline->then()
#43 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(800): Illuminate\Routing\Router->runRouteWithinStack()
#44 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(764): Illuminate\Routing\Router->runRoute()
#45 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(753): Illuminate\Routing\Router->dispatchToRoute()
#46 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(200): Illuminate\Routing\Router->dispatch()
#47 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}()
#48 /opt/bookstack/app/Http/Middleware/PreventResponseCaching.php(28): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#49 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\PreventResponseCaching->handle()
#50 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(58): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#51 /opt/bookstack/app/Http/Middleware/TrustProxies.php(41): Illuminate\Http\Middleware\TrustProxies->handle()
#52 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): BookStack\Http\Middleware\TrustProxies->handle()
#53 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#54 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(51): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle()
#55 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Foundation\Http\Middleware\TrimStrings->handle()
#56 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Http/Middleware/ValidatePostSize.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#57 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Http\Middleware\ValidatePostSize->handle()
#58 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(109): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#59 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(219): Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle()
#60 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(137): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#61 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(175): Illuminate\Pipeline\Pipeline->then()
#62 /opt/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(144): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter()
#63 /opt/bookstack/public/index.php(23): Illuminate\Foundation\Http\Kernel->handle()
#64 {main}
"}

If I put the account in a security group that has access to the whole Active Directory, everything is working as expected. I think there should be error handling in place to skip the groups that cannot be found instead of causing the login to fail.

Best regards,
Daniel

Steps to Reproduce

Prevent some groups from being found in Active Directory by using List Object Mode and configure LDAP authentication in BookStack with LDAP_USER_TO_GROUPS enabled.

Expected Behaviour

Being able to log in and having all resolvable group memberships evaluated.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v25.12
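The tolerant behaviour the report asks for, shown as an added example that is not BookStack's own code: a recursive "memberOf" walk that skips groups the service account cannot read (the List Object Mode case, where the trace above throws inside getParentsOfGroup -> ldap_read) and also guards against nested-group cycles. The directory is a constructed in-memory array standing in for ldap_read(), so it runs offline; the function and DN names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample directory. A null entry stands for a group the bound
// service account cannot read (hidden by List Object Mode); that is the point
// at which the original code path aborts the whole login.
$directory = [
    'cn=alice,ou=users,dc=example,dc=com' => ['memberof' => [
        'cn=docs-editors,ou=groups,dc=example,dc=com',
        'cn=customer-b-staff,ou=groups,dc=example,dc=com',
    ]],
    'cn=docs-editors,ou=groups,dc=example,dc=com' => ['memberof' => [
        'cn=all-editors,ou=groups,dc=example,dc=com',
    ]],
    // nested back-reference: resolving this must not loop forever
    'cn=all-editors,ou=groups,dc=example,dc=com' => ['memberof' => [
        'cn=docs-editors,ou=groups,dc=example,dc=com',
    ]],
    'cn=customer-b-staff,ou=groups,dc=example,dc=com' => null, // not visible
];

// Read the memberOf values of one DN; null mirrors an unreadable entry
// (insufficient access / no such object) instead of throwing.
function readMemberOf(array $directory, string $dn): ?array
{
    if (!array_key_exists($dn, $directory) || $directory[$dn] === null) {
        return null;
    }
    return $directory[$dn]['memberof'] ?? [];
}

// Collect every readable group reachable from $dn. Unreadable group DNs are
// appended to $skipped (for logging) rather than failing the caller; $visited
// stops cycles and repeated expansion of diamond-shaped nesting.
function resolveGroupsTolerant(array $directory, string $dn, array &$skipped, array &$visited = []): array
{
    $groups = [];
    foreach (readMemberOf($directory, $dn) ?? [] as $groupDn) {
        if (isset($visited[$groupDn])) {
            continue; // already expanded
        }
        $visited[$groupDn] = true;
        if (readMemberOf($directory, $groupDn) === null) {
            $skipped[] = $groupDn; // hidden group: record it and move on
            continue;
        }
        $groups[] = $groupDn;
        $groups = array_merge($groups, resolveGroupsTolerant($directory, $groupDn, $skipped, $visited));
    }
    return array_values(array_unique($groups));
}

$skipped = [];
$groups = resolveGroupsTolerant($directory, 'cn=alice,ou=users,dc=example,dc=com', $skipped);
```

Logging the contents of $skipped at login time gives the operator a record of which memberships were silently ignored, which is worth keeping since missing groups can also mean missing permissions.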
