[PR #7162] [MERGED] LDAP auth fixes: do not store LDAP password, use default user role on first auth, allow ldap only form. #109331

Closed
opened 2026-05-18 08:40:12 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/7162
Author: @morgan55555
Created: 11/21/2024
Status: Merged
Merged: 11/21/2024
Merged by: @tjbck

Base: devHead: dev


📝 Commits (2)

  • b1237cf Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth.
  • b9e637e Now ENABLE_LOGIN_FORM=False disabling only email form.

📊 Changes

2 files changed (+21 additions, -8 deletions)

View changed files

📝 backend/open_webui/apps/webui/routers/auths.py (+14 -4)
📝 src/routes/auth/+page.svelte (+7 -4)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • Target branch: Please verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Have you written and run sufficient tests for validating the changes?
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Prefix: To cleary categorize this pull request, prefix the pull request title, using one of the following:
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction

Changelog Entry

Description

  • LDAP authorization is now work like trusted header: it will not store user password, trusting LDAP server.
    This also fixing login after LDAP password was changed.
    If you need both LDAP and e-mail authorizations: register e-mail first or set password in user settings after LDAP first login.
  • LDAP user role is now working accordingly to DEFAULT_USER_ROLE. Also, if this is first user on server, user will get admin rights.
  • ENABLE_LOGIN_FORM = false now will disable only standard (e-mail) login form. If ENABLE_LDAP is true, then LDAP form only will be shown.
  • Fixed Chrome autocompletion (added "name" property to fields).

Added

  • Added "name" property to login fields, for Chrome autocompletion.

Changed

  • LDAP authorization is now bypassing pasword, like trusted header auth.
  • Default password is now randomized, like in trusted header auth.
  • LDAP default user role is now work like in other auths, first user will be an admin, other will get DEFAULT_USER_ROLE from setings.

Fixed

  • LDAP authorization is now not storing user's passwords hashes.

Security

  • LDAP authorization is now not storing user's passwords hashes.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/7162 **Author:** [@morgan55555](https://github.com/morgan55555) **Created:** 11/21/2024 **Status:** ✅ Merged **Merged:** 11/21/2024 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `dev` --- ### 📝 Commits (2) - [`b1237cf`](https://github.com/open-webui/open-webui/commit/b1237cf389e23b49d5e622258a37abd328687ae5) Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth. - [`b9e637e`](https://github.com/open-webui/open-webui/commit/b9e637ee2bf5ed82c02626a5f87477780e389b0a) Now ENABLE_LOGIN_FORM=False disabling only email form. ### 📊 Changes **2 files changed** (+21 additions, -8 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/apps/webui/routers/auths.py` (+14 -4) 📝 `src/routes/auth/+page.svelte` (+7 -4) </details> ### 📄 Description # Pull Request Checklist ### Note to first-time contributors: Please open a discussion post in [Discussions](https://github.com/open-webui/open-webui/discussions) and describe your changes before submitting a pull request. **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Please verify that the pull request targets the `dev` branch. - [x] **Description:** Provide a concise description of the changes made in this pull request. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [x] **Documentation:** Have you updated relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs), or other documentation sources? - [x] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [x] **Testing:** Have you written and run sufficient tests for validating the changes? - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Prefix:** To cleary categorize this pull request, prefix the pull request title, using one of the following: - **feat**: Introduces a new feature or enhancement to the codebase - **fix**: Bug fix or error correction # Changelog Entry ### Description - LDAP authorization is now work like trusted header: it will not store user password, trusting LDAP server. This also fixing login after LDAP password was changed. If you need both LDAP and e-mail authorizations: register e-mail first or set password in user settings after LDAP first login. - LDAP user role is now working accordingly to DEFAULT_USER_ROLE. Also, if this is first user on server, user will get admin rights. - ENABLE_LOGIN_FORM = false now will disable only standard (e-mail) login form. If ENABLE_LDAP is true, then LDAP form only will be shown. - Fixed Chrome autocompletion (added "name" property to fields). ### Added - Added "name" property to login fields, for Chrome autocompletion. ### Changed - LDAP authorization is now bypassing pasword, like trusted header auth. - Default password is now randomized, like in trusted header auth. - LDAP default user role is now work like in other auths, first user will be an admin, other will get DEFAULT_USER_ROLE from setings. ### Fixed - LDAP authorization is now not storing user's passwords hashes. ### Security - LDAP authorization is now not storing user's passwords hashes. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 08:40:12 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#109331