[GH-ISSUE #17682] issue: Open WebUI rejects LDAP users with missing mail attribute #18366

Closed
opened 2026-04-20 00:35:47 -05:00 by GiteaMirror · 1 comment

Originally created by @LarryStewart2022 on GitHub (Sep 23, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17682

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.6.30 (latest)

Ollama Version (if applicable)

0.11.3

Operating System

Ubuntu 22.04.5 LTS

Browser (if applicable)

Chrome

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Open WebUI should allow LDAP users to authenticate successfully even if the mail attribute is empty in Active Directory.
If "Attribute for Mail" is set to userPrincipalName, that value should be used as the email instead of requiring mail.

Actual Behavior

LDAP authentication fails with "LDAP authentication failed" when the AD user has no mail attribute set.
From testing with ldapsearch, the bind and filter work correctly and return the user entry, but Open WebUI still rejects the login.
Our AD user has sAMAccountName and userPrincipalName populated, but mail is blank.

Steps to Reproduce

  1. Create a test AD user with these attributes:
    • sAMAccountName: testuser
    • userPrincipalName: testuser@domain.com
    • mail: (empty / not set)
  2. Configure Open WebUI LDAP settings:
    • Application DN: <bind DN>
    • Application DN Password: <bind password>
    • Attribute for Username: userPrincipalName
    • Attribute for Mail: userPrincipalName
    • Search Base: DC=example,DC=com
    • Search Filter: (&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))
  3. Save settings and attempt login as:
    • Username: testuser@domain.com
    • Password: <AD password>
  4. Observe that login fails with "LDAP authentication failed".
  5. Run equivalent ldapsearch from the Open WebUI host:
    ldapsearch -x -H ldap://<dc>:389 -D "<bind DN>" -W -b "DC=example,DC=com" "(&(objectClass=user)(userPrincipalName=testuser@domain.com))"
    → This succeeds and returns the user entry.

Logs & Screenshots

Browser UI shows: "LDAP authentication failed"
No additional error message in the UI.

Ubuntu server test with ldapsearch succeeds:

ldapsearch -x -H ldap://***-dc.***.com:389 \
  -D "CN=webui_bind,OU=***Users,DC=***,DC=com" -W \
  -b "DC=***,DC=com" \
  "(&(objectClass=user)(|(sAMAccountName=lstewart)(userPrincipalName=lstewart@***.com)))" \
  sAMAccountName userPrincipalName mail

Result:
dn: CN=Larry Stewart,OU=***Users,DC=***,DC=com
sAMAccountName: lstewart
userPrincipalName: lstewart@***.com
mail: (empty)

# search result
result: 0 Success

I replaced my actual domain name with *** for this bug report only.

Additional Information

  • Our AD environment has sAMAccountName and userPrincipalName populated, but many accounts do not have the mail attribute filled.
  • Open WebUI requires "Attribute for Mail" to be set. If we set it to mail, login fails (since mail is empty). If we set it to userPrincipalName, login still fails.
  • This appears to match Issue #12813: when mail is empty, Open WebUI fails internally when creating the user record.
  • Workaround would be to allow userPrincipalName to be used for "mail" or to gracefully handle missing mail attributes.
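The behaviour the reporter asks for (use the configured mail attribute, fall back to userPrincipalName when it is empty, and fail with a reason instead of a bare "LDAP authentication failed") can be sketched in a few lines. The block below is an added example and is not Open WebUI's code; it assumes a directory entry represented as a dict of attribute name to list of values (the shape ldap3's `entry_attributes_as_dict` returns), hypothetical function names (`build_filter`, `resolve_identity`, `check_entries`), and constructed sample entries. It also shows something the report's search filter does not: the login name must be RFC 4515-escaped before it replaces `%s`, or a crafted username rewrites the filter.

```python
"""Resolve an LDAP login into (username, email), tolerating an empty mail attribute.
Added example, not Open WebUI's implementation."""
import re

# Constructed sample entries (attribute name -> list of values); not real directory data.
SAMPLE_ENTRIES = [
    {"dn": "CN=Test User,OU=Users,DC=example,DC=com",
     "sAMAccountName": ["testuser"],
     "userPrincipalName": ["testuser@example.com"],
     "mail": []},                                   # the case from the report
    {"dn": "CN=Other User,OU=Users,DC=example,DC=com",
     "sAMAccountName": ["other"],
     "userPrincipalName": ["other@example.com"],
     "mail": ["Other.User@Example.com"]},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.
    Without it, a login name like '*)(objectClass=*' changes the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template: str, username: str) -> str:
    """Replace every %s in the admin-supplied filter template with the escaped login name."""
    return template.replace("%s", escape_filter_value(username))


def resolve_identity(entry, username_attr, mail_attr, fallback_attrs=("userPrincipalName",)):
    """Return (username, email). Raise ValueError with a precise reason when the entry
    cannot be mapped, so the operator sees more than 'LDAP authentication failed'."""
    lowered = {k.lower(): v for k, v in entry.items()}   # AD attribute names are case-insensitive

    def first(attr):
        vals = [v for v in (lowered.get(attr.lower()) or []) if isinstance(v, str) and v.strip()]
        return vals[0].strip() if vals else None

    username = first(username_attr)
    if not username:
        raise ValueError(f"{entry['dn']}: no value for username attribute {username_attr}")

    used_attr, email = None, None
    for attr in (mail_attr, *fallback_attrs):        # configured attribute first, then fallbacks
        email = first(attr)
        if email:
            used_attr = attr
            break
    if not email:
        raise ValueError(f"{entry['dn']}: no usable e-mail in {mail_attr} or {list(fallback_attrs)}")

    email = email.lower()                            # normalise before it becomes an account key
    if not EMAIL_RE.match(email):
        raise ValueError(f"{entry['dn']}: {used_attr}={email!r} is not e-mail shaped")
    return username, email


def check_entries(entries, username_attr, mail_attr, fallback_attrs=("userPrincipalName",)):
    """Dry-run the mapping over a batch of entries; returns (dn, ok, detail) per entry."""
    report = []
    for entry in entries:
        try:
            report.append((entry["dn"], True, resolve_identity(entry, username_attr, mail_attr, fallback_attrs)))
        except ValueError as exc:
            report.append((entry["dn"], False, str(exc)))
    return report


if __name__ == "__main__":
    print(build_filter("(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))", "testuser@example.com"))
    for row in check_entries(SAMPLE_ENTRIES, "userPrincipalName", "mail"):
        print(row)
    # Same entries with no fallback: the empty-mail account is rejected with a reason.
    for row in check_entries(SAMPLE_ENTRIES, "sAMAccountName", "mail", fallback_attrs=()):
        print(row)
```

Run it against a dump of real entries (for example the attribute list from the `ldapsearch` above, parsed into dicts) before enabling LDAP sign-in: the dry run tells you which accounts would be rejected and why, instead of discovering it one failed login at a time.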
GiteaMirror added the bug label 2026-04-20 00:35:47 -05:00

@tjbck commented on GitHub (Sep 23, 2025):

PR welcome!


Reference: github-starred/open-webui#18366