issue: Disabling TLS on LDAP Throws Error #4909

Closed
opened 2025-11-11 16:06:11 -06:00 by GiteaMirror · 11 comments

Originally created by @sempervictus on GitHub (Apr 19, 2025).

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.5

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have listed steps to reproduce the bug in detail.

Expected Behavior

Disabling TLS in the LDAP control panel should allow use of an unencrypted connection

Actual Behavior

Disabling TLS in the LDAP control panel produces the following error in logs upon save:

2025-04-19 22:09:39.099 | INFO     | open_webui.config:save:246 - Saving 'LDAP_USE_TLS' to the database - {}
2025-04-19 22:09:39.100 | INFO     | open_webui.config:save:246 - Saving 'LDAP_CA_CERT_FILE' to the database - {}
2025-04-19 22:09:39.102 | INFO     | open_webui.config:save:246 - Saving 'LDAP_CIPHERS' to the database - {}
2025-04-19 22:09:39.103 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - XXXXX:0 - "POST /api/v1/auths/admin/config/ldap/server HTTP/1.1" 200 - {}
2025-04-19 22:09:39.124 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - XXXXX:0 - "GET /api/config HTTP/1.1" 200 - {}
2025-04-19 22:09:40.768 | ERROR    | open_webui.routers.auths:ldap_auth:197 - TLS configuration error: name 'Tls' is not defined - {}

and throws an error attempting to log in whether the target on the LDAP host is set to use raw LDAP or LDAPS.

Steps to Reproduce

  1. Disable LDAP TLS
  2. Attempt to login via LDAP
  3. Observe logs from both prior steps

Logs & Screenshots

2025-04-19 22:09:40.768 | ERROR    | open_webui.routers.auths:ldap_auth:197 - TLS configuration error: name 'Tls' is not defined - {}

Additional Information

No response

GiteaMirror added the bug label 2025-11-11 16:06:11 -06:00

@sempervictus commented on GitHub (Apr 19, 2025):

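Seems this (https://github.com/open-webui/open-webui/blob/852d9dcbe9b4406e1da230a14642f35ac7bb0d2b/backend/open_webui/routers/auths.py#L190) is the call involved, which is odd because Tls is being imported from ldap3 above, but something seems to be making it sad :-\.

Can't quite get it to work w/ TLS even though a CA cert is provided, but getting cleartext to work merely requires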

 sed -i 's|raise HTTPException(400, detail="Failed to configure TLS for LDAP connection.")|# raise HTTPException(400, detail="Failed to configure TLS for LDAP connection.")|' open_webui/routers/auths.py

@sempervictus commented on GitHub (Apr 20, 2025):

Spoke too soon, lack of an error in the logs is not success - entire webapp just hangs, nothing in the logs. I do eventually see LDAP on the wire but the app is completely destabilized at that point, requiring the docker container (all in one, nvidia) to be stopped and started again (restart doesn't seem to do it).


@gaby commented on GitHub (Apr 21, 2025):

This is because the import of Tls is broken. It was working, then broke, then got fixed, now broken again.

It's a fixable bug


@Star-caorui commented on GitHub (Apr 23, 2025):

Same problem: 2025-04-23 03:30:55.053 | ERROR | open_webui.routers.auths:ldap_auth:197 - TLS configuration error: name 'Tls' is not defined - {}


@zuhao-chen commented on GitHub (Apr 24, 2025):

> This is because the import of Tls is broken. It was working, then broke, then got fixed, now broken again.
>
> It's a fixable bug

How could I solve this problem?


@andresmorago commented on GitHub (Apr 24, 2025):

Having the same issue here. I'm on version v0.6.5


@sempervictus commented on GitHub (May 2, 2025):

@gaby That's probably because TLS is evil asym security by obscurity 😉, but for the time being it does kind of underpin tons of stuff. Apologies, I've not had time to dive into the sources of this project; but could you provide any hints as to how this normally gets fixed when the breakage occurs?


@gaby commented on GitHub (May 6, 2025):

@sempervictus Problem is related to a PR that was done a long time ago to make importing Tls optional, not an issue with TLS.

Related PR: https://github.com/open-webui/open-webui/pull/10755

Related Issue: https://github.com/open-webui/open-webui/discussions/11138

You have to set the ENABLE_LDAP=true environment variable for this module to be loaded.
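
Added example, not part of the thread and not Open WebUI's code: a constructed stand-in module showing how a feature-gated import surfaces as the logged "TLS configuration error: name 'Tls' is not defined" at login time, next to a handler that names the real precondition. `ROUTER_SRC`, `load_router` and `ldap_auth_checked` are hypothetical, and `SimpleNamespace` stands in for ldap3's `Tls` so the block runs without ldap3 installed.

```python
# Constructed stand-in for a router module whose LDAP import is feature-gated.
# SimpleNamespace plays the role of ldap3's Tls (assumption, for offline use).
ROUTER_SRC = '''
if ENABLE_LDAP:
    from types import SimpleNamespace as Tls

def ldap_auth(use_tls):
    """Gated-import handler: the name Tls exists only if the flag was set."""
    try:
        tls = Tls(validate=use_tls)
    except Exception as e:  # broad except reports a NameError as a TLS problem
        return f"TLS configuration error: {e}"
    return "bind attempted"

def ldap_auth_checked(use_tls):
    """Same handler, but it reports the actual missing precondition first."""
    if not ENABLE_LDAP:
        return "LDAP is disabled: set ENABLE_LDAP=true and restart"
    return ldap_auth(use_tls)
'''


def load_router(enable_ldap: bool) -> dict:
    """Execute the stand-in module with the flag fixed at import time."""
    namespace = {"ENABLE_LDAP": enable_ldap}
    exec(ROUTER_SRC, namespace)  # fixed, constructed source string only
    return namespace


if __name__ == "__main__":
    for flag in (False, True):
        router = load_router(flag)
        print(flag, "->", router["ldap_auth"](False))
        print(flag, "->", router["ldap_auth_checked"](False))
```
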


@hhclaes commented on GitHub (May 6, 2025):

After setting ENABLE_LDAP=true I still get open_webui.routers.auths:ldap_auth:345 - LDAP authentication error: malformed filter - {}

Filter is &(objectClass=user). I've tried other filters too (default, etc.).


@gaby commented on GitHub (May 6, 2025):

@hhclaes That's unrelated to this issue.

The correct filter is (objectClass=user). All ldap filters must start with ( and end with ).

If you want to AND conditions then: (&(objectClass=user) (objectCategory=person))
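
Added example, not part of the thread and not Open WebUI's code: a structural check for LDAP search filters that rejects the `&(objectClass=user)` form reported above before it reaches the directory server. `check_ldap_filter` is a hypothetical helper; it only checks parenthesis structure and `attr=value` shape, and it skips whitespace between sub-filters so the spaced AND form quoted in the thread is accepted.

```python
def check_ldap_filter(text: str) -> tuple[bool, str]:
    """Return (ok, reason) for a basic structural check of an LDAP filter."""
    pos, n = 0, len(text)

    def skip_ws() -> None:
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def parse_filter() -> None:
        nonlocal pos
        if pos >= n or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < n and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            count = 0
            skip_ws()
            while pos < n and text[pos] == "(":
                parse_filter()  # each operand is itself a full filter
                count += 1
                skip_ws()
            if count == 0 or (op == "!" and count != 1):
                raise ValueError(f"operator {op!r} has {count} operand(s)")
        else:
            start = pos
            while pos < n and text[pos] not in "()":
                pos += 1
            item = text[start:pos]
            if "=" not in item or item.startswith("="):
                raise ValueError(f"item {item!r} is not attr=value")
        if pos >= n or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1

    try:
        parse_filter()
        if pos != n:
            raise ValueError(f"trailing text at offset {pos}")
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the two filters from the thread plus a truncated one.
    for f in ("&(objectClass=user)", "(objectClass=user)", "(objectClass=user"):
        print(f, "->", check_ldap_filter(f))
```
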


@hhclaes commented on GitHub (May 6, 2025):

@gaby Thanks a lot! It works now.

Reference: github-starred/open-webui#4909