github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-26 11:27:54 -05:00
Code Issues 2.4k Packages Projects Releases 129 Wiki Activity

[GH-ISSUE #668] feat: LDAP User management #50834

New Issue
Closed
opened 2026-05-05 11:20:10 -05:00 by GiteaMirror · 36 comments
GiteaMirror commented 2026-05-05 11:20:10 -05:00
Owner
Copy Link

Originally created by @this-josh on GitHub (Feb 7, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/668

Is your feature request related to a problem? Please describe.
Users should be managed via LDAP, similar to Portainer

Describe the solution you'd like
LDAP user management implemented

Describe alternatives you've considered

  • OAUTH
  • Microsoft Active directory

I believe LDAP is the best starting point

Additional context

One key feature of ollama-webui is its ability to have users, but without LDAP this doesn't have same network level utility.

Originally created by @this-josh on GitHub (Feb 7, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/668 **Is your feature request related to a problem? Please describe.** Users should be managed via LDAP, similar to [Portainer](https://docs.portainer.io/admin/settings/authentication/ldap) **Describe the solution you'd like** LDAP user management implemented **Describe alternatives you've considered** - OAUTH - Microsoft Active directory I believe LDAP is the best starting point **Additional context** One key feature of `ollama-webui` is its ability to have users, but without LDAP this doesn't have same network level utility.
GiteaMirror added the enhancementgood first issuehelp wantednon-core labels 2026-05-05 11:20:10 -05:00
GiteaMirror commented 2026-05-05 11:20:13 -05:00
Author
Owner
Copy Link

@jannikstdl commented on GitHub (Feb 7, 2024):

Yes agree, this would be a use case for us as well.

<!-- gh-comment-id:1931839077 --> @jannikstdl commented on GitHub (Feb 7, 2024): Yes agree, this would be a use case for us as well.
GiteaMirror commented 2026-05-05 11:20:14 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Feb 7, 2024):

Related: https://github.com/ollama-webui/ollama-webui/issues/483

<!-- gh-comment-id:1933135334 --> @tjbck commented on GitHub (Feb 7, 2024): Related: https://github.com/ollama-webui/ollama-webui/issues/483
GiteaMirror commented 2026-05-05 11:20:14 -05:00
Author
Owner
Copy Link

@UberMetroid commented on GitHub (Feb 18, 2024):

I can help test this.

<!-- gh-comment-id:1951376910 --> @UberMetroid commented on GitHub (Feb 18, 2024): I can help test this.
GiteaMirror commented 2026-05-05 11:20:15 -05:00
Author
Owner
Copy Link

@eingemaischt commented on GitHub (Apr 10, 2024):

This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself...

<!-- gh-comment-id:2046655303 --> @eingemaischt commented on GitHub (Apr 10, 2024): This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself...
GiteaMirror commented 2026-05-05 11:20:16 -05:00
Author
Owner
Copy Link

@justinh-rahb commented on GitHub (Apr 10, 2024):

This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself...

Excellent news, this has been implemented:

<!-- gh-comment-id:2046664205 --> @justinh-rahb commented on GitHub (Apr 10, 2024): > This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself... Excellent news, this has been implemented: - #1347
GiteaMirror commented 2026-05-05 11:20:17 -05:00
Author
Owner
Copy Link

@Manfredzimmermann commented on GitHub (Jul 3, 2024):

How can I connect Open-WebUI with Microsoft Active directory? I'm looking for an excellent solution. A fixed module in Open-WebUI for Active Directory (LDAP) would be a dream

<!-- gh-comment-id:2206037649 --> @Manfredzimmermann commented on GitHub (Jul 3, 2024): How can I connect Open-WebUI with Microsoft Active directory? I'm looking for an excellent solution. A fixed module in Open-WebUI for Active Directory (LDAP) would be a dream
GiteaMirror commented 2026-05-05 11:20:17 -05:00
Author
Owner
Copy Link

@FritzHeiden commented on GitHub (Jul 26, 2024):

I'd really like to see this feature implemented aswell

<!-- gh-comment-id:2252423199 --> @FritzHeiden commented on GitHub (Jul 26, 2024): I'd really like to see this feature implemented aswell
GiteaMirror commented 2026-05-05 11:20:18 -05:00
Author
Owner
Copy Link

@dorianborovina commented on GitHub (Aug 1, 2024):

Me too! +1 from me.

<!-- gh-comment-id:2262627015 --> @dorianborovina commented on GitHub (Aug 1, 2024): Me too! +1 from me.
GiteaMirror commented 2026-05-05 11:20:19 -05:00
Author
Owner
Copy Link

@hostingnuggets commented on GitHub (Aug 1, 2024):

Me too! +100 from me ;-)

<!-- gh-comment-id:2262905495 --> @hostingnuggets commented on GitHub (Aug 1, 2024): Me too! +100 from me ;-)
GiteaMirror commented 2026-05-05 11:20:20 -05:00
Author
Owner
Copy Link

@peske commented on GitHub (Aug 2, 2024):

+1

<!-- gh-comment-id:2264356388 --> @peske commented on GitHub (Aug 2, 2024): +1
GiteaMirror commented 2026-05-05 11:20:21 -05:00
Author
Owner
Copy Link

@sry9681 commented on GitHub (Aug 12, 2024):

+1

<!-- gh-comment-id:2284617279 --> @sry9681 commented on GitHub (Aug 12, 2024): +1
GiteaMirror commented 2026-05-05 11:20:21 -05:00
Author
Owner
Copy Link

@lduplaga commented on GitHub (Aug 16, 2024):

Would be awesome to have this feature.

<!-- gh-comment-id:2293116696 --> @lduplaga commented on GitHub (Aug 16, 2024): Would be awesome to have this feature.
GiteaMirror commented 2026-05-05 11:20:22 -05:00
Author
Owner
Copy Link

@seal61 commented on GitHub (Aug 30, 2024):

+1

<!-- gh-comment-id:2321092798 --> @seal61 commented on GitHub (Aug 30, 2024): +1
GiteaMirror commented 2026-05-05 11:20:23 -05:00
Author
Owner
Copy Link

@lduplaga commented on GitHub (Aug 30, 2024):

I solved my case with Microsoft authentication by this

https://docs.openwebui.com/tutorial/sso#microsoft

<!-- gh-comment-id:2321096304 --> @lduplaga commented on GitHub (Aug 30, 2024): I solved my case with Microsoft authentication by this https://docs.openwebui.com/tutorial/sso#microsoft
GiteaMirror commented 2026-05-05 11:20:23 -05:00
Author
Owner
Copy Link

@seal61 commented on GitHub (Aug 30, 2024):

I solved my case with Microsoft authentication by this

https://docs.openwebui.com/tutorial/sso#microsoft

does not help with local active directory / ldap server sadly, but might be useful for some.

<!-- gh-comment-id:2321131217 --> @seal61 commented on GitHub (Aug 30, 2024): > I solved my case with Microsoft authentication by this > > https://docs.openwebui.com/tutorial/sso#microsoft does not help with local active directory / ldap server sadly, but might be useful for some.
GiteaMirror commented 2026-05-05 11:20:24 -05:00
Author
Owner
Copy Link

@WilsonZiweiWang commented on GitHub (Aug 30, 2024):

My implementation: f4e487480f
It worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks.

<!-- gh-comment-id:2321736035 --> @WilsonZiweiWang commented on GitHub (Aug 30, 2024): My implementation: https://github.com/WilsonZiweiWang/open-webui/commit/f4e487480f414f24ff19b0243e6357c0625b330f It worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks.
GiteaMirror commented 2026-05-05 11:20:25 -05:00
Author
Owner
Copy Link

@hostingnuggets commented on GitHub (Aug 30, 2024):

Bravo @WilsonZiweiWang for your LDAP implementation. @tjbck could @WilsonZiweiWang's code be integrated to this project?

<!-- gh-comment-id:2321933895 --> @hostingnuggets commented on GitHub (Aug 30, 2024): Bravo @WilsonZiweiWang for your LDAP implementation. @tjbck could @WilsonZiweiWang's code be integrated to this project?
GiteaMirror commented 2026-05-05 11:20:26 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Aug 30, 2024):

Feel free to make a PR!

<!-- gh-comment-id:2322099381 --> @tjbck commented on GitHub (Aug 30, 2024): Feel free to make a PR!
GiteaMirror commented 2026-05-05 11:20:27 -05:00
Author
Owner
Copy Link

@justinh-rahb commented on GitHub (Aug 30, 2024):

WilsonZiweiWang with some refac that might be workable for more servers. Not working on my AD server, but honestly I'm fairly sure it's either a layer8 problem, or we just need more environment variables to tune the (too many) options for LDAP binding, user search and field mappings.

<!-- gh-comment-id:2322511539 --> @justinh-rahb commented on GitHub (Aug 30, 2024): WilsonZiweiWang with some refac that might be workable for more servers. Not working on my AD server, but honestly I'm fairly sure it's either a layer8 problem, or we just need more environment variables to tune the (too many) options for LDAP binding, user search and field mappings.
GiteaMirror commented 2026-05-05 11:20:27 -05:00
Author
Owner
Copy Link

@Peter-De-Ath commented on GitHub (Aug 31, 2024):

My implementation: WilsonZiweiWang@f4e4874 It worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks.

I wasn't quite able able to get this working out the box, but adding

LDAP_USER_DN = f'cn={cn},{LDAP_USERS_DN}'

inside if uid == form_data.user:

<!-- gh-comment-id:2322627904 --> @Peter-De-Ath commented on GitHub (Aug 31, 2024): > My implementation: [WilsonZiweiWang@f4e4874](https://github.com/WilsonZiweiWang/open-webui/commit/f4e487480f414f24ff19b0243e6357c0625b330f) It worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks. I wasn't quite able able to get this working out the box, but adding `LDAP_USER_DN = f'cn={cn},{LDAP_USERS_DN}'` inside `if uid == form_data.user:`
GiteaMirror commented 2026-05-05 11:20:29 -05:00
Author
Owner
Copy Link

@justinh-rahb commented on GitHub (Aug 31, 2024):

I got this to work with @Peter-De-Ath's modification on a test LDAP server, but still unable to get working on my (probably misconfigured by my predecessor) AD domain.

Some notes I'd add:

  • This won't interact well with WEBUI_LOGIN=false, the email/username and password fields are hidden
  • Could we not use the email field for login? We already get it from the LDAP server to create the account
  • Would prefer if LDAP is enabled that a button be shown in similar style to the OIDC login buttons, hidden otherwise
  • May want to be able to configure which field is used for the username
<!-- gh-comment-id:2322733312 --> @justinh-rahb commented on GitHub (Aug 31, 2024): I got this to work with @Peter-De-Ath's modification on a test LDAP server, but still unable to get working on my (probably misconfigured by my predecessor) AD domain. Some notes I'd add: - This won't interact well with `WEBUI_LOGIN=false`, the email/username and password fields are hidden - Could we not use the `email` field for login? We already get it from the LDAP server to create the account - Would prefer if LDAP is enabled that a button be shown in similar style to the OIDC login buttons, hidden otherwise - May want to be able to configure which field is used for the username
GiteaMirror commented 2026-05-05 11:20:32 -05:00
Author
Owner
Copy Link

@WilsonZiweiWang commented on GitHub (Aug 31, 2024):

hi all, thanks for testing my code and leaving comments, I have created the PR for this issue: https://github.com/open-webui/open-webui/pull/5056

<!-- gh-comment-id:2322739973 --> @WilsonZiweiWang commented on GitHub (Aug 31, 2024): hi all, thanks for testing my code and leaving comments, I have created the PR for this issue: https://github.com/open-webui/open-webui/pull/5056
GiteaMirror commented 2026-05-05 11:20:32 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Nov 6, 2024):

LDAP support merged to dev. More testing wanted from the community here!

<!-- gh-comment-id:2458738720 --> @tjbck commented on GitHub (Nov 6, 2024): LDAP support merged to dev. More testing wanted from the community here!
GiteaMirror commented 2026-05-05 11:20:33 -05:00
Author
Owner
Copy Link

@arthur-flam commented on GitHub (Nov 6, 2024):

Hello! We managed to make it work with LDAP. Thanks a lot for adding this feature.
Some small issues I ran into:

  • Auths.insert_new_auth only gets mail/hash/cn parameters. Other auth methods also accept a role (default to pending otherwise no matter how DEFAULT_USER_ROLE is defined. It's also not possible to add profile picture (although it could be difficult with ldap, at least in my experience with our LDAP, ldapsearch returns a path to a temp image file, not a real URL).
  • The LDAP_SEARCH_FILTERS is always messy to get right. I didn't understand that it already did f&(LDAP_ATTRIBUTE_FOR_USERNAME={login})({LDAP_SEARCH_FILTERS}).
    In any case testing with dev was very easy, amazing work all around.
<!-- gh-comment-id:2459230096 --> @arthur-flam commented on GitHub (Nov 6, 2024): Hello! We managed to make it work with LDAP. Thanks a lot for adding this feature. Some small issues I ran into: - `Auths.insert_new_auth` only gets `mail`/`hash`/`cn` parameters. Other auth methods also accept a role (default to `pending` otherwise no matter how `DEFAULT_USER_ROLE` is defined. It's also not possible to add profile picture (although it could be difficult with ldap, at least in my experience with our LDAP, `ldapsearch` returns a path to a temp image file, not a real URL). - The `LDAP_SEARCH_FILTERS` is always messy to get right. I didn't understand that it already did f`&(LDAP_ATTRIBUTE_FOR_USERNAME={login})({LDAP_SEARCH_FILTERS})`. In any case testing with `dev` was very easy, amazing work all around.
GiteaMirror commented 2026-05-05 11:20:33 -05:00
Author
Owner
Copy Link

@nordy1145 commented on GitHub (Nov 7, 2024):

I also got LDAP working with a simple ldap filter to a specific group, TLS and no issues authenticating. The only issue I see is the default Role is Pending instead of User as mentioned above.

<!-- gh-comment-id:2462769988 --> @nordy1145 commented on GitHub (Nov 7, 2024): I also got LDAP working with a simple ldap filter to a specific group, TLS and no issues authenticating. The only issue I see is the default Role is Pending instead of User as mentioned above.
GiteaMirror commented 2026-05-05 11:20:34 -05:00
Author
Owner
Copy Link

@GabrielRamirez commented on GitHub (Nov 7, 2024):

Are the LDAP variables set in the .env file?

<!-- gh-comment-id:2463131896 --> @GabrielRamirez commented on GitHub (Nov 7, 2024): Are the LDAP variables set in the .env file?
GiteaMirror commented 2026-05-05 11:20:35 -05:00
Author
Owner
Copy Link

@WilsonZiweiWang commented on GitHub (Nov 8, 2024):

Are the LDAP variables set in the .env file?

You can set initial values to them in the .env file or edit them with the interface

<!-- gh-comment-id:2463639252 --> @WilsonZiweiWang commented on GitHub (Nov 8, 2024): > Are the LDAP variables set in the .env file? You can set initial values to them in the .env file or edit them with the interface
GiteaMirror commented 2026-05-05 11:20:36 -05:00
Author
Owner
Copy Link

@UberMetroid commented on GitHub (Nov 20, 2024):

works great. thank you.

<!-- gh-comment-id:2487478618 --> @UberMetroid commented on GitHub (Nov 20, 2024): works great. thank you.
GiteaMirror commented 2026-05-05 11:20:37 -05:00
Author
Owner
Copy Link

@VfBfoerst commented on GitHub (Nov 20, 2024):

thanks for the implementation :) I also tested it, works like a charm.

<!-- gh-comment-id:2488215235 --> @VfBfoerst commented on GitHub (Nov 20, 2024): thanks for the implementation :) I also tested it, works like a charm.
GiteaMirror commented 2026-05-05 11:20:39 -05:00
Author
Owner
Copy Link

@wixyskywriter commented on GitHub (Nov 24, 2024):

would it be possible to share a sample of a working configuration?

<!-- gh-comment-id:2496117602 --> @wixyskywriter commented on GitHub (Nov 24, 2024): would it be possible to share a sample of a working configuration?
GiteaMirror commented 2026-05-05 11:20:39 -05:00
Author
Owner
Copy Link

@WilsonZiweiWang commented on GitHub (Nov 25, 2024):

would it be possible to share a sample of a working configuration?

You will need to know how your active directory is configured.

<!-- gh-comment-id:2498429340 --> @WilsonZiweiWang commented on GitHub (Nov 25, 2024): > would it be possible to share a sample of a working configuration? You will need to know how your active directory is configured.
GiteaMirror commented 2026-05-05 11:20:40 -05:00
Author
Owner
Copy Link

@wixyskywriter commented on GitHub (Nov 26, 2024):

I know, but still not able to integrate and the binding error appearing. If there is a guide or tutorial for setting up AD integration would be helpful to everyone.

<!-- gh-comment-id:2499435356 --> @wixyskywriter commented on GitHub (Nov 26, 2024): I know, but still not able to integrate and the binding error appearing. If there is a guide or tutorial for setting up AD integration would be helpful to everyone.
GiteaMirror commented 2026-05-05 11:20:41 -05:00
Author
Owner
Copy Link

@WilsonZiweiWang commented on GitHub (Nov 28, 2024):

I know, but still not able to integrate and the binding error appearing. If there is a guide or tutorial for setting up AD integration would be helpful to everyone.

The configurations can be very different from case to case, I think first it is best that you let us know what errors you are having. You could create an issue.

<!-- gh-comment-id:2505124251 --> @WilsonZiweiWang commented on GitHub (Nov 28, 2024): > I know, but still not able to integrate and the binding error appearing. If there is a guide or tutorial for setting up AD integration would be helpful to everyone. The configurations can be very different from case to case, I think first it is best that you let us know what errors you are having. You could create an issue.
GiteaMirror commented 2026-05-05 11:20:42 -05:00
Author
Owner
Copy Link

@AndreasUpb commented on GitHub (Dec 2, 2024):

Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case?

<!-- gh-comment-id:2510821558 --> @AndreasUpb commented on GitHub (Dec 2, 2024): Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case?
GiteaMirror commented 2026-05-05 11:20:43 -05:00
Author
Owner
Copy Link

@nordy1145 commented on GitHub (Dec 3, 2024):

Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case?

Why not just create a single group and nest groups under that one?

<!-- gh-comment-id:2513459264 --> @nordy1145 commented on GitHub (Dec 3, 2024): > Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case? Why not just create a single group and nest groups under that one?
GiteaMirror commented 2026-05-05 11:20:44 -05:00
Author
Owner
Copy Link

@AndreasUpb commented on GitHub (Dec 3, 2024):

Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case?

Why not just create a single group and nest groups under that one?

I already have a meta-group in ldap, so that the login works for both groups. But i want ldap-group-a to have openwebui-permission-group-a (can only access model llamaX) and ldap-group-b to have openwebui-permission-group-b (can also access model gpt4 + working area).

<!-- gh-comment-id:2513777266 --> @AndreasUpb commented on GitHub (Dec 3, 2024): > > Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case? > > Why not just create a single group and nest groups under that one? I already have a meta-group in ldap, so that the login works for both groups. But i want ldap-group-a to have openwebui-permission-group-a (can only access model llamaX) and ldap-group-b to have openwebui-permission-group-b (can also access model gpt4 + working area).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label enhancement good first issue help wanted non-core
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#50834
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?