[GH-ISSUE #12813] issue: LDAP Login not working for v0.6.3 and v0.6.4 #55387

Closed
opened 2026-05-05 17:30:18 -05:00 by GiteaMirror · 11 comments
Owner

Originally created by @marcuscmy on GitHub (Apr 13, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/12813

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.4

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have listed steps to reproduce the bug in detail.

Expected Behavior

LDAP users are able to log in.

Actual Behavior

LDAP users are unable to log in due to incorrect processing of the returned user email. The system attempts to create a user with the falsely returned "email" and fails.

The LDAP module returns mail as a key-value pair (mail: emailaddress) instead of only the email address. Therefore existing users are unable to be identified, and it attempts to create a new user, but pydantic detects the input as an attribute instead of a string.

Steps to Reproduce

Install v0.6.4, connect LDAP server, attempt to login with LDAP user.

Logs & Screenshots

2025-04-13T08:28:05.160795394Z 2025-04-13 08:28:05.160 | ERROR | open_webui.routers.auths:ldap_auth:322 - LDAP authentication error: 500: Internal error occurred during LDAP user creation. - {}
2025-04-13T08:28:05.161651357Z 2025-04-13 08:28:05.161 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.X.X:0 - "POST /api/v1/auths/ldap HTTP/1.1" 400 - {}
2025-04-13T08:29:07.275810912Z 2025-04-13 08:29:07.275 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.X.X:0 - "GET /api/config HTTP/1.1" 200 - {}
2025-04-13T08:29:10.085765379Z 2025-04-13 08:29:10.085 | INFO | open_webui.models.auths:insert_new_auth:108 - insert_new_auth - {}
2025-04-13T08:29:10.086007653Z 2025-04-13 08:29:10.085 | ERROR | open_webui.routers.auths:ldap_auth:281 - LDAP user creation error: 1 validation error for AuthModel
2025-04-13T08:29:10.086036826Z email
2025-04-13T08:29:10.086042044Z Input should be a valid string [type=string_type, input_value=mail: first.last@domain.com, input_type=Attribute]
2025-04-13T08:29:10.086046794Z For further information visit https://errors.pydantic.dev/2.10/v/string_type - {}
[4:38 pm]

Additional Information

I suspect this is due to the changes in backend/open_webui/routers/auths.py -
in v0.6.2 line 231-237:

    entry = connection_app.entries[0]
    username = str(entry[f"{LDAP_ATTRIBUTE_FOR_USERNAME}"]).lower()
    email = str(entry[f"{LDAP_ATTRIBUTE_FOR_MAIL}"])
    if not email or email == "" or email == "[]":
        raise HTTPException(400, "User does not have a valid email address.")
    else:
        email = email.lower()

in v0.6.3 (unchanged in v0.6.4) line 231-239:

    entry = connection_app.entries[0]
    username = str(entry[f"{LDAP_ATTRIBUTE_FOR_USERNAME}"]).lower()
    email = entry[f"{LDAP_ATTRIBUTE_FOR_MAIL}"]
    if not email:
        raise HTTPException(400, "User does not have a valid email address.")
    elif isinstance(email, str):
        email = email.lower()
    elif isinstance(email, list):
        email = email[0].lower()

It appears allowing email to preserve its original type has caused some unexpected behaviors.

I have downgraded my instance from 0.6.4 to 0.6.2 and users can log in again.

GiteaMirror added the bug label 2026-05-05 17:30:18 -05:00

@mw-ctrl commented on GitHub (Apr 13, 2025):

I have a similar problem. My users already exist from previous versions, so after upgrading I always get the following error message:
LDAP authentication failed.

I have just the basic configuration, i.e. without TLS and with port 389, in the web-ui configuration.


@marcuscmy commented on GitHub (Apr 13, 2025):

Added screenshots of my LDAP Auth for developer's reference.


@gaby commented on GitHub (Apr 13, 2025):

This is related to changes introduced in https://github.com/open-webui/open-webui/pull/12647


@marcuscmy commented on GitHub (Apr 13, 2025):

I have confirmed this behavior also exists with a brand new instance of OpenWebUI; I tested this in our staging environment.

Additionally, I have found that in the newer v0.6.4 version I could not turn off TLS for LDAP.

Adding the below to the environment variables worked:
LDAP_USE_TLS=False

Then the issue I have submitted was successfully recreated.

2025-04-13T14:04:42.648225731Z 2025-04-13 14:04:42.648 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.0.253:0 - "POST /api/v1/auths/ldap HTTP/1.1" 400 - {}
2025-04-13T14:09:01.296935805Z 2025-04-13 14:09:01.291 | INFO | open_webui.models.auths:insert_new_auth:108 - insert_new_auth - {}
2025-04-13T14:09:01.297718896Z 2025-04-13 14:09:01.295 | ERROR | open_webui.routers.auths:ldap_auth:281 - LDAP user creation error: 1 validation error for AuthModel
2025-04-13T14:09:01.297731816Z email
2025-04-13T14:09:01.297739836Z Input should be a valid string [type=string_type, input_value=mail: address@domain.com, input_type=Attribute]
2025-04-13T14:09:01.297747236Z For further information visit https://errors.pydantic.dev/2.10/v/string_type - {}
2025-04-13T14:09:01.297754766Z 2025-04-13 14:09:01.295 | ERROR | open_webui.routers.auths:ldap_auth:322 - LDAP authentication error: 500: Internal error occurred during LDAP user creation. - {}
2025-04-13T14:09:01.297762116Z 2025-04-13 14:09:01.295 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.0.253:0 - "POST /api/v1/auths/ldap HTTP/1.1" 400 - {}


@athoik commented on GitHub (Apr 13, 2025):

Hi,

A fix was pushed in #12819

CC @tjbck

Thank you!


@marcuscmy commented on GitHub (Apr 13, 2025):

Can confirm the proposed fix works for environments with a single mail attribute.

@athoik thanks for the quick fix! You beat me to the punch while I was trying to set up the development environment.

Unfortunately, it seems like I cannot simulate environments with multiple mail attributes since it is not supported by Windows AD.


@athoik commented on GitHub (Apr 13, 2025):

@behrmann could you please confirm that the fix works properly on multiple mail attributes?

Although I strongly believe that the issue was happening on multiple mail LDAP systems. Because the `isinstance` was checking `Attribute` vs `list` or `str`. That should never have worked...


@RocketRider commented on GitHub (Apr 13, 2025):

The issue is prohibiting me from updating as I need the LDAP authentication with one mail.


@weisser-dev commented on GitHub (Apr 14, 2025):

You also need an else like in this: https://github.com/open-webui/open-webui/pull/12835


@behrmann commented on GitHub (Apr 14, 2025):

@athoik Sorry, no idea how, but I lost the `.value` copying this over from where I had fixed this in production. My bad.


@athoik commented on GitHub (Apr 14, 2025):

> @athoik Sorry, no idea how, but I lost the `.value` copying this over from where I had fixed this in production. My bad.

No worries! You cannot make an omelette without breaking some eggs 👍
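
Added example, not part of the thread and not Open WebUI's code: it replays the v0.6.3 branching quoted in the issue against a stand-in attribute wrapper, then shows one way to unwrap with `.value` and fail closed in a final `else`-style check, as the later comments suggest. `FakeAttribute`, `email_v063` and `email_unwrapped` are hypothetical names, the wrapper's behaviour is an assumption modelled on the log output above, and `ValueError` stands in for `HTTPException`.

```python
# Added illustration, not Open WebUI code. FakeAttribute is a constructed
# stand-in for the LDAP attribute wrapper seen in the log (input_type=Attribute);
# its behaviour is an assumption modelled on what the thread describes.
class FakeAttribute:
    def __init__(self, key, values):
        self.key, self.values = key, list(values)

    @property
    def value(self):
        # Assumed: None when empty, scalar for one value, list for several.
        if not self.values:
            return None
        return self.values[0] if len(self.values) == 1 else self.values

    def __len__(self):
        return len(self.values)

    def __repr__(self):
        return f"{self.key}: {', '.join(self.values)}"


def email_v063(attr):
    """Branching quoted in the issue for v0.6.3/v0.6.4 (ValueError replaces HTTPException)."""
    email = attr
    if not email:
        raise ValueError("User does not have a valid email address.")
    elif isinstance(email, str):
        email = email.lower()
    elif isinstance(email, list):
        email = email[0].lower()
    return email  # wrapper is neither str nor list, so it falls through unchanged


def email_unwrapped(attr):
    """Hypothetical hardened variant: unwrap first, then reject anything that is not a string."""
    value = getattr(attr, "value", attr)
    if isinstance(value, (list, tuple)):
        value = value[0] if value else None
    if not isinstance(value, str) or not value.strip():
        raise ValueError("User does not have a valid email address.")
    return value.strip().lower()


single = FakeAttribute("mail", ["First.Last@domain.com"])  # constructed sample
multi = FakeAttribute("mail", ["A@domain.com", "b@domain.com"])  # constructed sample
```

Because the email is the key used to find an existing account, a value that is neither normalized nor a string sends every login down the user-creation path; rejecting unexpected types before the lookup keeps that failure explicit.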

Reference: github-starred/open-webui#55387