mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-10 23:55:15 -05:00
[GH-ISSUE #7063] issue: LDAP Not Working With Active Directory #85329
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @stondino00 on GitHub (Nov 20, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/7063
Originally assigned to: @jackthgu on GitHub.
Trying to test the new feature of LDAP against our active directory. We are using the same settings other Linux servers are using to bind to our ldap and open-webui is not working.
Are there any examples of the testing done that can be shown that work? How do I get a debug log from docker about this ldap communication with our active directory?
@tjbck commented on GitHub (Nov 20, 2024):
@morgan55555 @WilsonZiweiWang
@stondino00 commented on GitHub (Nov 20, 2024):
Keep getting this with tls disabled on ports 389 and 3268 non tls ports.
When I do this command it shows this at the bottom each time I try and login with an ldap credential.
My domain controller does show ldap attempts from the IP of the open-webui server so it appears to be reaching out but is not successful.
sudo docker logs
@zsy5172 commented on GitHub (Nov 20, 2024):
@stondino00 In Active Directory, the attribute for username should be sAMAccountName, my configuration works fine.
@tjbck Could you consider adding a "test" button in the LDAP settings? This way, users can know if the configuration is correct.
and. print result in HTTPException detail will be better.
Change to
if connection fail, it will show something like
@fq393 commented on GitHub (Nov 20, 2024):
Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email
@stondino00 commented on GitHub (Nov 20, 2024):
Still no luck. Where would one put the public certificate if trying over tls ports?
Get Invalid CA Public Key File with the above config.
@zsy5172 commented on GitHub (Nov 20, 2024):
try without tls first, then use tls if success. seems your cert path is wrong, it should be the path inside container.
@tjbck commented on GitHub (Nov 20, 2024):
@zsy5172 PR welcome!
@stondino00 commented on GitHub (Nov 20, 2024):
Can an option be made in the ldap config to check a box to disable tls/ssl verification of the certificate? We use self signed domain certs in our active directory and it doesn't appear the ldap in open-webui likes self signed even when the public cert is supplied.
@stondino00 commented on GitHub (Nov 20, 2024):
Ok I think I figured this out on my end by getting it the right certificate it was needing.
I did have to send the certificate to the container for it to see it. How do we do this with the container updating with newer versions of open-webui?
Could a paste certificate be added to the ldap section so it's kept in the database and will survive container updates?
@zsy5172 commented on GitHub (Nov 21, 2024):
if you already use docker, you can make
-v open-webui:/app/backend/datauseful. put your certificate in volumeopen-webuiand point the path to/app/backend/data/your_certificatein your ldap configuration@WilsonZiweiWang commented on GitHub (Nov 21, 2024):
@vanche1212 The main purpose of getting this attribute is to create the WebUI user. Could you be more specific about the issue you are having?
@morgan55555 commented on GitHub (Nov 21, 2024):
Can be related to https://github.com/open-webui/open-webui/pull/7162
@adamoutler commented on GitHub (Nov 27, 2024):
Please make everything configurable. These default values will not work for all situations for example my search filter is:
(&(objectClass=Person)(memberOf=CN=my-users,OU=Groups,DC=domain,DC=ad,DC=mycompany,DC=com)(|(sAMAccountName=%s)(companyEmailAlias=%s)))Which would allow the user in a specific group to login with the email or username they're familiar with. the mail attribute is something the user may have never seen before. I can't seem to get my config working for login.
@WilsonZiweiWang commented on GitHub (Nov 28, 2024):
WebUI will need the email to create the user in the current workflow. Where does that come from in your case?
@adamoutler commented on GitHub (Nov 28, 2024):
CompanyEmailAlias property. Not this name directly, but as an approximation. It should be customizable.
There's still some stuff to do to make this universal. Usually with ldap setups you'd want to customize the container which may be uid or cn which is the identifier of the account. There should be a unique property as well to account for account deletions followed by a new user creation with username reuse. The user may login with email property or username property depending on preference. The email may be something different than expected. The profile picture may be different per-configuration. The filter should be able to override the login username as well.
@smccreadie1 commented on GitHub (Dec 2, 2024):
Hello, I am trying out the new LDAP feature. I am excited to use this as it will make this manageable in our environment.
I am running into the issue ( I think) of the LDAP implementation not trusting our internal CA TLS certs. The error message says "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak"
I am thinking this is because it doesnt like the internal CA authority, as the cert appears to be SHA256RSA
Any help is appreciated. Thanks
@smccreadie1 commented on GitHub (Dec 2, 2024):
I see my Domain Controller certs are using a key size of 1024 bits, maybe that is the issue here? If so, does anyone know the minimum key size that the LDAP module requires? Thanks
@robby-d commented on GitHub (Jan 28, 2025):
Trying to log in with my Samba-based active directory DC. I supply the public key chain for the AD server, but when connecting to port 389, still get:
The system supports starttls on port 389 fine, but not straight SSL. Is the "TLS" option actually trying to connect via SSL?
I also try turning off the "TLS" option, but then I get the error:
The bind account specified is tested and working elsewhere. I've turned up logging to DEBUG and nothing useful. In the docker container I just see:
@Vinc89 commented on GitHub (Jan 30, 2025):
Hi, I have a bit different error when using TLS for LDAP. I'm using a full chain cert signed by a trusted authority.
socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1006)
@LeeVinBin commented on GitHub (Feb 3, 2025):
Open-WebUI v0.5.7
This works !!!
Host: 192.168.1.1
Port: 389
Application DN:cn=ldapauth,cn=users,dc=test,dc=com
Application DN Password: ldapauth user password
Attribute for Username: sAMAccountName (modify)
Search Base: dc=test,dc=com
Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com))
TLS: Disable
Add AD users to the openwebui group
@Vasyl-svy commented on GitHub (Feb 4, 2025):
We use the same configuration for LDAP without TLS, but get the error - "the application account bind failed". How it fix or check connection?
@adamoutler commented on GitHub (Feb 4, 2025):
Check your Bind Account Credentials @Vasyl-svy
@Vasyl-svy commented on GitHub (Feb 4, 2025):
thanks for quick response, the credentials is good, because used in another config. So, if you use .env file this configuration of LDAP we add to this file or type via gui in admin of OpenWebUI
@lwdnxu commented on GitHub (Feb 7, 2025):
@adamoutler hello,When I log in with LDAP, I get an error: list index out of range, regardless of whether my password is correct or not. However, when I search with ldapsearch, I can find it. Please!
@0x9394 commented on GitHub (Feb 13, 2025):
@lwdnxu check if the user id is in the member group or not. (follow
LeeVinBin's example)@Gum97 commented on GitHub (Feb 19, 2025):
Open-WebUI v0.5.14 Not works
(latest)
Host: 192.168.1.1
Port: 389
Application DN:cn=ldapauth,cn=users,dc=test,dc=com
Application DN Password: ldapauth user password
Attribute for Mail: mail
Attribute for Username: sAMAccountName (modify)
Search Base: dc=test,dc=com
Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com))
TLS: Disable
@LeeVinBin commented on GitHub (Feb 20, 2025):
I verified it works !!!
@waterdrops commented on GitHub (Feb 20, 2025):
Same here, It works well with version 0.5.14 of Open-WebUI.
@stondino00 Check all configurable settings, with special attention to the
Search Filterssection, and adjust the content based on your specific situation.@bilalwaheedch commented on GitHub (Feb 23, 2025):
I can confirm it does indeed work, however I am unable to get the nested groups working. Ideas anyone?
@dont-touchme commented on GitHub (Mar 5, 2025):
你好,按照你的设置方式,我登录时提示:400: Application account bind failed
我使用Microsoft AD,不知道你是否也是一样的环境?请教,谢谢!
@bbotte commented on GitHub (Mar 12, 2025):
windows AD config, it is work well
@adamoutler commented on GitHub (Mar 12, 2025):
My home Active Directory config, without TLS, in Docker Compose format.
@adamoutler commented on GitHub (Mar 12, 2025):
Does anyone know how to allow both email and username for login? Eg.
Seems appropriate as the rest of Open WebUI uses email, but usually AD requires username, so why not both?
@dont-touchme commented on GitHub (Mar 19, 2025):
Is ldapauth the username with administrative privileges? Does the DN password correspond to the password of the ldapauth username?Thank you.
@adamoutler commented on GitHub (Mar 19, 2025):
It's the bind user and pass. It's def not the admin. Usually bind has no groups or just enough permissions to perform the task of looking up a username. You create an account just for binding between your app and AD/LDAP. Someone chose very weird names. I think it was someone who knows OAUTH but was kinda unfamiliar with AD
@EJansenMSFT commented on GitHub (Apr 4, 2025):
Has anyone got TLS working? I configured LDAP to work with the Active Directory domain in my lab just fine, but it's doing SIMPLE binds, and the passwords are sent in clear text which obviously most people wouldn't want. In my lab I just issued client / server auth certs to the DCs for testing purposes, and I exported a .p7b file with the Root/Sub CA certs in it. I assume, I'd put the .p7b (if that's even supported?) somewhere in the volume on the container and point to the .p7b where it says 'Enter Certificate Path'?
What I did so far that didn't work is I copied the Root CA and SubCA certs to the following path:
docker cp C:\temp\ROOTCA-CA.cer open-webui-doclib:/app/backend/data
docker cp C:\temp\SubCA-CA.cer open-webui-doclib:/app/backend/data
docker exec -it open-webui-doclib bash
update-ca-certificates
Then went into the Admin Settings within OpenWebUI, enabled TLS pointing to:
/app/backend/data/SubCA-CA.cer
changed the port to 636, saved the config, logged off, and then tried to log on with a test user, while running Wireshark on the DC.
I see a Client Hello sent to the DC using TLSv1 over port 636, but the DC didn't respond with a Server Hello and it just failed with the following error:
Also, the LDAP Server that I defined in Admin Settings uses the FQDN of the server, and the cert has the FDQN defined in the SAN on the cert. The Cert has the Server Authentication and Client Authentication EKUs, it chains, and it has the private key.
Any ideas would be much appreciated.
Well, I found one of my issues... The FQDN of the server in the SAN was missing a .
For anyone else trying to do this, also keep these considerations in mind when generating your cert request:
Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Learn
[Solved] ID 1220 LDAPS 8009030e No credentials are available in the security package
Troubleshooting LDAP Over SSL | Microsoft Community Hub
At least the Server is sending a Server Hello now, but it's still failing from OpenWebUI. The Wireshark trace on the DC shows the following:
and on the OpenWebUI end, it shows the following:
Getting closer..
UPDATE - The Next Day:
Since then, I read that Linux ( I don't know Linux very well at all. ) doesn't like the .cer format for certificates, so I changed them to .crt. The certs are Base64 Encoded btw. I also put them in the /usr/local/share/ca-certificates directory and then reran the following:
docker exec -it open-webui-doclib bash
update-ca-certificates
Still getting the same error, so I figured I'd try a dev build based on @rgaricano suggestion.
After updating to the Dev build, I recopied my CA certs to the usr/local/share/ca-certificates directory and ran update-ca-certificates as I did before. This time, however, I went back into Admin Settings and cleared out the TLS Certificate path, leaving it blank. After doing that, logging off, and attempting to log back in with my test user, while doing a Wireshark trace on the DC, everything worked!
@rgaricano commented on GitHub (Apr 4, 2025):
maybe this help you, there are a referenced fix on thread: https://github.com/open-webui/open-webui/issues/12408#issuecomment-2777838379
@EJansenMSFT commented on GitHub (Apr 4, 2025):
Updated to the Dev image, cleared the cert path, and that did the trick, thanks! I've also updated what I did in my original post to hopefully help someone else out.
@rgaricano commented on GitHub (Apr 4, 2025):
(linux like .cer as .crt, it doesn't matter the name or ext, just if it's a valid cert file content)
@EJansenMSFT commented on GitHub (Apr 4, 2025):
Now I just need to figure out how to do SmartCard integration. From what I'm seeing, that's not natively supported with OpenWebUI. Any idea if there are plans to do so?
@mahasems commented on GitHub (Apr 10, 2025):
On v0.6.2 the Search Filter function seems broken.
If trying something like:
(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))
The real request according to tcpdump is:
(&(samaccountname=bill.gates)(&(objectClass=user)(|(samaccountname=%s)(userprincipalname=%s))))
However correct would be:
(&(objectClass=user)(|(sAMAccountName=bill.gates)(userPrincipalName=bill.gates)))
Only solution I found is leavint Search Filters empty...
@adamoutler commented on GitHub (Apr 10, 2025):
@mahasems
%sis not supported.@mahasems commented on GitHub (Apr 10, 2025):
Good to know. So the sample is missleading:
@adamoutler commented on GitHub (Apr 10, 2025):
@mahasems yeah. Otherwise i'd have
(&(objectClass=user)(|(mail=%s)(samaccountname=%s))(memberOf=cn=ai...))to allow both user and email login.@chAyubTahir commented on GitHub (Apr 29, 2025):
@tjbck I am having a problem with setting up LDAP in OpenWebUI.
I also bought your sponsorship. Could you please help? Thanks
@nasm0king commented on GitHub (May 29, 2025):
I am not sure if this is still an issue. I was able to resolve my issue with ldap with a added a ca cert. I am not using docker but have a standalone instance in linux. I had to change the port for ldap to 636 for ldaps on the open-webui portal. I tested with "openssl s_client -connect :636"
I also read the openwebui_access logs for auth issues. There was a cert issue afterwards that I resolved and rebooted my machine. I was able to auth in ldaps.
My Questions: (if needed to add a new thread I can)
I am trying to confirm where these settings are stored for non-docker installs and seems like it uses sqllite3 to contain that data. Can that be verified?
Also I am trying to have this authenticated with a specific security group, I am assuming that is the group that is specified in open-webui portal? Can you control permissions on those users as you would with a created user in open webui?
Also I see that this doesnt create a homedir for users that use ldap, does it still run the models that you add to ollama since they need be loaded in respective home dirs?
@Fmstrat commented on GitHub (Aug 1, 2025):
So, I had LDAP working with AD (A Samba4 AD, but an AD nonetheless). I was running via docker:
But then I updated to:
And am now getting:
However the user exists, and works fine in other services, and worked previously. In addition, despite getting the
User not founderror, I'm not seeing a connection on the Samba server at all.EDIT
In my case, it turned out that the latest OpenWebUI doesn't like the classic AD style of
samaccountnamefilter.This no longer works:
But thjis does:
The
samaccountnameportion is handled in the UI outside of filters, but this filter has always worked in the past. So if you're using a filter built for another app, maybe take a look there.@MDKAOD commented on GitHub (Aug 27, 2025):
@Fmstrat
Can you provide a sanitized screenshot of your config? I'm having a heck of a time getting this to work in my configuration, and am having the same "User not found error".
@dmessano commented on GitHub (Aug 31, 2025):
Works with 0.6.22 and 0.6.26.
This is for any valid user, i don't need group restrictions, and this is a Self-signed CA
@MDKAOD commented on GitHub (Sep 4, 2025):
All I can mangage to get is "LDAP authentication error: 400 User not found in the LDAP server". I've tried many iterations of the configuration. The Search Base values are currently CN=usercn,DC=foo,DC=bar, but trimming down to a less granular DC=foo,DC=bar doesn't help and going all the way down to DC=bar gives me "LDAP authentication error: invalid server address".
I have a Nextcloud install that works with Active Directory without an issue and Active Directory Explorer authenticates and permits browsing the AD tree, so I'm lost on how to proceed to troubleshoot further.
@saschacontes commented on GitHub (Sep 17, 2025):
For a quick test, I would shorten the Search Base to: DC=foo,DC=bar
CN=usercn,DC=foo,DC=bar would point to exatly this one user or if its an OU than its a typo and should be adjusted to OU=usercn,DC=foo,DC=bar
@stfast commented on GitHub (Sep 18, 2025):
This works for me:
Label: LDAP-domain.us
Host: domain.us
Port: 389
Application DN: CN=CGPT AD. Bind,OU=Services,OU=Users,OU=domain.us,DC=domain,DC=us
Application DN Password: **********
Attribute for Mail: mail
Attribute for Username: userPrincipalName
Search Base: OU=Users,OU=domain.us,DC=domain,DC=us
Search Filters: (objectClass=user)
Label: LDAP-domain.us
Host: domain.us
Port: 636
Application DN: CN=CGPT AD. Bind,OU=Services,OU=Users,OU=domain.us,DC=domain,DC=us
Application DN Password: **********
Attribute for Mail: mail
Attribute for Username: userPrincipalName
Search Base: OU=Users,OU=domain.us,DC=domain,DC=us
Search Filters: (&(objectClass=user)(memberof=CN=cgpt_user,OU=cgpt_domain_us,OU=CGPT,OU=Groups,OU=domain.us,DC=domain,DC=us))
TLS: (TOGGLE ON)
Certificate Path: (LEAVE EMPTY)
Validate certificate: (TOGGLE OFF)
Ciphers: ALL
$ docker logs open-webui
....
2025-09-18 23:13:55.637 | INFO | open_webui.routers.auths:ldap_auth:259 - LDAP search attributes: ['userPrincipalName', 'mail', 'cn']
2025-09-18 23:13:55.677 | INFO | open_webui.models.auths:authenticate_user_by_email:158 - authenticate_user_by_email: one.email@domain.com
2025-09-18 23:13:55.687 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "POST /api/v1/auths/ldap HTTP/1.1" 200
2025-09-18 23:13:55.714 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/config HTTP/1.1" 200
2025-09-18 23:13:55.714 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/config HTTP/1.1" 200
2025-09-18 23:13:55.834 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/changelog HTTP/1.1" 200
2025-09-18 23:13:55.846 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/archived?page=1&order_by=updated_at&direction=desc HTTP/1.1" 200
2025-09-18 23:13:55.876 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/folders/ HTTP/1.1" 200
2025-09-18 23:13:55.877 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/?page=1 HTTP/1.1" 200
2025-09-18 23:13:55.894 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/channels/ HTTP/1.1" 200
2025-09-18 23:13:55.898 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/users/user/settings HTTP/1.1" 200
2025-09-18 23:13:55.927 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/all/tags HTTP/1.1" 200
2025-09-18 23:13:55.939 | INFO | open_webui.routers.ollama:get_all_models:348 - get_all_models()
@dmessano commented on GitHub (Sep 19, 2025):
@MDKAOD
Looking at your picture you have a typo for the Attribute for Username
You have
saAMAccountNameinstead ofsAMAccountName, notice the extraa.More tips for poeple having this issue
You are only using the username when you try to login, no domain or @?
Yes:
myuser
No:
domain\myuser
myuser@domain
finally, if the account doesn't have an email address in the LDAP server you will get
LDAP authentication error: 400: User does not have a valid email address@MDKAOD commented on GitHub (Sep 19, 2025):
..Well then. I guess when you're close to an issue and having a tough time, it's easy to overlook a typo. Remember the days where you could drop a semi-colon in 10,000 lines of code and nothing worked? sigh
This was the other tip that I needed. I had tried with and without @domain.top but having confirmation on the specific requirement is super helpful. I assumed it would run the check against mail OR username.
Thank you @dmessano you nailed my issue.
@dmessano commented on GitHub (Sep 19, 2025):
@MDKAOD - good to hear you got it working, and the small things always get us.
If you want to use email only for login then swap
sAMAccountNamewithuserPrincipalName(tested on v0.6.30)Want to use both? I couldn't find a way, but I did find that I had an incorrect setting on my picture.
I had
mailset forAttribute for Mail. Set it touserPrincipalNameand you will no longer need to add an email to their profile for logins to work.