[GH-ISSUE #7063] issue: LDAP Not Working With Active Directory #85329

Closed
opened 2026-05-15 09:59:51 -05:00 by GiteaMirror · 55 comments
Owner

Originally created by @stondino00 on GitHub (Nov 20, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/7063

Originally assigned to: @jackthgu on GitHub.

Trying to test the new feature of LDAP against our active directory. We are using the same settings other Linux servers are using to bind to our ldap and open-webui is not working.

Are there any examples of the testing done that can be shown that work? How do I get a debug log from docker about this ldap communication with our active directory?

Originally created by @stondino00 on GitHub (Nov 20, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/7063 Originally assigned to: @jackthgu on GitHub. Trying to test the new feature of LDAP against our active directory. We are using the same settings other Linux servers are using to bind to our ldap and open-webui is not working. Are there any examples of the testing done that can be shown that work? How do I get a debug log from docker about this ldap communication with our active directory?
Author
Owner

@tjbck commented on GitHub (Nov 20, 2024):

@morgan55555 @WilsonZiweiWang

<!-- gh-comment-id:2487248216 --> @tjbck commented on GitHub (Nov 20, 2024): @morgan55555 @WilsonZiweiWang
Author
Owner

@stondino00 commented on GitHub (Nov 20, 2024):

Keep getting this with tls disabled on ports 389 and 3268 non tls ports.

image

image

When I do this command it shows this at the bottom each time I try and login with an ldap credential.

My domain controller does show ldap attempts from the IP of the open-webui server so it appears to be reaching out but is not successful.

image

sudo docker logs

<!-- gh-comment-id:2487252941 --> @stondino00 commented on GitHub (Nov 20, 2024): Keep getting this with tls disabled on ports 389 and 3268 non tls ports. ![image](https://github.com/user-attachments/assets/06484090-5781-4794-9378-55394ada58b7) ![image](https://github.com/user-attachments/assets/8b2c3d22-ee88-4d78-a8a8-7b26cbba75df) When I do this command it shows this at the bottom each time I try and login with an ldap credential. My domain controller does show ldap attempts from the IP of the open-webui server so it appears to be reaching out but is not successful. ![image](https://github.com/user-attachments/assets/a1ca0835-8c5f-45c3-89c2-6f45e7c82772) sudo docker logs
Author
Owner

@zsy5172 commented on GitHub (Nov 20, 2024):

@stondino00 In Active Directory, the attribute for username should be sAMAccountName, my configuration works fine.

@tjbck Could you consider adding a "test" button in the LDAP settings? This way, users can know if the configuration is correct.

and. print result in HTTPException detail will be better.

02e94c8264/backend/open_webui/apps/webui/routers/auths.py (L210-L211)

Change to

 if not connection_app.bind(): 
     raise HTTPException(400, detail=f"Application account bind failed, result:{connection_app.result}, last error:{connection_app.last_error}") 

if connection fail, it will show something like

Bind failed: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Last error: invalidCredentials
<!-- gh-comment-id:2487706614 --> @zsy5172 commented on GitHub (Nov 20, 2024): @stondino00 In Active Directory, the attribute for username should be sAMAccountName, my configuration works fine. @tjbck Could you consider adding a "test" button in the LDAP settings? This way, users can know if the configuration is correct. and. print result in HTTPException detail will be better. > https://github.com/open-webui/open-webui/blob/02e94c826440162e381cad382d3ac1b0eb2b3d73/backend/open_webui/apps/webui/routers/auths.py#L210-L211 Change to ```python if not connection_app.bind(): raise HTTPException(400, detail=f"Application account bind failed, result:{connection_app.result}, last error:{connection_app.last_error}") ``` if connection fail, it will show something like ```txt Bind failed: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'} Last error: invalidCredentials ```
Author
Owner

@fq393 commented on GitHub (Nov 20, 2024):

image
Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email

<!-- gh-comment-id:2487899177 --> @fq393 commented on GitHub (Nov 20, 2024): ![image](https://github.com/user-attachments/assets/d0c2bd7a-2dd2-4859-aeb1-c8c62433484d) Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email
Author
Owner

@stondino00 commented on GitHub (Nov 20, 2024):

Still no luck. Where would one put the public certificate if trying over tls ports?

image

Get Invalid CA Public Key File with the above config.

<!-- gh-comment-id:2488639556 --> @stondino00 commented on GitHub (Nov 20, 2024): Still no luck. Where would one put the public certificate if trying over tls ports? ![image](https://github.com/user-attachments/assets/7278370b-6e80-4bcc-830f-d6f724035f0a) Get Invalid CA Public Key File with the above config.
Author
Owner

@zsy5172 commented on GitHub (Nov 20, 2024):

try without tls first, then use tls if success. seems your cert path is wrong, it should be the path inside container.

<!-- gh-comment-id:2488671824 --> @zsy5172 commented on GitHub (Nov 20, 2024): try without tls first, then use tls if success. seems your cert path is wrong, it should be the path inside container.
Author
Owner

@tjbck commented on GitHub (Nov 20, 2024):

@zsy5172 PR welcome!

<!-- gh-comment-id:2488701548 --> @tjbck commented on GitHub (Nov 20, 2024): @zsy5172 PR welcome!
Author
Owner

@stondino00 commented on GitHub (Nov 20, 2024):

Can an option be made in the ldap config to check a box to disable tls/ssl verification of the certificate? We use self signed domain certs in our active directory and it doesn't appear the ldap in open-webui likes self signed even when the public cert is supplied.

<!-- gh-comment-id:2489056065 --> @stondino00 commented on GitHub (Nov 20, 2024): Can an option be made in the ldap config to check a box to disable tls/ssl verification of the certificate? We use self signed domain certs in our active directory and it doesn't appear the ldap in open-webui likes self signed even when the public cert is supplied.
Author
Owner

@stondino00 commented on GitHub (Nov 20, 2024):

Ok I think I figured this out on my end by getting it the right certificate it was needing.

I did have to send the certificate to the container for it to see it. How do we do this with the container updating with newer versions of open-webui?

Could a paste certificate be added to the ldap section so it's kept in the database and will survive container updates?

<!-- gh-comment-id:2489313876 --> @stondino00 commented on GitHub (Nov 20, 2024): Ok I think I figured this out on my end by getting it the right certificate it was needing. I did have to send the certificate to the container for it to see it. How do we do this with the container updating with newer versions of open-webui? Could a paste certificate be added to the ldap section so it's kept in the database and will survive container updates?
Author
Owner

@zsy5172 commented on GitHub (Nov 21, 2024):

Ok I think I figured this out on my end by getting it the right certificate it was needing.

I did have to send the certificate to the container for it to see it. How do we do this with the container updating with newer versions of open-webui?

Could a paste certificate be added to the ldap section so it's kept in the database and will survive container updates?

if you already use docker, you can make -v open-webui:/app/backend/data useful. put your certificate in volume open-webui and point the path to /app/backend/data/your_certificate in your ldap configuration

<!-- gh-comment-id:2489862128 --> @zsy5172 commented on GitHub (Nov 21, 2024): > Ok I think I figured this out on my end by getting it the right certificate it was needing. > > > > I did have to send the certificate to the container for it to see it. How do we do this with the container updating with newer versions of open-webui? > > > > Could a paste certificate be added to the ldap section so it's kept in the database and will survive container updates? if you already use docker, you can make `-v open-webui:/app/backend/data` useful. put your certificate in volume `open-webui` and point the path to `/app/backend/data/your_certificate` in your ldap configuration
Author
Owner

@WilsonZiweiWang commented on GitHub (Nov 21, 2024):

Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email

@vanche1212 The main purpose of getting this attribute is to create the WebUI user. Could you be more specific about the issue you are having?

<!-- gh-comment-id:2489975516 --> @WilsonZiweiWang commented on GitHub (Nov 21, 2024): > Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email @vanche1212 The main purpose of getting this attribute is to create the WebUI user. Could you be more specific about the issue you are having?
Author
Owner

@morgan55555 commented on GitHub (Nov 21, 2024):

Can be related to https://github.com/open-webui/open-webui/pull/7162

<!-- gh-comment-id:2491157639 --> @morgan55555 commented on GitHub (Nov 21, 2024): Can be related to https://github.com/open-webui/open-webui/pull/7162
Author
Owner

@adamoutler commented on GitHub (Nov 27, 2024):

image Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email

Please make everything configurable. These default values will not work for all situations for example my search filter is:
(&(objectClass=Person)(memberOf=CN=my-users,OU=Groups,DC=domain,DC=ad,DC=mycompany,DC=com)(|(sAMAccountName=%s)(companyEmailAlias=%s)))
Which would allow the user in a specific group to login with the email or username they're familiar with. the mail attribute is something the user may have never seen before. I can't seem to get my config working for login.

<!-- gh-comment-id:2504471092 --> @adamoutler commented on GitHub (Nov 27, 2024): > ![image](https://private-user-images.githubusercontent.com/19466281/388012082-d0c2bd7a-2dd2-4859-aeb1-c8c62433484d.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzI3Mjk3NzAsIm5iZiI6MTczMjcyOTQ3MCwicGF0aCI6Ii8xOTQ2NjI4MS8zODgwMTIwODItZDBjMmJkN2EtMmRkMi00ODU5LWFlYjEtYzhjNjI0MzM0ODRkLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDExMjclMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMTI3VDE3NDQzMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWFiNjlhNmVhYzMwNWRjMDBkOWU0YTRiMTRhZDdkMjFmMGYwNzAwMjI2YWIyNGM5ZTE4MTdjNzNhZDgzNWVkMDMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.83NYwpie-kiKLaPq3T3dDLufRbKgagaY2HaBWFPZ8B8) Can this field of ldap not be written dead? The name of the ldap service deployed by oneself may be email Please make everything configurable. These default values will not work for all situations for example my search filter is: `(&(objectClass=Person)(memberOf=CN=my-users,OU=Groups,DC=domain,DC=ad,DC=mycompany,DC=com)(|(sAMAccountName=%s)(companyEmailAlias=%s)))` Which would allow the user in a specific group to login with the email or username they're familiar with. the mail attribute is something the user may have never seen before. I can't seem to get my config working for login.
Author
Owner

@WilsonZiweiWang commented on GitHub (Nov 28, 2024):

the mail attribute is something the user may have never seen before

WebUI will need the email to create the user in the current workflow. Where does that come from in your case?

<!-- gh-comment-id:2505141150 --> @WilsonZiweiWang commented on GitHub (Nov 28, 2024): > the mail attribute is something the user may have never seen before WebUI will need the email to create the user in the current workflow. Where does that come from in your case?
Author
Owner

@adamoutler commented on GitHub (Nov 28, 2024):

CompanyEmailAlias property. Not this name directly, but as an approximation. It should be customizable.

There's still some stuff to do to make this universal. Usually with ldap setups you'd want to customize the container which may be uid or cn which is the identifier of the account. There should be a unique property as well to account for account deletions followed by a new user creation with username reuse. The user may login with email property or username property depending on preference. The email may be something different than expected. The profile picture may be different per-configuration. The filter should be able to override the login username as well.

<!-- gh-comment-id:2505210460 --> @adamoutler commented on GitHub (Nov 28, 2024): CompanyEmailAlias property. Not this name directly, but as an approximation. It should be customizable. There's still some stuff to do to make this universal. Usually with ldap setups you'd want to customize the container which may be uid or cn which is the identifier of the account. There should be a unique property as well to account for account deletions followed by a new user creation with username reuse. The user may login with email property or username property depending on preference. The email may be something different than expected. The profile picture may be different per-configuration. The filter should be able to override the login username as well.
Author
Owner

@smccreadie1 commented on GitHub (Dec 2, 2024):

Hello, I am trying out the new LDAP feature. I am excited to use this as it will make this manageable in our environment.
I am running into the issue ( I think) of the LDAP implementation not trusting our internal CA TLS certs. The error message says "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak"
I am thinking this is because it doesnt like the internal CA authority, as the cert appears to be SHA256RSA
Any help is appreciated. Thanks

<!-- gh-comment-id:2510551710 --> @smccreadie1 commented on GitHub (Dec 2, 2024): Hello, I am trying out the new LDAP feature. I am excited to use this as it will make this manageable in our environment. I am running into the issue ( I think) of the LDAP implementation not trusting our internal CA TLS certs. The error message says "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak" I am thinking this is because it doesnt like the internal CA authority, as the cert appears to be SHA256RSA Any help is appreciated. Thanks
Author
Owner

@smccreadie1 commented on GitHub (Dec 2, 2024):

Hello, I am trying out the new LDAP feature. I am excited to use this as it will make this manageable in our environment. I am running into the issue ( I think) of the LDAP implementation not trusting our internal CA TLS certs. The error message says "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak" I am thinking this is because it doesnt like the internal CA authority, as the cert appears to be SHA256RSA Any help is appreciated. Thanks

I see my Domain Controller certs are using a key size of 1024 bits, maybe that is the issue here? If so, does anyone know the minimum key size that the LDAP module requires? Thanks

<!-- gh-comment-id:2510779067 --> @smccreadie1 commented on GitHub (Dec 2, 2024): > Hello, I am trying out the new LDAP feature. I am excited to use this as it will make this manageable in our environment. I am running into the issue ( I think) of the LDAP implementation not trusting our internal CA TLS certs. The error message says "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak" I am thinking this is because it doesnt like the internal CA authority, as the cert appears to be SHA256RSA Any help is appreciated. Thanks I see my Domain Controller certs are using a key size of 1024 bits, maybe that is the issue here? If so, does anyone know the minimum key size that the LDAP module requires? Thanks
Author
Owner

@robby-d commented on GitHub (Jan 28, 2025):

Trying to log in with my Samba-based active directory DC. I supply the public key chain for the AD server, but when connecting to port 389, still get:

socket ssl wrapping error: [Errno 104] Connection reset by peer

The system supports starttls on port 389 fine, but not straight SSL. Is the "TLS" option actually trying to connect via SSL?
I also try turning off the "TLS" option, but then I get the error:

400: Application account bind failed

The bind account specified is tested and working elsewhere. I've turned up logging to DEBUG and nothing useful. In the docker container I just see:

"POST /api/v1/auths/ldap HTTP/1.1" 400 Bad Request
<!-- gh-comment-id:2617626695 --> @robby-d commented on GitHub (Jan 28, 2025): Trying to log in with my Samba-based active directory DC. I supply the public key chain for the AD server, but when connecting to port 389, still get: ``` socket ssl wrapping error: [Errno 104] Connection reset by peer ``` The system supports starttls on port 389 fine, but not straight SSL. Is the "TLS" option actually trying to connect via SSL? I also try turning off the "TLS" option, but then I get the error: ``` 400: Application account bind failed ``` The bind account specified is tested and working elsewhere. I've turned up logging to DEBUG and nothing useful. In the docker container I just see: ``` "POST /api/v1/auths/ldap HTTP/1.1" 400 Bad Request ```
Author
Owner

@Vinc89 commented on GitHub (Jan 30, 2025):

Hi, I have a bit different error when using TLS for LDAP. I'm using a full chain cert signed by a trusted authority.
socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1006)

<!-- gh-comment-id:2624736169 --> @Vinc89 commented on GitHub (Jan 30, 2025): Hi, I have a bit different error when using TLS for LDAP. I'm using a full chain cert signed by a trusted authority. socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1006)
Author
Owner

@LeeVinBin commented on GitHub (Feb 3, 2025):

Open-WebUI v0.5.7
This works !!!

Host: 192.168.1.1
Port: 389
Application DN:cn=ldapauth,cn=users,dc=test,dc=com
Application DN Password: ldapauth user password
Attribute for Username: sAMAccountName (modify)
Search Base: dc=test,dc=com
Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com))
TLS: Disable

Add AD users to the openwebui group

<!-- gh-comment-id:2630336594 --> @LeeVinBin commented on GitHub (Feb 3, 2025): Open-WebUI v0.5.7 This works !!! Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName **(modify)** Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable Add AD users to the openwebui group
Author
Owner

@Vasyl-svy commented on GitHub (Feb 4, 2025):

We use the same configuration for LDAP without TLS, but get the error - "the application account bind failed". How it fix or check connection?

<!-- gh-comment-id:2633699716 --> @Vasyl-svy commented on GitHub (Feb 4, 2025): We use the same configuration for LDAP without TLS, but get the error - "the application account bind failed". How it fix or check connection?
Author
Owner

@adamoutler commented on GitHub (Feb 4, 2025):

Check your Bind Account Credentials @Vasyl-svy

<!-- gh-comment-id:2633708664 --> @adamoutler commented on GitHub (Feb 4, 2025): Check your Bind Account Credentials @Vasyl-svy
Author
Owner

@Vasyl-svy commented on GitHub (Feb 4, 2025):

thanks for quick response, the credentials is good, because used in another config. So, if you use .env file this configuration of LDAP we add to this file or type via gui in admin of OpenWebUI

<!-- gh-comment-id:2633729905 --> @Vasyl-svy commented on GitHub (Feb 4, 2025): thanks for quick response, the credentials is good, because used in another config. So, if you use .env file this configuration of LDAP we add to this file or type via gui in admin of OpenWebUI
Author
Owner

@lwdnxu commented on GitHub (Feb 7, 2025):

@adamoutler hello,When I log in with LDAP, I get an error: list index out of range, regardless of whether my password is correct or not. However, when I search with ldapsearch, I can find it. Please!

<!-- gh-comment-id:2642118045 --> @lwdnxu commented on GitHub (Feb 7, 2025): @adamoutler hello,When I log in with LDAP, I get an error: list index out of range, regardless of whether my password is correct or not. However, when I search with ldapsearch, I can find it. Please!
Author
Owner

@0x9394 commented on GitHub (Feb 13, 2025):

@lwdnxu check if the user id is in the member group or not. (follow LeeVinBin's example)

<!-- gh-comment-id:2655669633 --> @0x9394 commented on GitHub (Feb 13, 2025): @lwdnxu check if the user id is in the member group or not. (follow `LeeVinBin`'s example)
Author
Owner

@Gum97 commented on GitHub (Feb 19, 2025):

Open-WebUI v0.5.7 This works !!!

Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable

Add AD users to the openwebui group

Open-WebUI v0.5.14 Not works
(latest)

Host: 192.168.1.1
Port: 389
Application DN:cn=ldapauth,cn=users,dc=test,dc=com
Application DN Password: ldapauth user password
Attribute for Mail: mail
Attribute for Username: sAMAccountName (modify)
Search Base: dc=test,dc=com
Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com))
TLS: Disable

<!-- gh-comment-id:2668263601 --> @Gum97 commented on GitHub (Feb 19, 2025): > Open-WebUI v0.5.7 This works !!! > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName **(modify)** Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable > > Add AD users to the openwebui group Open-WebUI v0.5.14 Not works [(latest)](https://github.com/open-webui/open-webui/releases/tag/v0.5.14) Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable
Author
Owner

@LeeVinBin commented on GitHub (Feb 20, 2025):

Open-WebUI v0.5.7 This works !!!
Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable
Add AD users to the openwebui group

Open-WebUI v0.5.14 Not works (latest)

Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable

I verified it works !!!

Image
<!-- gh-comment-id:2670255676 --> @LeeVinBin commented on GitHub (Feb 20, 2025): > > Open-WebUI v0.5.7 This works !!! > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName **(modify)** Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable > > Add AD users to the openwebui group > > Open-WebUI v0.5.14 Not works [(latest)](https://github.com/open-webui/open-webui/releases/tag/v0.5.14) > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable I verified it works !!! <img width="394" alt="Image" src="https://github.com/user-attachments/assets/58ac8f84-e3aa-4824-8b63-fada460a9484" />
Author
Owner

@waterdrops commented on GitHub (Feb 20, 2025):

Open-WebUI v0.5.7 This works !!!
Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable
Add AD users to the openwebui group

Open-WebUI v0.5.14 Not works (latest)

Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable

Same here, It works well with version 0.5.14 of Open-WebUI.

@stondino00 Check all configurable settings, with special attention to the Search Filters section, and adjust the content based on your specific situation.

<!-- gh-comment-id:2670422882 --> @waterdrops commented on GitHub (Feb 20, 2025): > > Open-WebUI v0.5.7 This works !!! > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName **(modify)** Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable > > Add AD users to the openwebui group > > Open-WebUI v0.5.14 Not works [(latest)](https://github.com/open-webui/open-webui/releases/tag/v0.5.14) > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable Same here, It works well with version 0.5.14 of Open-WebUI. @stondino00 Check all configurable settings, with special attention to the `Search Filters` section, and adjust the content based on your specific situation.
Author
Owner

@bilalwaheedch commented on GitHub (Feb 23, 2025):

I can confirm it does indeed work, however I am unable to get the nested groups working. Ideas anyone?

<!-- gh-comment-id:2677015295 --> @bilalwaheedch commented on GitHub (Feb 23, 2025): I can confirm it does indeed work, however I am unable to get the nested groups working. Ideas anyone?
Author
Owner

@dont-touchme commented on GitHub (Mar 5, 2025):

Open-WebUI v0.5.7 This works !!!
Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable
Add AD users to the openwebui group

Open-WebUI v0.5.14 Not works (latest)
Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable

I verified it works !!!

Image

你好,按照你的设置方式,我登录时提示:400: Application account bind failed
我使用Microsoft AD,不知道你是否也是一样的环境?请教,谢谢!

<!-- gh-comment-id:2700618222 --> @dont-touchme commented on GitHub (Mar 5, 2025): > > > Open-WebUI v0.5.7 This works !!! > > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Username: sAMAccountName **(modify)** Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable > > > Add AD users to the openwebui group > > > > > > Open-WebUI v0.5.14 Not works [(latest)](https://github.com/open-webui/open-webui/releases/tag/v0.5.14) > > Host: 192.168.1.1 Port: 389 Application DN:cn=ldapauth,cn=users,dc=test,dc=com Application DN Password: ldapauth user password Attribute for Mail: mail Attribute for Username: sAMAccountName (modify) Search Base: dc=test,dc=com Search Filters: (&(objectClass=user)(memberOf=cn=openwebui,cn=users,dc=test,dc=com)) TLS: Disable > > I verified it works !!! > > <img alt="Image" width="394" src="https://private-user-images.githubusercontent.com/43717020/414985978-58ac8f84-e3aa-4824-8b63-fada460a9484.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDEwOTI4NTQsIm5iZiI6MTc0MTA5MjU1NCwicGF0aCI6Ii80MzcxNzAyMC80MTQ5ODU5NzgtNThhYzhmODQtZTNhYS00ODI0LThiNjMtZmFkYTQ2MGE5NDg0LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTAzMDQlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwMzA0VDEyNDkxNFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWNjMDM3NzcyYTkzOGVlNjkwYjQyMTJkMTBhZDZmMDI0ODU1NTg5YTc4Mzk2NzVhMmFkN2JlMjhhYzE0YzRhNWYmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.str3_UrJ-TwF7YhauWXm045dgpHQz17H101HFa_LJTI"> 你好,按照你的设置方式,我登录时提示:400: Application account bind failed 我使用Microsoft AD,不知道你是否也是一样的环境?请教,谢谢!
Author
Owner

@bbotte commented on GitHub (Mar 12, 2025):

Image

windows AD config, it is work well

<!-- gh-comment-id:2716932685 --> @bbotte commented on GitHub (Mar 12, 2025): ![Image](https://github.com/user-attachments/assets/80d55c96-cd5d-4a81-a570-4e9a37954d28) windows AD config, it is work well
Author
Owner

@adamoutler commented on GitHub (Mar 12, 2025):

My home Active Directory config, without TLS, in Docker Compose format.

Image

<!-- gh-comment-id:2717031270 --> @adamoutler commented on GitHub (Mar 12, 2025): My home Active Directory config, without TLS, in Docker Compose format. ![Image](https://github.com/user-attachments/assets/77cf35f2-498e-4ff9-90e4-a04ca4287dcf)
Author
Owner

@adamoutler commented on GitHub (Mar 12, 2025):

Does anyone know how to allow both email and username for login? Eg.

(&(mail=%s)(sAMAccountName=%s))

Seems appropriate as the rest of Open WebUI uses email, but usually AD requires username, so why not both?

<!-- gh-comment-id:2717040766 --> @adamoutler commented on GitHub (Mar 12, 2025): Does anyone know how to allow both email and username for login? Eg. ``` (&(mail=%s)(sAMAccountName=%s)) ``` Seems appropriate as the rest of Open WebUI uses email, but usually AD requires username, so why not both?
Author
Owner

@dont-touchme commented on GitHub (Mar 19, 2025):

Image

windows AD config, it is work well

Is ldapauth the username with administrative privileges? Does the DN password correspond to the password of the ldapauth username?Thank you.

<!-- gh-comment-id:2736017690 --> @dont-touchme commented on GitHub (Mar 19, 2025): > ![Image](https://github.com/user-attachments/assets/80d55c96-cd5d-4a81-a570-4e9a37954d28) > > windows AD config, it is work well Is ldapauth the username with administrative privileges? Does the DN password correspond to the password of the ldapauth username?Thank you.
Author
Owner

@adamoutler commented on GitHub (Mar 19, 2025):

Is ldapauth the username with administrative privileges? Does the DN password correspond to the password of the ldapauth username?Thank you.

It's the bind user and pass. It's def not the admin. Usually bind has no groups or just enough permissions to perform the task of looking up a username. You create an account just for binding between your app and AD/LDAP. Someone chose very weird names. I think it was someone who knows OAUTH but was kinda unfamiliar with AD

  • LDAP = Connection Name
  • LDAP server = Host
  • Application DN = Bind DN
  • Application Password = Bind Password
  • Search Base = User Search Base
  • Search Filters = User Filter (without %s or $user)
<!-- gh-comment-id:2736272876 --> @adamoutler commented on GitHub (Mar 19, 2025): > Is ldapauth the username with administrative privileges? Does the DN password correspond to the password of the ldapauth username?Thank you. It's the bind user and pass. It's def not the admin. Usually bind has no groups or just enough permissions to perform the task of looking up a username. You create an account just for binding between your app and AD/LDAP. Someone chose very weird names. I think it was someone who knows OAUTH but was kinda unfamiliar with AD * LDAP = Connection Name * LDAP server = Host * Application DN = Bind DN * Application Password = Bind Password * Search Base = User Search Base * Search Filters = User Filter (without %s or $user)
Author
Owner

@EJansenMSFT commented on GitHub (Apr 4, 2025):

Has anyone got TLS working? I configured LDAP to work with the Active Directory domain in my lab just fine, but it's doing SIMPLE binds, and the passwords are sent in clear text which obviously most people wouldn't want. In my lab I just issued client / server auth certs to the DCs for testing purposes, and I exported a .p7b file with the Root/Sub CA certs in it. I assume, I'd put the .p7b (if that's even supported?) somewhere in the volume on the container and point to the .p7b where it says 'Enter Certificate Path'?

What I did so far that didn't work is I copied the Root CA and SubCA certs to the following path:

docker cp C:\temp\ROOTCA-CA.cer open-webui-doclib:/app/backend/data
docker cp C:\temp\SubCA-CA.cer open-webui-doclib:/app/backend/data

docker exec -it open-webui-doclib bash
update-ca-certificates

Then went into the Admin Settings within OpenWebUI, enabled TLS pointing to:

/app/backend/data/SubCA-CA.cer

changed the port to 636, saved the config, logged off, and then tried to log on with a test user, while running Wireshark on the DC.

I see a Client Hello sent to the DC using TLSv1 over port 636, but the DC didn't respond with a Server Hello and it just failed with the following error:

Image

Also, the LDAP Server that I defined in Admin Settings uses the FQDN of the server, and the cert has the FDQN defined in the SAN on the cert. The Cert has the Server Authentication and Client Authentication EKUs, it chains, and it has the private key.

Any ideas would be much appreciated.

Well, I found one of my issues... The FQDN of the server in the SAN was missing a .

For anyone else trying to do this, also keep these considerations in mind when generating your cert request:

Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Learn
[Solved] ID 1220 LDAPS 8009030e No credentials are available in the security package
Troubleshooting LDAP Over SSL | Microsoft Community Hub

At least the Server is sending a Server Hello now, but it's still failing from OpenWebUI. The Wireshark trace on the DC shows the following:

Image

and on the OpenWebUI end, it shows the following:

Image

Getting closer..

UPDATE - The Next Day:

Since then, I read that Linux ( I don't know Linux very well at all. ) doesn't like the .cer format for certificates, so I changed them to .crt. The certs are Base64 Encoded btw. I also put them in the /usr/local/share/ca-certificates directory and then reran the following:

docker exec -it open-webui-doclib bash
update-ca-certificates

Still getting the same error, so I figured I'd try a dev build based on @rgaricano suggestion.

After updating to the Dev build, I recopied my CA certs to the usr/local/share/ca-certificates directory and ran update-ca-certificates as I did before. This time, however, I went back into Admin Settings and cleared out the TLS Certificate path, leaving it blank. After doing that, logging off, and attempting to log back in with my test user, while doing a Wireshark trace on the DC, everything worked!

<!-- gh-comment-id:2777385828 --> @EJansenMSFT commented on GitHub (Apr 4, 2025): Has anyone got TLS working? I configured LDAP to work with the Active Directory domain in my lab just fine, but it's doing SIMPLE binds, and the passwords are sent in clear text which obviously most people wouldn't want. In my lab I just issued client / server auth certs to the DCs for testing purposes, and I exported a .p7b file with the Root/Sub CA certs in it. I assume, I'd put the .p7b (if that's even supported?) somewhere in the volume on the container and point to the .p7b where it says 'Enter Certificate Path'? What I did so far that didn't work is I copied the Root CA and SubCA certs to the following path: docker cp C:\temp\ROOTCA-CA.cer open-webui-doclib:/app/backend/data docker cp C:\temp\SubCA-CA.cer open-webui-doclib:/app/backend/data docker exec -it open-webui-doclib bash update-ca-certificates Then went into the Admin Settings within OpenWebUI, enabled TLS pointing to: /app/backend/data/SubCA-CA.cer changed the port to 636, saved the config, logged off, and then tried to log on with a test user, while running Wireshark on the DC. I see a Client Hello sent to the DC using TLSv1 over port 636, but the DC didn't respond with a Server Hello and it just failed with the following error: ![Image](https://github.com/user-attachments/assets/eda92c20-e51d-4867-9248-91c2b5014eea) Also, the LDAP Server that I defined in Admin Settings uses the FQDN of the server, and the cert has the FDQN defined in the SAN on the cert. The Cert has the Server Authentication and Client Authentication EKUs, it chains, and it has the private key. Any ideas would be much appreciated. Well, I found one of my issues... The FQDN of the server in the SAN was missing a . For anyone else trying to do this, also keep these considerations in mind when generating your cert request: [Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Learn](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority) [[Solved] ID 1220 LDAPS 8009030e No credentials are available in the security package](https://itluke.online/2017/09/08/solved-id-1220-ldaps-8009030e-no-credentials-are-available-in-the-security-package/) [Troubleshooting LDAP Over SSL | Microsoft Community Hub](https://techcommunity.microsoft.com/blog/askds/troubleshooting-ldap-over-ssl/395096) At least the Server is sending a Server Hello now, but it's still failing from OpenWebUI. The Wireshark trace on the DC shows the following: ![Image](https://github.com/user-attachments/assets/a82d9fb7-1612-4ee7-a782-6c8b8967b3ff) and on the OpenWebUI end, it shows the following: ![Image](https://github.com/user-attachments/assets/9efafb7a-1661-4f57-84b4-4c154cc3ca05) Getting closer.. **UPDATE** - The Next Day: Since then, I read that Linux ( I don't know Linux very well at all. ) doesn't like the .cer format for certificates, so I changed them to .crt. The certs are Base64 Encoded btw. I also put them in the /usr/local/share/ca-certificates directory and then reran the following: docker exec -it open-webui-doclib bash update-ca-certificates Still getting the same error, so I figured I'd try a dev build based on @rgaricano suggestion. After updating to the Dev build, I recopied my CA certs to the usr/local/share/ca-certificates directory and ran update-ca-certificates as I did before. This time, however, I went back into Admin Settings and cleared out the TLS Certificate path, leaving it blank. After doing that, logging off, and attempting to log back in with my test user, while doing a Wireshark trace on the DC, everything worked!
Author
Owner

@rgaricano commented on GitHub (Apr 4, 2025):

maybe this help you, there are a referenced fix on thread: https://github.com/open-webui/open-webui/issues/12408#issuecomment-2777838379

<!-- gh-comment-id:2778238211 --> @rgaricano commented on GitHub (Apr 4, 2025): maybe this help you, there are a referenced fix on thread: https://github.com/open-webui/open-webui/issues/12408#issuecomment-2777838379
Author
Owner

@EJansenMSFT commented on GitHub (Apr 4, 2025):

maybe this help you, there are a referenced fix on thread: #12408 (comment)

Updated to the Dev image, cleared the cert path, and that did the trick, thanks! I've also updated what I did in my original post to hopefully help someone else out.

<!-- gh-comment-id:2779291091 --> @EJansenMSFT commented on GitHub (Apr 4, 2025): > maybe this help you, there are a referenced fix on thread: [#12408 (comment)](https://github.com/open-webui/open-webui/issues/12408#issuecomment-2777838379) Updated to the Dev image, cleared the cert path, and that did the trick, thanks! I've also updated what I did in my original post to hopefully help someone else out.
Author
Owner

@rgaricano commented on GitHub (Apr 4, 2025):

(linux like .cer as .crt, it doesn't matter the name or ext, just if it's a valid cert file content)

<!-- gh-comment-id:2779335283 --> @rgaricano commented on GitHub (Apr 4, 2025): (linux like .cer as .crt, it doesn't matter the name or ext, just if it's a valid cert file content)
Author
Owner

@EJansenMSFT commented on GitHub (Apr 4, 2025):

Now I just need to figure out how to do SmartCard integration. From what I'm seeing, that's not natively supported with OpenWebUI. Any idea if there are plans to do so?

<!-- gh-comment-id:2779408493 --> @EJansenMSFT commented on GitHub (Apr 4, 2025): Now I just need to figure out how to do SmartCard integration. From what I'm seeing, that's not natively supported with OpenWebUI. Any idea if there are plans to do so?
Author
Owner

@mahasems commented on GitHub (Apr 10, 2025):

On v0.6.2 the Search Filter function seems broken.

If trying something like:
(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))
The real request according to tcpdump is:
(&(samaccountname=bill.gates)(&(objectClass=user)(|(samaccountname=%s)(userprincipalname=%s))))

However correct would be:
(&(objectClass=user)(|(sAMAccountName=bill.gates)(userPrincipalName=bill.gates)))

Only solution I found is leavint Search Filters empty...

<!-- gh-comment-id:2792276847 --> @mahasems commented on GitHub (Apr 10, 2025): On v0.6.2 the Search Filter function seems broken. If trying something like: (&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s))) The real request according to tcpdump is: (&(samaccountname=bill.gates)(&(objectClass=user)(|(samaccountname=%s)(userprincipalname=%s)))) However correct would be: (&(objectClass=user)(|(sAMAccountName=bill.gates)(userPrincipalName=bill.gates))) Only solution I found is leavint Search Filters empty...
Author
Owner

@adamoutler commented on GitHub (Apr 10, 2025):

If trying something like: (&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))

@mahasems %s is not supported.

<!-- gh-comment-id:2792394459 --> @adamoutler commented on GitHub (Apr 10, 2025): > If trying something like: (&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s))) @mahasems `%s` is not supported.
Author
Owner

@mahasems commented on GitHub (Apr 10, 2025):

Good to know. So the sample is missleading:

Image

<!-- gh-comment-id:2792492394 --> @mahasems commented on GitHub (Apr 10, 2025): Good to know. So the sample is missleading: ![Image](https://github.com/user-attachments/assets/927b83f8-de20-43d6-8276-7bb77b3a75a0)
Author
Owner

@adamoutler commented on GitHub (Apr 10, 2025):

@mahasems yeah. Otherwise i'd have (&(objectClass=user)(|(mail=%s)(samaccountname=%s))(memberOf=cn=ai...)) to allow both user and email login.

<!-- gh-comment-id:2793035415 --> @adamoutler commented on GitHub (Apr 10, 2025): @mahasems yeah. Otherwise i'd have `(&(objectClass=user)(|(mail=%s)(samaccountname=%s))(memberOf=cn=ai...))` to allow both user and email login.
Author
Owner

@chAyubTahir commented on GitHub (Apr 29, 2025):

@tjbck I am having a problem with setting up LDAP in OpenWebUI.
I also bought your sponsorship. Could you please help? Thanks

<!-- gh-comment-id:2839424566 --> @chAyubTahir commented on GitHub (Apr 29, 2025): @tjbck I am having a problem with setting up LDAP in OpenWebUI. I also bought your sponsorship. Could you please help? Thanks
Author
Owner

@nasm0king commented on GitHub (May 29, 2025):

I am not sure if this is still an issue. I was able to resolve my issue with ldap with a added a ca cert. I am not using docker but have a standalone instance in linux. I had to change the port for ldap to 636 for ldaps on the open-webui portal. I tested with "openssl s_client -connect :636"

I also read the openwebui_access logs for auth issues. There was a cert issue afterwards that I resolved and rebooted my machine. I was able to auth in ldaps.

My Questions: (if needed to add a new thread I can)

I am trying to confirm where these settings are stored for non-docker installs and seems like it uses sqllite3 to contain that data. Can that be verified?

Also I am trying to have this authenticated with a specific security group, I am assuming that is the group that is specified in open-webui portal? Can you control permissions on those users as you would with a created user in open webui?

Also I see that this doesnt create a homedir for users that use ldap, does it still run the models that you add to ollama since they need be loaded in respective home dirs?

<!-- gh-comment-id:2919583182 --> @nasm0king commented on GitHub (May 29, 2025): I am not sure if this is still an issue. I was able to resolve my issue with ldap with a added a ca cert. I am not using docker but have a standalone instance in linux. I had to change the port for ldap to 636 for ldaps on the open-webui portal. I tested with "openssl s_client -connect <ldap-server-ip>:636" I also read the openwebui_access logs for auth issues. There was a cert issue afterwards that I resolved and rebooted my machine. I was able to auth in ldaps. My Questions: (if needed to add a new thread I can) I am trying to confirm where these settings are stored for non-docker installs and seems like it uses sqllite3 to contain that data. Can that be verified? Also I am trying to have this authenticated with a specific security group, I am assuming that is the group that is specified in open-webui portal? Can you control permissions on those users as you would with a created user in open webui? Also I see that this doesnt create a homedir for users that use ldap, does it still run the models that you add to ollama since they need be loaded in respective home dirs?
Author
Owner

@Fmstrat commented on GitHub (Aug 1, 2025):

So, I had LDAP working with AD (A Samba4 AD, but an AD nonetheless). I was running via docker:

ghcr.io/open-webui/open-webui@sha256:a070f41cdf1dae295992050a46bb80cecedb087ca73342729bba743ab09d5fcc # [target: latest] [tags: git-4269df0 latest main]

But then I updated to:

ghcr.io/open-webui/open-webui@sha256:24669393b06bc05b5193b26ae59483b6d53e8b47a5a74217053373cef5e1ae7d # [target: latest] [tags: git-b8da4a8 latest main]

And am now getting:

|aiweb-open-webui | 2025-08-01T16:36:22.148800292Z 2025-08-01 16:36:22.148 | INFO     | open_webui.routers.auths:ldap_auth:249 - LDAP search attributes: ['samaccountname', 'mail', 'cn'] - {}
|aiweb-open-webui | 2025-08-01T16:36:22.151870186Z 2025-08-01 16:36:22.151 | ERROR    | open_webui.routers.auths:ldap_auth:447 - LDAP authentication error: 400: User not found in the LDAP server - {}
|aiweb-open-webui | 2025-08-01T16:36:22.153234028Z 2025-08-01 16:36:22.152 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.3.99:0 - "POST /api/v1/auths/ldap HTTP/1.1" 400 - {}

However the user exists, and works fine in other services, and worked previously. In addition, despite getting the User not found error, I'm not seeing a connection on the Samba server at all.

EDIT
In my case, it turned out that the latest OpenWebUI doesn't like the classic AD style of samaccountname filter.

This no longer works:

(&(memberof=CN=AI,DC=corp,DC=domain,DC=com)(samaccountname=%s))

But thjis does:

(memberof=CN=AI,DC=corp,DC=domain,DC=com)

The samaccountname portion is handled in the UI outside of filters, but this filter has always worked in the past. So if you're using a filter built for another app, maybe take a look there.

<!-- gh-comment-id:3145156161 --> @Fmstrat commented on GitHub (Aug 1, 2025): So, I had LDAP working with AD (A Samba4 AD, but an AD nonetheless). I was running via docker: ``` ghcr.io/open-webui/open-webui@sha256:a070f41cdf1dae295992050a46bb80cecedb087ca73342729bba743ab09d5fcc # [target: latest] [tags: git-4269df0 latest main] ``` But then I updated to: ``` ghcr.io/open-webui/open-webui@sha256:24669393b06bc05b5193b26ae59483b6d53e8b47a5a74217053373cef5e1ae7d # [target: latest] [tags: git-b8da4a8 latest main] ``` And am now getting: ``` |aiweb-open-webui | 2025-08-01T16:36:22.148800292Z 2025-08-01 16:36:22.148 | INFO | open_webui.routers.auths:ldap_auth:249 - LDAP search attributes: ['samaccountname', 'mail', 'cn'] - {} |aiweb-open-webui | 2025-08-01T16:36:22.151870186Z 2025-08-01 16:36:22.151 | ERROR | open_webui.routers.auths:ldap_auth:447 - LDAP authentication error: 400: User not found in the LDAP server - {} |aiweb-open-webui | 2025-08-01T16:36:22.153234028Z 2025-08-01 16:36:22.152 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.3.99:0 - "POST /api/v1/auths/ldap HTTP/1.1" 400 - {} ``` However the user exists, and works fine in other services, and worked previously. In addition, despite getting the `User not found` error, I'm not seeing a connection on the Samba server at all. **EDIT** In my case, it turned out that the latest OpenWebUI doesn't like the classic AD style of `samaccountname` filter. This no longer works: ``` (&(memberof=CN=AI,DC=corp,DC=domain,DC=com)(samaccountname=%s)) ``` But thjis does: ``` (memberof=CN=AI,DC=corp,DC=domain,DC=com) ``` The `samaccountname` portion is handled in the UI outside of filters, but this filter has always worked in the past. So if you're using a filter built for another app, maybe take a look there.
Author
Owner

@MDKAOD commented on GitHub (Aug 27, 2025):

@Fmstrat
Can you provide a sanitized screenshot of your config? I'm having a heck of a time getting this to work in my configuration, and am having the same "User not found error".

<!-- gh-comment-id:3228208089 --> @MDKAOD commented on GitHub (Aug 27, 2025): @Fmstrat Can you provide a sanitized screenshot of your config? I'm having a heck of a time getting this to work in my configuration, and am having the same "User not found error".
Author
Owner

@dmessano commented on GitHub (Aug 31, 2025):

@Fmstrat Can you provide a sanitized screenshot of your config? I'm having a heck of a time getting this to work in my configuration, and am having the same "User not found error".

Image

Works with 0.6.22 and 0.6.26.

This is for any valid user, i don't need group restrictions, and this is a Self-signed CA

<!-- gh-comment-id:3240244558 --> @dmessano commented on GitHub (Aug 31, 2025): > [@Fmstrat](https://github.com/Fmstrat) Can you provide a sanitized screenshot of your config? I'm having a heck of a time getting this to work in my configuration, and am having the same "User not found error". <img width="1181" height="459" alt="Image" src="https://github.com/user-attachments/assets/b76ef11f-1542-4752-a5cb-7cad901b0893" /> Works with 0.6.22 and 0.6.26. This is for any valid user, i don't need group restrictions, and this is a Self-signed CA
Author
Owner

@MDKAOD commented on GitHub (Sep 4, 2025):

Image

All I can mangage to get is "LDAP authentication error: 400 User not found in the LDAP server". I've tried many iterations of the configuration. The Search Base values are currently CN=usercn,DC=foo,DC=bar, but trimming down to a less granular DC=foo,DC=bar doesn't help and going all the way down to DC=bar gives me "LDAP authentication error: invalid server address".

I have a Nextcloud install that works with Active Directory without an issue and Active Directory Explorer authenticates and permits browsing the AD tree, so I'm lost on how to proceed to troubleshoot further.

<!-- gh-comment-id:3253860115 --> @MDKAOD commented on GitHub (Sep 4, 2025): <img width="882" height="464" alt="Image" src="https://github.com/user-attachments/assets/be51b396-6b70-471f-8b69-0ec6b9cbb23a" /> All I can mangage to get is "LDAP authentication error: 400 User not found in the LDAP server". I've tried many iterations of the configuration. The Search Base values are currently CN=usercn,DC=foo,DC=bar, but trimming down to a less granular DC=foo,DC=bar doesn't help and going all the way down to DC=bar gives me "LDAP authentication error: invalid server address". I have a Nextcloud install that works with Active Directory without an issue and Active Directory Explorer authenticates and permits browsing the AD tree, so I'm lost on how to proceed to troubleshoot further.
Author
Owner

@saschacontes commented on GitHub (Sep 17, 2025):

Image

All I can mangage to get is "LDAP authentication error: 400 User not found in the LDAP server". I've tried many iterations of the configuration. The Search Base values are currently CN=usercn,DC=foo,DC=bar, but trimming down to a less granular DC=foo,DC=bar doesn't help and going all the way down to DC=bar gives me "LDAP authentication error: invalid server address".

I have a Nextcloud install that works with Active Directory without an issue and Active Directory Explorer authenticates and permits browsing the AD tree, so I'm lost on how to proceed to troubleshoot further.

For a quick test, I would shorten the Search Base to: DC=foo,DC=bar
CN=usercn,DC=foo,DC=bar would point to exatly this one user or if its an OU than its a typo and should be adjusted to OU=usercn,DC=foo,DC=bar

<!-- gh-comment-id:3301494984 --> @saschacontes commented on GitHub (Sep 17, 2025): > <img alt="Image" width="882" height="464" src="https://private-user-images.githubusercontent.com/1223587/485348978-be51b396-6b70-471f-8b69-0ec6b9cbb23a.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTgwOTAzOTAsIm5iZiI6MTc1ODA5MDA5MCwicGF0aCI6Ii8xMjIzNTg3LzQ4NTM0ODk3OC1iZTUxYjM5Ni02YjcwLTQ3MWYtOGI2OS0wZWM2YjljYmIyM2EucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MDkxNyUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTA5MTdUMDYyMTMwWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ZTlhNzRlMDRlOWZkNGU3NjNjMjM2NDg4MTFkNzQ4NTgzNzM4OWE1NDZiMDhkYjI5MjljN2E5YWFiZDc1Mjc5ZCZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.okPCX0NAlKOuaLbUXddtLdgH96m7BzYieqt8Dy8e4Pc"> > > All I can mangage to get is "LDAP authentication error: 400 User not found in the LDAP server". I've tried many iterations of the configuration. The Search Base values are currently CN=usercn,DC=foo,DC=bar, but trimming down to a less granular DC=foo,DC=bar doesn't help and going all the way down to DC=bar gives me "LDAP authentication error: invalid server address". > > I have a Nextcloud install that works with Active Directory without an issue and Active Directory Explorer authenticates and permits browsing the AD tree, so I'm lost on how to proceed to troubleshoot further. For a quick test, I would shorten the Search Base to: DC=foo,DC=bar CN=usercn,DC=foo,DC=bar would point to exatly this one user or if its an OU than its a typo and should be adjusted to OU=usercn,DC=foo,DC=bar
Author
Owner

@stfast commented on GitHub (Sep 18, 2025):

This works for me:

  • LDAP

Label: LDAP-domain.us

Host: domain.us

Port: 389

Application DN: CN=CGPT AD. Bind,OU=Services,OU=Users,OU=domain.us,DC=domain,DC=us

Application DN Password: **********

Attribute for Mail: mail

Attribute for Username: userPrincipalName

Search Base: OU=Users,OU=domain.us,DC=domain,DC=us

Search Filters: (objectClass=user)

  • LDAPS

Label: LDAP-domain.us

Host: domain.us

Port: 636

Application DN: CN=CGPT AD. Bind,OU=Services,OU=Users,OU=domain.us,DC=domain,DC=us

Application DN Password: **********

Attribute for Mail: mail

Attribute for Username: userPrincipalName

Search Base: OU=Users,OU=domain.us,DC=domain,DC=us

Search Filters: (&(objectClass=user)(memberof=CN=cgpt_user,OU=cgpt_domain_us,OU=CGPT,OU=Groups,OU=domain.us,DC=domain,DC=us))

TLS: (TOGGLE ON)

Certificate Path: (LEAVE EMPTY)

Validate certificate: (TOGGLE OFF)

Ciphers: ALL

$ docker logs open-webui
....
2025-09-18 23:13:55.637 | INFO | open_webui.routers.auths:ldap_auth:259 - LDAP search attributes: ['userPrincipalName', 'mail', 'cn']
2025-09-18 23:13:55.677 | INFO | open_webui.models.auths:authenticate_user_by_email:158 - authenticate_user_by_email: one.email@domain.com
2025-09-18 23:13:55.687 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "POST /api/v1/auths/ldap HTTP/1.1" 200
2025-09-18 23:13:55.714 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/config HTTP/1.1" 200
2025-09-18 23:13:55.714 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/config HTTP/1.1" 200
2025-09-18 23:13:55.834 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/changelog HTTP/1.1" 200
2025-09-18 23:13:55.846 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/archived?page=1&order_by=updated_at&direction=desc HTTP/1.1" 200
2025-09-18 23:13:55.876 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/folders/ HTTP/1.1" 200
2025-09-18 23:13:55.877 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/?page=1 HTTP/1.1" 200
2025-09-18 23:13:55.894 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/channels/ HTTP/1.1" 200
2025-09-18 23:13:55.898 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/users/user/settings HTTP/1.1" 200
2025-09-18 23:13:55.927 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/all/tags HTTP/1.1" 200
2025-09-18 23:13:55.939 | INFO | open_webui.routers.ollama:get_all_models:348 - get_all_models()

<!-- gh-comment-id:3310013859 --> @stfast commented on GitHub (Sep 18, 2025): This works for me: - LDAP Label: LDAP-domain.us Host: domain.us Port: 389 Application DN: CN=CGPT AD. Bind,OU=Services,OU=Users,OU=domain.us,DC=domain,DC=us Application DN Password: ********** Attribute for Mail: mail Attribute for Username: userPrincipalName Search Base: OU=Users,OU=domain.us,DC=domain,DC=us Search Filters: (objectClass=user) - LDAPS Label: LDAP-domain.us Host: domain.us Port: 636 Application DN: CN=CGPT AD. Bind,OU=Services,OU=Users,OU=domain.us,DC=domain,DC=us Application DN Password: ********** Attribute for Mail: mail Attribute for Username: userPrincipalName Search Base: OU=Users,OU=domain.us,DC=domain,DC=us Search Filters: (&(objectClass=user)(memberof=CN=cgpt_user,OU=cgpt_domain_us,OU=CGPT,OU=Groups,OU=domain.us,DC=domain,DC=us)) TLS: (TOGGLE ON) Certificate Path: (LEAVE EMPTY) Validate certificate: (TOGGLE OFF) Ciphers: ALL $ docker logs open-webui .... 2025-09-18 23:13:55.637 | INFO | open_webui.routers.auths:ldap_auth:259 - LDAP search attributes: ['userPrincipalName', 'mail', 'cn'] 2025-09-18 23:13:55.677 | INFO | open_webui.models.auths:authenticate_user_by_email:158 - authenticate_user_by_email: one.email@domain.com 2025-09-18 23:13:55.687 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "POST /api/v1/auths/ldap HTTP/1.1" 200 2025-09-18 23:13:55.714 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/config HTTP/1.1" 200 2025-09-18 23:13:55.714 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/config HTTP/1.1" 200 2025-09-18 23:13:55.834 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/changelog HTTP/1.1" 200 2025-09-18 23:13:55.846 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/archived?page=1&order_by=updated_at&direction=desc HTTP/1.1" 200 2025-09-18 23:13:55.876 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/folders/ HTTP/1.1" 200 2025-09-18 23:13:55.877 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/?page=1 HTTP/1.1" 200 2025-09-18 23:13:55.894 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/channels/ HTTP/1.1" 200 2025-09-18 23:13:55.898 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/users/user/settings HTTP/1.1" 200 2025-09-18 23:13:55.927 | INFO | uvicorn.protocols.http.httptools_impl:send:476 - 192.168.70.103:0 - "GET /api/v1/chats/all/tags HTTP/1.1" 200 2025-09-18 23:13:55.939 | INFO | open_webui.routers.ollama:get_all_models:348 - get_all_models()
Author
Owner

@dmessano commented on GitHub (Sep 19, 2025):

@MDKAOD

Looking at your picture you have a typo for the Attribute for Username
You have saAMAccountName instead of sAMAccountName, notice the extra a.

More tips for poeple having this issue
You are only using the username when you try to login, no domain or @?

Yes:
myuser

No:
domain\myuser
myuser@domain

finally, if the account doesn't have an email address in the LDAP server you will get LDAP authentication error: 400: User does not have a valid email address

<!-- gh-comment-id:3313188080 --> @dmessano commented on GitHub (Sep 19, 2025): @MDKAOD Looking at your picture you have a typo for the Attribute for Username You have `saAMAccountName` instead of `sAMAccountName`, notice the extra `a`. More tips for poeple having this issue You are only using the username when you try to login, no domain or @? Yes: myuser No: domain\myuser myuser@domain finally, if the account doesn't have an email address in the LDAP server you will get `LDAP authentication error: 400: User does not have a valid email address`
Author
Owner

@MDKAOD commented on GitHub (Sep 19, 2025):

@MDKAOD

Looking at your picture you have a typo for the Attribute for Username You have saAMAccountName instead of sAMAccountName, notice the extra a.

..Well then. I guess when you're close to an issue and having a tough time, it's easy to overlook a typo. Remember the days where you could drop a semi-colon in 10,000 lines of code and nothing worked? sigh

More tips for poeple having this issue You are only using the username when you try to login, no domain or @?

This was the other tip that I needed. I had tried with and without @domain.top but having confirmation on the specific requirement is super helpful. I assumed it would run the check against mail OR username.

Thank you @dmessano you nailed my issue.

<!-- gh-comment-id:3313350246 --> @MDKAOD commented on GitHub (Sep 19, 2025): > [@MDKAOD](https://github.com/MDKAOD) > > Looking at your picture you have a typo for the Attribute for Username You have `saAMAccountName` instead of `sAMAccountName`, notice the extra `a`. ..Well then. I guess when you're close to an issue and having a tough time, it's easy to overlook a typo. Remember the days where you could drop a semi-colon in 10,000 lines of code and nothing worked? *sigh* > More tips for poeple having this issue You are only using the username when you try to login, no domain or @? This was the other tip that I needed. I had tried with and without @domain.top but having confirmation on the specific requirement is super helpful. I assumed it would run the check against mail _OR_ username. Thank you @dmessano you nailed my issue.
Author
Owner

@dmessano commented on GitHub (Sep 19, 2025):

@MDKAOD - good to hear you got it working, and the small things always get us.

If you want to use email only for login then swap sAMAccountName with userPrincipalName (tested on v0.6.30)
Want to use both? I couldn't find a way, but I did find that I had an incorrect setting on my picture.

I had mail set for Attribute for Mail. Set it to userPrincipalName and you will no longer need to add an email to their profile for logins to work.

Image
<!-- gh-comment-id:3313759268 --> @dmessano commented on GitHub (Sep 19, 2025): @MDKAOD - good to hear you got it working, and the small things always get us. If you want to use email only for login then swap `sAMAccountName` with `userPrincipalName` (tested on v0.6.30) Want to use both? I couldn't find a way, but I did find that I had an incorrect setting on my picture. I had `mail` set for `Attribute for Mail`. Set it to `userPrincipalName` and you will no longer need to add an email to their profile for logins to work. <img width="264" height="173" alt="Image" src="https://github.com/user-attachments/assets/820391db-c6f6-44e8-a63d-b259362b54e1" />
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#85329