mirror of
https://github.com/open-webui/open-webui.git
synced 2026-05-26 11:27:54 -05:00
[GH-ISSUE #668] feat: LDAP User management #99164
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/open-webui#99164
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @this-josh on GitHub (Feb 7, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/668
Is your feature request related to a problem? Please describe.
Users should be managed via LDAP, similar to Portainer
Describe the solution you'd like
LDAP user management implemented
Describe alternatives you've considered
I believe LDAP is the best starting point
Additional context
One key feature of
ollama-webuiis its ability to have users, but without LDAP this doesn't have same network level utility.@jannikstdl commented on GitHub (Feb 7, 2024):
Yes agree, this would be a use case for us as well.
@tjbck commented on GitHub (Feb 7, 2024):
Related: https://github.com/ollama-webui/ollama-webui/issues/483
@UberMetroid commented on GitHub (Feb 18, 2024):
I can help test this.
@eingemaischt commented on GitHub (Apr 10, 2024):
This would be great for us as well - an auth via Header, set by an reverse proxy, would be a great alternative. Then we could add different auth mechanisms (OpenID, LDAP, Kerberos etc) without implementing each of them in webui itself...
@justinh-rahb commented on GitHub (Apr 10, 2024):
Excellent news, this has been implemented:
@Manfredzimmermann commented on GitHub (Jul 3, 2024):
How can I connect Open-WebUI with Microsoft Active directory? I'm looking for an excellent solution. A fixed module in Open-WebUI for Active Directory (LDAP) would be a dream
@FritzHeiden commented on GitHub (Jul 26, 2024):
I'd really like to see this feature implemented aswell
@dorianborovina commented on GitHub (Aug 1, 2024):
Me too! +1 from me.
@hostingnuggets commented on GitHub (Aug 1, 2024):
Me too! +100 from me ;-)
@peske commented on GitHub (Aug 2, 2024):
+1
@sry9681 commented on GitHub (Aug 12, 2024):
+1
@lduplaga commented on GitHub (Aug 16, 2024):
Would be awesome to have this feature.
@seal61 commented on GitHub (Aug 30, 2024):
+1
@lduplaga commented on GitHub (Aug 30, 2024):
I solved my case with Microsoft authentication by this
https://docs.openwebui.com/tutorial/sso#microsoft
@seal61 commented on GitHub (Aug 30, 2024):
does not help with local active directory / ldap server sadly, but might be useful for some.
@WilsonZiweiWang commented on GitHub (Aug 30, 2024):
My implementation:
f4e487480fIt worked in my case with my LDAP server. Feel free to play with it and leave a comment. Thanks.
@hostingnuggets commented on GitHub (Aug 30, 2024):
Bravo @WilsonZiweiWang for your LDAP implementation. @tjbck could @WilsonZiweiWang's code be integrated to this project?
@tjbck commented on GitHub (Aug 30, 2024):
Feel free to make a PR!
@justinh-rahb commented on GitHub (Aug 30, 2024):
WilsonZiweiWang with some refac that might be workable for more servers. Not working on my AD server, but honestly I'm fairly sure it's either a layer8 problem, or we just need more environment variables to tune the (too many) options for LDAP binding, user search and field mappings.
@Peter-De-Ath commented on GitHub (Aug 31, 2024):
I wasn't quite able able to get this working out the box, but adding
LDAP_USER_DN = f'cn={cn},{LDAP_USERS_DN}'inside
if uid == form_data.user:@justinh-rahb commented on GitHub (Aug 31, 2024):
I got this to work with @Peter-De-Ath's modification on a test LDAP server, but still unable to get working on my (probably misconfigured by my predecessor) AD domain.
Some notes I'd add:
WEBUI_LOGIN=false, the email/username and password fields are hiddenemailfield for login? We already get it from the LDAP server to create the account@WilsonZiweiWang commented on GitHub (Aug 31, 2024):
hi all, thanks for testing my code and leaving comments, I have created the PR for this issue: https://github.com/open-webui/open-webui/pull/5056
@tjbck commented on GitHub (Nov 6, 2024):
LDAP support merged to dev. More testing wanted from the community here!
@arthur-flam commented on GitHub (Nov 6, 2024):
Hello! We managed to make it work with LDAP. Thanks a lot for adding this feature.
Some small issues I ran into:
Auths.insert_new_authonly getsmail/hash/cnparameters. Other auth methods also accept a role (default topendingotherwise no matter howDEFAULT_USER_ROLEis defined. It's also not possible to add profile picture (although it could be difficult with ldap, at least in my experience with our LDAP,ldapsearchreturns a path to a temp image file, not a real URL).LDAP_SEARCH_FILTERSis always messy to get right. I didn't understand that it already did f&(LDAP_ATTRIBUTE_FOR_USERNAME={login})({LDAP_SEARCH_FILTERS}).In any case testing with
devwas very easy, amazing work all around.@nordy1145 commented on GitHub (Nov 7, 2024):
I also got LDAP working with a simple ldap filter to a specific group, TLS and no issues authenticating. The only issue I see is the default Role is Pending instead of User as mentioned above.
@GabrielRamirez commented on GitHub (Nov 7, 2024):
Are the LDAP variables set in the .env file?
@WilsonZiweiWang commented on GitHub (Nov 8, 2024):
You can set initial values to them in the .env file or edit them with the interface
@UberMetroid commented on GitHub (Nov 20, 2024):
works great. thank you.
@VfBfoerst commented on GitHub (Nov 20, 2024):
thanks for the implementation :) I also tested it, works like a charm.
@wixyskywriter commented on GitHub (Nov 24, 2024):
would it be possible to share a sample of a working configuration?
@WilsonZiweiWang commented on GitHub (Nov 25, 2024):
You will need to know how your active directory is configured.
@wixyskywriter commented on GitHub (Nov 26, 2024):
I know, but still not able to integrate and the binding error appearing. If there is a guide or tutorial for setting up AD integration would be helpful to everyone.
@WilsonZiweiWang commented on GitHub (Nov 28, 2024):
The configurations can be very different from case to case, I think first it is best that you let us know what errors you are having. You could create an issue.
@AndreasUpb commented on GitHub (Dec 2, 2024):
Thank you for the hard work! I have the LDAP auth running but wondering how am i able to map different Ldap-Groups to OpenWebUI's Permission-Groups. Is this to customized so that i have to fork or do you see the same use case?
@nordy1145 commented on GitHub (Dec 3, 2024):
Why not just create a single group and nest groups under that one?
@AndreasUpb commented on GitHub (Dec 3, 2024):
I already have a meta-group in ldap, so that the login works for both groups. But i want ldap-group-a to have openwebui-permission-group-a (can only access model llamaX) and ldap-group-b to have openwebui-permission-group-b (can also access model gpt4 + working area).