I need some help please in getting BookStack and OpenLDAP to work to automatically map LDAP groups to BookStack Roles.
I have the BookStack authentication via LDAP working but all users seem to only have Viewer permissions.
I'm using this BookStack docker image: https://github.com/solidnerd/docker-bookstack
And this OpenLDAP docker image: https://github.com/osixia/docker-openldap
For anyone who has got the LDAP groups -> BookStack roles working, would you please offer some advice?
I have read conflicting opinions about the need to add a memberOf overlay when using OpenLDAP. Some articles say that I need to add it, but I don't seem to have config permissions (or I don't know how to access the LDAP server correctly with the docker image). I also saw this closed issue in osixia/docker-openldap that made it seem that memberOf should work if I set up the LDAP entries correctly: https://github.com/osixia/docker-openldap/issues/258
From what I can tell, it seems that if memberOf is working and I have an LDAP group named "Docs Admin", the users that are members of that group should automatically get the role of Admin. Is there a list somewhere of the LDAP group -> BookStack role mappings? What is the LDAP group that a user needs to be a member of to get the BookStack Admin role?
Does anyone have any details regarding the exact LDAP structures that I need to create to get this to work?
Do I need to install some sort of memberOf overlay when using the osixia/docker-openldap image? Does anyone have the specific steps? I've tried a number of different examples on the host machine that is hosting the docker containers and they fail with "ldap_modify: Insufficient access (50)" (e.g. https://devopsideas.com/planning-of-ldap-dit-structure-and-config-of-overlays-access-ppolicy/ or https://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/).
Here's my BookStack docker-compose.yml:
version: '2'
services:
  mysql:
    image: mysql:5.7.21
    environment:
      - MYSQL_ROOT_PASSWORD=secret
      - MYSQL_DATABASE=bookstack
      - MYSQL_USER=bookstack
      - MYSQL_PASSWORD=secret
    volumes:
      - mysql-data:/var/lib/mysql
  bookstack:
    image: solidnerd/bookstack:0.25.2
    depends_on:
      - mysql
    environment:
      - APP_DEBUG=true
      - DB_HOST=mysql:3306
      - DB_DATABASE=bookstack
      - DB_USERNAME=bookstack
      - DB_PASSWORD=secret
      - AUTH_METHOD=ldap
      - LDAP_SERVER=ldap://192.168.0.2:389
      - LDAP_BASE_DN=dc=example,dc=com
      - LDAP_DN=cn=admin,dc=example,dc=com
      - LDAP_PASS=admin
      # $$ escapes the $ so compose does not interpolate ${user} itself
      - LDAP_USER_FILTER=(&(uid=$${user}))
      - LDAP_EMAIL_ATTRIBUTE=mail
      - LDAP_VERSION=3
      - LDAP_USER_TO_GROUPS=true
      # no quotes here: in list-form environment entries compose passes them
      # through literally, so "memberOf" would name an attribute that does not exist
      - LDAP_GROUP_ATTRIBUTE=memberOf
      - LDAP_REMOVE_FROM_GROUPS=false
    volumes:
      - uploads:/var/www/bookstack/public/uploads
      - storage-uploads:/var/www/bookstack/public/storage
    ports:
      - "8080:80"
volumes:
  mysql-data:
  uploads:
  storage-uploads:
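The following is an added example, not code from the original post, from BookStack or from the osixia image. It models the group-to-role step the question is about so you can check your LDAP structure offline before touching the containers: it builds the LDIF for a groupOfNames entry under ou=groups, extracts the CN from each memberOf DN the way BookStack does, and matches those CNs against BookStack roles. The matching rule it implements (group CN compared case-insensitively against the role name or against the role's comma-separated "External Authentication IDs" field) is my reading of BookStack's group sync and is an assumption, as are the role table, the user and group names, and the sample memberOf values, all of which are constructed here. It also shows why the quoted LDAP_GROUP_ATTRIBUTE value in the compose file is a problem: list-form compose environment entries keep the quotes, so the container is asked for an attribute literally named "memberOf" including the quote characters.

```python
"""Model of BookStack's memberOf -> role mapping (added example; assumptions
are marked in comments). Runs offline on constructed sample data."""
import re

# Constructed sample data, not taken from the original post.
BASE_DN = "dc=example,dc=com"

# BookStack roles as they might look under Settings > Roles. 'external_auth_id'
# stands for the role's "External Authentication IDs" field (comma-separated);
# an empty string means the role can only be matched on its name. ASSUMED rule.
ROLES = [
    {"name": "Admin", "external_auth_id": "Docs Admin,wiki-admins"},
    {"name": "Editor", "external_auth_id": ""},
    {"name": "Viewer", "external_auth_id": ""},
]

# What a user's memberOf attribute could contain once the memberof overlay is
# maintaining it (constructed; one CN has an escaped comma to exercise parsing).
SAMPLE_MEMBER_OF = [
    "cn=Docs Admin,ou=groups,dc=example,dc=com",
    "cn=editor,ou=groups,dc=example,dc=com",
    "cn=Unrelated\\, Inc,ou=groups,dc=example,dc=com",
]

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def group_cn(dn):
    """Return the CN of a group DN, or None when the first RDN is not a cn.
    BookStack matches on the group's CN, not on the full DN (assumed)."""
    first_rdn = _RDN_SPLIT.split(dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        return None
    return value.strip().replace("\\,", ",")


def match_roles(member_of, roles):
    """Map memberOf DNs to the BookStack role names they would grant, using the
    assumed rule: group CN equals role name or one of its external auth ids,
    compared case-insensitively. Returns role names in table order."""
    groups = {cn.lower() for cn in map(group_cn, member_of) if cn}
    matched = []
    for role in roles:
        ids = {role["name"].lower()}
        ids |= {i.strip().lower()
                for i in role["external_auth_id"].split(",") if i.strip()}
        if groups & ids:
            matched.append(role["name"])
    return matched


def parse_compose_env(line):
    """Parse one list-form docker-compose environment entry ('- KEY=value').
    Quotes are deliberately NOT stripped: YAML hands the whole scalar to the
    container, which is what compose does with this syntax."""
    entry = line.strip().lstrip("-").strip()
    key, _, value = entry.partition("=")
    return key, value


def ou_ldif(base_dn=BASE_DN):
    """LDIF for the ou=groups container the group entries live under."""
    return f"dn: ou=groups,{base_dn}\nobjectClass: organizationalUnit\nou: groups\n"


def group_ldif(cn, member_dns, base_dn=BASE_DN):
    """LDIF for a groupOfNames entry; the memberof overlay reflects each
    'member' value into that user's memberOf attribute. CN assumed comma-free."""
    lines = [f"dn: cn={cn},ou=groups,{base_dn}",
             "objectClass: groupOfNames",
             f"cn: {cn}"]
    lines += [f"member: {m}" for m in member_dns]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ou_ldif())
    print(group_ldif("Docs Admin", ["uid=jdoe,ou=users," + BASE_DN]))
    print("roles for sample user:", match_roles(SAMPLE_MEMBER_OF, ROLES))
    key, value = parse_compose_env('- LDAP_GROUP_ATTRIBUTE="memberOf"')
    print(f"{key} as the container sees it: {value!r}")
```

Write the two LDIF fragments to a file and load them with the same bind you already use from the host, e.g. `ldapadd -x -H ldap://192.168.0.2 -D "cn=admin,dc=example,dc=com" -W -f groups.ldif`, then confirm the overlay is doing its job with `ldapsearch -x -H ldap://192.168.0.2 -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=jdoe)" memberOf` (memberOf has to be requested by name). Two caveats: the memberof overlay only maintains memberOf for membership changes made while it is active, so groups created before it was enabled need to be re-added, and the "Insufficient access (50)" you hit comes from modifying cn=config with the data-tree admin (cn=admin,dc=example,dc=com); cn=config is owned by the separate config admin, or by root inside the container via `ldapmodify -Y EXTERNAL -H ldapi:///`.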