
Enhancement: LDAP Authorization via security group

Open dirkpetersen opened this issue 1 year ago • 3 comments

What features would you like to see added?

Many organizations would like to start slowly with giving their users access to LLMs and govern access with Active Directory authorization (membership in a security group). Currently one can use LDAP_SEARCH_FILTER as a workaround; however, the user gets a confusing error message: "Unable to login with the information provided. Please check your credentials and try again." This is because the filter prevents the user from being found: { title: '(requireLdapAuth) Error: No user' }

More details

This is my LDAP config :

LDAP_URL=ldaps://ldap.domain.edu:636
LDAP_USER_SEARCH_BASE=OU=User Accounts,dc=domain,dc=edu
LDAP_BIND_DN=CN=ldapuser,OU=User Accounts,DC=domain,DC=edu
LDAP_BIND_CREDENTIALS=1233456
LDAP_SEARCH_FILTER=(&(mail={{username}})(memberOf=CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu))
LDAP_FULL_NAME=displayName

A super simple solution would be a code change that checks for the string memberOf= in LDAP_SEARCH_FILTER and displays a different error message to the end user, e.g. "You are currently not authorized to login, please contact the Administrator of this application for access"

Which components are impacted by your request?

General

Pictures

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

dirkpetersen avatar Sep 09 '24 05:09 dirkpetersen

Of course, login with username instead of email also works:

LDAP_URL=ldaps://ldap.domain.edu:636
LDAP_USER_SEARCH_BASE=OU=User Accounts,dc=domain,dc=edu
LDAP_BIND_DN=CN=ldapuser,OU=User Accounts,DC=domain,DC=edu
LDAP_BIND_CREDENTIALS=1233456
LDAP_LOGIN_USES_USERNAME=true
LDAP_SEARCH_FILTER=(&(sAMAccountName={{username}})(memberOf=CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu))
LDAP_FULL_NAME=displayName

dirkpetersen avatar Sep 09 '24 06:09 dirkpetersen

I have a problem with connecting to LDAP. I applied the settings exactly as you explained, but I get this error: { title: '(requireLdapAuth) Error: No user' }. Do you have a solution? I'm using Active Directory.

amin-ziaei avatar Feb 18 '25 11:02 amin-ziaei

Try setting up a filter for one specific user and try to log in. This way you will find the filter you need, and then substitute {{username}} there. This helped me.

My steps:

  1. LDAP_SEARCH_FILTER="sAMAccountName=j.smith", recreated the Docker container.
  2. Successful authorization on behalf of j.smith.
  3. I realized that the filter should be by sAMAccountName.
  4. LDAP_SEARCH_FILTER="sAMAccountName={{username}}", recreated the Docker container, and everything started working for all users.

imf1ne avatar Apr 25 '25 11:04 imf1ne