
feat: LDAP Group-Based Authorization in OpenWebUI #12456 via Auth headers

Open · codespg opened this pull request 9 months ago • 1 comment

Added variable WEBUI_AUTH_TRUSTED_GROUP_HEADER. The same variable is used to identify the request header that carries the groups to sync in Open WebUI.

Group Configuration: Allow administrators to define groups in OpenWebUI and map them to existing LDAP groups.

Set up Apache/reverse proxy to send the request header with the group details, semicolon delimited.

Automatic Group Assignment: Upon login (via SSO auth headers), automatically assign users to their corresponding OpenWebUI groups based on their LDAP group memberships.

Note: The group parsing assumes a semicolon-delimited string in the header. If a different delimiter is needed, we can configure a variable accordingly and add another update.

codespg · Apr 04 '25 20:04

Hello,

Can you verify and merge this pull request?

codespg · Apr 22 '25 11:04

@codespg Thank you for this helpful task.

About the removal update process, I want to confirm whether Open WebUI can still synchronize normally when a user is deleted from all groups, or whether we should not consider this scenario.

Assuming the original userA is a member of Group 1 and Group 2, when userA is removed from all existing groups (Group 1 and Group 2), the group information in the header is empty, leading to user_trusted_groups being []. Would the condition below cause the removal update processing to be skipped incorrectly?

    # Remove groups that user is no longer a part of
    for group_model in user_current_groups:
        if user_trusted_groups and group_model.name not in user_trusted_groups:
            log.debug(
                f"Removing user from group {group_model.name} as it is no longer in their trusted header groups"
            )

Is it necessary to distinguish between the two scenarios: not obtaining group information from the headers at all, and obtaining group information where the group list is empty?

yu-xiaoli · May 06 '25 04:05

Hello, I have reused the same group removal code used in OAuth group management.

Since it's better to add this condition to remove all groups when an empty list is received, I will add it and update here.

codespg · May 09 '25 18:05

Hello @yu-xiaoli, thanks for your suggestion. I have removed the extra validation that skipped group removal when user_trusted_groups is empty.

codespg · May 15 '25 20:05

Tested locally, works as expected when passing the header via Authentik.

I only added a condition to ignore groups with specific prefixes (defined in WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX) when removing groups the user is no longer a part of. Groups with these prefixes will be retained.

Because I need some groups that are only managed inside OWUI.

    # Remove groups that user is no longer a part of
    for group_model in user_current_groups:
        if (
            group_model.name not in user_trusted_groups
            and not group_model.name.startswith(WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX)
        ):

ediiiz · May 23 '25 05:05
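The three behaviours discussed in this thread (the semicolon-delimited header described in the PR text, the empty-list removal case raised by yu-xiaoli, and the ignored-prefix retention added by ediiiz) fit in one small sync routine. The block below is an added example written for this page; it is not Open WebUI's code and not the PR's diff. The header name "X-Forwarded-Groups", the prefix "local-", the assumption that WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX is a single string, and the rule that only groups an admin has already defined are mapped, are all assumptions made here, not facts from the project.

```python
"""Reference sketch of trusted-header group sync, as discussed in this thread.

Added example for this page; not Open WebUI's implementation and not the PR.
Assumed (not taken from the project):
  - WEBUI_AUTH_TRUSTED_GROUP_HEADER is "X-Forwarded-Groups";
  - WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX is one string prefix;
  - LDAP groups are only mapped onto Open WebUI groups that already exist.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed configuration values (assumptions, see the docstring above).
WEBUI_AUTH_TRUSTED_GROUP_HEADER = "X-Forwarded-Groups"
WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX = "local-"
GROUP_DELIMITER = ";"  # the PR describes a semicolon-delimited list


def parse_trusted_groups(
    headers: Dict[str, str],
    header_name: str = WEBUI_AUTH_TRUSTED_GROUP_HEADER,
) -> Optional[List[str]]:
    """Extract the group list from the trusted header.

    Keeps the two cases from the thread apart:
      header absent            -> None (the proxy sent nothing for this user)
      header present but empty -> []   (the user is in no LDAP groups)
    HTTP header names are case-insensitive, so they are matched that way.
    """
    lookup = {name.lower(): value for name, value in headers.items()}
    raw = lookup.get(header_name.lower())
    if raw is None:
        return None
    groups: List[str] = []
    seen: Set[str] = set()
    for entry in raw.split(GROUP_DELIMITER):
        entry = entry.strip()  # tolerate "a; b" from proxies that add spaces
        # Drop empty pieces ("a;;b", trailing ";") and duplicates, keep order.
        if entry and entry not in seen:
            seen.add(entry)
            groups.append(entry)
    return groups


def is_locally_managed(
    group_name: str,
    ignored_prefix: str = WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX,
) -> bool:
    """True for groups managed only inside Open WebUI; header sync never removes them.

    An empty prefix must mean "nothing is exempt": str.startswith("") is True for
    every string, so without this guard an unset prefix would disable removal entirely.
    """
    return bool(ignored_prefix) and group_name.startswith(ignored_prefix)


def plan_group_sync(
    user_current_groups: Iterable[str],
    user_trusted_groups: Optional[List[str]],
    existing_groups: Set[str],
    ignored_prefix: str = WEBUI_AUTH_TRUSTED_GROUP_HEADER_IGNORED_PREFIX,
) -> Tuple[List[str], List[str]]:
    """Return (groups_to_add, groups_to_remove) for one login.

    A missing header (None) changes nothing. An empty list removes every
    header-managed group, which is the behaviour the thread settled on, while
    groups carrying the ignored prefix are always retained.
    """
    if user_trusted_groups is None:
        return [], []
    current = set(user_current_groups)
    trusted = set(user_trusted_groups)
    # Only map onto groups an admin has already defined in Open WebUI.
    to_add = sorted(g for g in trusted if g in existing_groups and g not in current)
    to_remove = sorted(
        g for g in current
        if g not in trusted and not is_locally_managed(g, ignored_prefix)
    )
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample: userA is in Group 1, Group 2 and an Open WebUI-only group.
    existing = {"Group 1", "Group 2", "Group 3", "local-reviewers"}
    user_a = ["Group 1", "Group 2", "local-reviewers"]

    # LDAP now reports Group 2 and Group 3 only.
    hdr = {"X-Forwarded-Groups": "Group 2; Group 3"}
    print(plan_group_sync(user_a, parse_trusted_groups(hdr), existing))  # (['Group 3'], ['Group 1'])

    # userA removed from every LDAP group: header present but empty.
    print(plan_group_sync(user_a, parse_trusted_groups({"X-Forwarded-Groups": ""}), existing))  # ([], ['Group 1', 'Group 2'])

    # Header not sent at all: memberships left untouched.
    print(plan_group_sync(user_a, parse_trusted_groups({}), existing))  # ([], [])
```

Whatever the final implementation looks like, the header is only trustworthy if the reverse proxy overwrites or strips any copy of it arriving from the client and the application is reachable only through that proxy; otherwise a user can grant themselves group membership by sending the header directly.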

Closing in favour of cce5f024bd63ba3a83630c3d3a69d48251b71d1d

tjbck · May 24 '25 19:05