[GH-ISSUE #1791] 💬 [Question] Connect via LDAP #711

Closed
opened 2026-02-25 21:35:43 +03:00 by kerem · 20 comments

Originally created by @rfpg1 on GitHub (Nov 12, 2025).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/1791

Hello everyone,

I've read the documentation in: https://github.com/cypht-org/cypht/wiki/How-to-setup-LDAP-Authentication

But still I can't login via LDAP and can't find where logs are because data/logs is empty to understand what the actual problem is.

I've tried setting the values in docker-compose.yml and .env files but still nothing

When I did docker exec -it container bash and checked .env inside the docker it has different values from my docker-compose.yml

Could this be the problem? If so, how to fix?

Thanks for the help


@IrAlfred commented on GitHub (Nov 12, 2025):

Hello @rfpg1,

Are you able to authenticate to your LDAP server using this command

```
ldapwhoami -x -H ldaps://<ip-address> -D "uid=user,dc=example,dc=com" -W
```

@rfpg1 commented on GitHub (Nov 13, 2025):

Hello @IrAlfred,

I cannot authenticate that way. What I normally do is

```
ldapwhoami -x -H ldap://<ip-address> -D "cn=user,dc=example,dc=com" -W
```

My LDAP server is an Active Directory. Could that be the problem?

Edit:
Also tried changing LDAP_UID_ATTR to cn or sAMAccountName but neither worked

If I could read some logs to understand why the authentication is failing that could do it, but I can't find the log file


@IrAlfred commented on GitHub (Nov 13, 2025):

> My LDAP server is an Active Directory. Could that be the problem?

Of course not.

There are exactly two configs

```
# For Cypht Addressbook
LDAP_UID_ATTR="cn"

# For Cypht Authentication
LDAP_AUTH_UID_ATTR="cn"
```

@rfpg1 commented on GitHub (Nov 13, 2025):

I meant LDAP_AUTH_UID_ATTR instead of LDAP_UID_ATTR, my mistake for confusing both

LDAP_AUTH_UID_ATTR is what I'm using in compose file

This is my docker-compose.yml file:

```
services:
  db:
    image: mariadb:10
    ports:
      - "3306:3306"
    volumes:
      - ./data/mysql:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=DB_ROOT_PASSWORD
      - MYSQL_DATABASE=DB_NAME
      - MYSQL_USER=DB_USER
      - MYSQL_PASSWORD=DB_PASS
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-uDB_USER", "-pDB_PASS"]
      interval: 10s
      timeout: 5s
      retries: 5

  cypht:
    image: cypht/cypht:2.5.1
    depends_on:
      db:
        condition: service_healthy
    ports:
      - "80:80"
    environment:
      - DB_CONNECTION_TYPE=host
      - DB_DRIVER=mysql
      - DB_HOST=db
      - DB_NAME=DB_NAME
      - DB_USER=DB_USER
      - DB_PASS=DB_PASS
      - SESSION_TYPE=LDAP
      - USER_CONFIG_TYPE=DB
      - AUTH_TYPE=LDAP
      - LDAP_AUTH_PORT=389
      - LDAP_AUTH_SERVER=my_ip
      - LDAP_AUTH_TLS=false
      - LDAP_AUTH_BASE_DN=DC=example,DC=com
      - LDAP_AUTH_UID_ATTR=sAMAccountName
    volumes:
      - ./data/log/nginx:/var/log/nginx
      - ./data/log/php:/var/log/php
      - ./data/log/supervisord:/var/log/supervisord
      - ./data/fonts:/usr/local/share/cypht/site/fonts
      - ./data/user_settings:/var/lib/hm3/users
      - ./data/user_attachments:/var/lib/hm3/attachments
```

Do you see anything wrong?


@IrAlfred commented on GitHub (Nov 13, 2025):

Thank you for providing the details. I'm investigating and will provide an update as soon as I have more information.


@IrAlfred commented on GitHub (Nov 13, 2025):

@rfpg1

Do you structure your users within Organizational Units (OUs) in your LDAP directory?


@rfpg1 commented on GitHub (Nov 13, 2025):

Yes, I do, also tried to put the OU in BASE_DN, but still not working


@IrAlfred commented on GitHub (Nov 13, 2025):

> Yes, I do, also tried to put the OU in BASE_DN, but still not working

Did you provide the full path? I mean from the root OU to the current user's. For example:

```
LDAP_AUTH_BASE_DN=OU=Sales,OU=Users,DC=company,DC=com
```

From right to left. In the example Sales is in Users


@rfpg1 commented on GitHub (Nov 13, 2025):

Yes, I did an LDAP search to check the full DN of my user and put that DN in there, excluding the CN

Aren't there any logs I can read?


@IrAlfred commented on GitHub (Nov 13, 2025):

> Yes, I did an LDAP search to check the full DN of my user and put that DN in there, excluding the CN
>
> Aren't there any logs I can read?

Unfortunately no application-specific logs, only generic Docker logs.
If you don't mind, you can create a test account we can use for debugging! This would be helpful.


@rfpg1 commented on GitHub (Nov 13, 2025):

Where to create the test account?

I've managed to login with AUTH_TYPE=DB (which is the default I believe) with credentials also defined in the docker-compose

But I really needed the LDAP login


@IrAlfred commented on GitHub (Nov 13, 2025):

> Where to create the test account?
>
> I've managed to login with AUTH_TYPE=DB (which is the default I believe) with credentials also defined in the docker-compose
>
> But I really needed the LDAP login

On your LDAP server so I can try to login on my side.


@rfpg1 commented on GitHub (Nov 13, 2025):

You want an account on my LDAP server?

It is in a private network, you cannot access it even if I wanted to


@IrAlfred commented on GitHub (Nov 13, 2025):

> You want an account on my LDAP server?
>
> It is in a private network, you cannot access it even if I wanted to

Oh unfortunately! Maybe we can plan for a screenshare in that case. You can DM on gitter (iralfred:gitter.im) and join our Cypht Community (https://app.gitter.im/#/room/#cypht-org_community:gitter.im)


@IrAlfred commented on GitHub (Jan 9, 2026):

Hello @rfpg1,

Let's try this.

First use LDAP_AUTH_UID_ATTR="cn"

Next

1. Check the LDAP_AUTH_BASE_DN Setting
   This setting depends on where the user account is located in Active Directory:
   * For users added globally (not in an Organizational Unit):
     Use:
     ```
     LDAP_AUTH_BASE_DN="cn=Users,dc=example,dc=com"
     ```
     This is because Active Directory places globally created users in the cn=Users container by default.
   * For users created inside an Organizational Unit (OU), such as "Developers":
     Use:
     ```
     LDAP_AUTH_BASE_DN="ou=Developers,dc=example,dc=com"
     ```
2. Use the Full Name in the Cypht Login Form

When logging into Cypht, please use the user’s full name as stored in Active Directory, not the username.
For example:

Username in AD: john
Full name in AD: John Doe
Enter in Cypht login: John Doe

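A way to reproduce from the shell the bind that the settings in the comment above imply, added here as an example and not code from the thread or from Cypht: it builds the bind DN from the UID attribute, the typed login and the base DN, escaping RFC 4514 special characters so that a full name such as "Doe, John" still forms a valid DN. It assumes Cypht binds as `<LDAP_AUTH_UID_ATTR>=<login>,<LDAP_AUTH_BASE_DN>`; the function names and the "Doe, John" sample are hypothetical, and the `starttls` mode adds `-ZZ` because a simple bind on port 389 without TLS sends the password in clear text.

```sh
#!/bin/sh
# Added example; not from the issue thread or the Cypht code base.
# Assumption: the bind DN is "<LDAP_AUTH_UID_ATTR>=<login>,<LDAP_AUTH_BASE_DN>".

# Escape one attribute value for use inside a DN (RFC 4514):
# backslash first, then , + " < > ; then a leading '#' or space,
# then a trailing space.
escape_dn_value() {
  printf '%s' "$1" | sed \
    -e 's/\\/\\\\/g' \
    -e 's/[,+"<>;]/\\&/g' \
    -e 's/^[# ]/\\&/' \
    -e 's/ $/\\ /'
}

# build_bind_dn ATTR LOGIN BASE_DN -> prints the composed bind DN.
build_bind_dn() {
  printf '%s=%s,%s' "$1" "$(escape_dn_value "$2")" "$3"
}

# try_bind HOST DN [starttls]
# Runs the same simple bind as the ldapwhoami commands in the thread.
# With "starttls" it adds -ZZ, which fails unless StartTLS succeeds.
# Example: try_bind <ip-address> "$(build_bind_dn cn "John Doe" "$BASE")" starttls
try_bind() (
  tls_flag=
  if [ "${3:-plain}" = starttls ]; then tls_flag=-ZZ; fi
  # $tls_flag is left unquoted on purpose so it disappears when empty.
  ldapwhoami -x $tls_flag -H "ldap://$1" -D "$2" -W
)

# Constructed sample values, following the names used in the thread.
build_bind_dn cn "John Doe" "cn=Users,dc=example,dc=com"; echo
build_bind_dn cn "Doe, John" "ou=Developers,dc=example,dc=com"; echo
```

If `try_bind` succeeds with the composed DN but the Cypht login fails, the difference lies in what the container actually received as settings rather than in the directory.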

@marclaporte commented on GitHub (Jan 10, 2026):

> It is in a private network, you cannot access it even if I wanted to

@rfpg1 I am very curious about your use of Cypht in a private network. What features are most useful, what features are missing, etc. If you'd like to chat, please reach out. My mail is my first name at my full name dot com. (And easy to find if you search my name online)


@IrAlfred commented on GitHub (Jan 16, 2026):

@rfpg1
We have improved the documentation here https://github.com/cypht-org/cypht/wiki/How-to-setup-LDAP-Authentication


@IrAlfred commented on GitHub (Jan 18, 2026):

Hello @rfpg1,

We would like to inform you that LDAP authentication support has been significantly expanded and improved in Cypht 2.6.0. This new release adds better compatibility with Active Directory environments, including support for authentication using both UPN format (user@domain) and domain\user format. These enhancements address several limitations that existed in previous versions.

We recommend upgrading to Cypht 2.6.0 and testing your LDAP configuration again with this latest release. We believe the issues you encountered are resolved by the updated authentication implementation.

Since these improvements are now available, we will close this issue for the moment. However, please feel free to test with Cypht 2.6.0, and do not hesitate to reopen this issue if you continue to experience problems or need further assistance. We will be happy to investigate further with you.

Thank you again for your feedback and for helping us improve Cypht.


@rfpg1 commented on GitHub (Feb 6, 2026):

Hello @IrAlfred
I'll take a look at this in the future
For now I'm using SOGo but thanks anyway for the effort to make this great


@marclaporte commented on GitHub (Feb 7, 2026):

@rfpg1

We are planning more enhancements for 2026. Can you suggest one or two things Cypht can learn from SOGo?

We could discuss at an upcoming https://github.com/cypht-org/cypht/wiki/Monthly-Community-Meetings

Thanks!
