LDAP/AD Server Authentication
You can use a Lightweight Directory Access Protocol (LDAP) authentication server to authenticate users.
LDAP/AD Server Configuration
Basic Configuration
LDAP_URLandLDAP_USER_SEARCH_BASEare required.LDAP_SEARCH_FILTERis optional; if not specified, themailattribute is used by default. If specified, use the literal{{username}}to use the given username for the search.
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_URL | string | LDAP server URL. | LDAP_URL=ldap://localhost:389 |
| LDAP_BIND_DN | string | Bind DN | LDAP_BIND_DN=cn=root |
| LDAP_BIND_CREDENTIALS | string | Password for bindDN | LDAP_BIND_CREDENTIALS=password |
| LDAP_USER_SEARCH_BASE | string | LDAP user search base | LDAP_USER_SEARCH_BASE=o=users,o=example.com |
| LDAP_SEARCH_FILTER | string | LDAP search filter | LDAP_SEARCH_FILTER=mail={{username}} |
Field Mappings
You can specify a mapping between the attributes of Librechat users and those of LDAP users. Use these settings if the default mappings do not work properly.
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_ID | string | Specify a unique user ID. By default, uid or sAMAccountName, mail is used. | LDAP_ID=uid |
| LDAP_USERNAME | string | By default, it uses givenName or mail. | LDAP_USERNAME=givenName |
| LDAP_EMAIL | string | By default, it uses mail. | LDAP_EMAIL=userPrincipalName |
| LDAP_FULL_NAME | string | By default, it uses a combination of givenName and surname. | LDAP_FULL_NAME=givenName,surname |
Username or Email
By default, MyLinks uses an email address and password for authentication.
This may sometimes cause problem with LDAP and you may want to use a username instead.
Set the LDAP_SEARCH_FILTER to filter for the username instead (e.g. LDAP_SEARCH_FILTER=uid={{username}}
and configure MyLinks to request login via username:
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_LOGIN_USES_USERNAME | string | Use username instead of email. | LDAP_LOGIN_USES_USERNAME=true |
Active Directory over SSL
To connect via SSL (ldaps://), such as a company using Windows AD, specify the path to the internal CA certificate.
LDAP_TLS_REJECT_UNAUTHORIZED is optional;if not specified Librechat will reject TLS/SSL connections if the LDAP server’s certificate cannot be verified.
set LDAP_TLS_REJECT_UNAUTHORIZED to false (not recommended for production environments)
to allow Librechat to accept TLS/SSL connections even if the LDAP server’s certificate cannot be verified,
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_CA_CERT_PATH | string | CA certificate path. | LDAP_CA_CERT_PATH=/path/to/root_ca_cert.crt |
| LDAP_TLS_REJECT_UNAUTHORIZED | string | Disable TLS verification | LDAP_TLS_REJECT_UNAUTHORIZED=true |