# LDAP/AD Server Authentication
You can use a Lightweight Directory Access Protocol (LDAP) authentication server to authenticate users.
## LDAP/AD Server Configuration

### Basic Configuration

`LDAP_URL` and `LDAP_USER_SEARCH_BASE` are required. `LDAP_SEARCH_FILTER` is optional; if not specified, the `mail` attribute is used by default. If specified, use the literal `{{username}}` to use the given username for the search.
Key | Type | Description | Example |
---|---|---|---|
LDAP_URL | string | LDAP server URL. | LDAP_URL=ldap://localhost:389 |
LDAP_BIND_DN | string | Bind DN | LDAP_BIND_DN=cn=root |
LDAP_BIND_CREDENTIALS | string | Password for the bind DN | LDAP_BIND_CREDENTIALS=password |
LDAP_USER_SEARCH_BASE | string | LDAP user search base | LDAP_USER_SEARCH_BASE=o=users,o=example.com |
LDAP_SEARCH_FILTER | string | LDAP search filter | LDAP_SEARCH_FILTER=mail={{username}} |
### Field Mappings

You can specify a mapping between the attributes of LibreChat users and those of LDAP users. Use these settings if the default mappings do not work properly.
Key | Type | Description | Example |
---|---|---|---|
LDAP_ID | string | Specify a unique user ID. By default, `uid`, `sAMAccountName`, or `mail` is used. | LDAP_ID=uid |
LDAP_USERNAME | string | By default, it uses givenName or mail. | LDAP_USERNAME=givenName |
LDAP_EMAIL | string | By default, it uses mail. | LDAP_EMAIL=userPrincipalName |
LDAP_FULL_NAME | string | By default, it uses a combination of givenName and surname. | LDAP_FULL_NAME=givenName,surname |
### Username or Email

By default, LibreChat uses an email address and password for authentication. This may sometimes cause problems with LDAP, and you may want to use a username instead. Set `LDAP_SEARCH_FILTER` to filter for the username instead (e.g. `LDAP_SEARCH_FILTER=uid={{username}}`) and configure LibreChat to request login via username:
Key | Type | Description | Example |
---|---|---|---|
LDAP_LOGIN_USES_USERNAME | string | Use username instead of email. | LDAP_LOGIN_USES_USERNAME=true |
### Active Directory over SSL

To connect via SSL (`ldaps://`), such as a company using Windows AD, specify the path to the internal CA certificate.

`LDAP_TLS_REJECT_UNAUTHORIZED` is optional; if not specified, LibreChat will reject TLS/SSL connections if the LDAP server's certificate cannot be verified. Set `LDAP_TLS_REJECT_UNAUTHORIZED` to `false` (not recommended for production environments) to allow LibreChat to accept TLS/SSL connections even if the LDAP server's certificate cannot be verified.
Key | Type | Description | Example |
---|---|---|---|
LDAP_CA_CERT_PATH | string | CA certificate path. | LDAP_CA_CERT_PATH=/path/to/root_ca_cert.crt |
LDAP_TLS_REJECT_UNAUTHORIZED | string | Reject connections whose TLS certificate cannot be verified; set to `false` to disable verification. | LDAP_TLS_REJECT_UNAUTHORIZED=true |
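The following is an added example, not LibreChat's own code, that ties the settings above together: it applies the documented defaults (`mail={{username}}` filter, certificate verification on unless `LDAP_TLS_REJECT_UNAUTHORIZED=false`), flags the weak TLS choices described in the SSL section, and substitutes `{{username}}` into `LDAP_SEARCH_FILTER` with RFC 4515 escaping so that special characters in a name are matched literally. The `SAMPLE_ENV` values and the `load_ldap_config`/`render_filter` helper names are constructed for this example.

```python
# Added example, not LibreChat's own code: applies the documented defaults to an
# env-style dict and renders LDAP_SEARCH_FILTER with RFC 4515 value escaping.
REQUIRED = ("LDAP_URL", "LDAP_USER_SEARCH_BASE")
DEFAULT_FILTER = "mail={{username}}"
# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, username: str) -> str:
    """Replace the literal {{username}} placeholder with the escaped username."""
    return template.replace("{{username}}", escape_filter_value(username))

def load_ldap_config(env: dict) -> dict:
    """Collect the documented settings, apply defaults and flag weak TLS choices."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing required LDAP settings: " + ", ".join(missing))
    # Unset means "reject unverified certificates"; only the string "false" disables it.
    reject = env.get("LDAP_TLS_REJECT_UNAUTHORIZED", "true").strip().lower() != "false"
    warnings = []
    if env["LDAP_URL"].startswith("ldaps://") and not env.get("LDAP_CA_CERT_PATH"):
        warnings.append("ldaps:// without LDAP_CA_CERT_PATH: an internal CA will not be trusted")
    if not reject:
        warnings.append("LDAP_TLS_REJECT_UNAUTHORIZED=false disables certificate verification")
    return {
        "url": env["LDAP_URL"],
        "search_base": env["LDAP_USER_SEARCH_BASE"],
        "search_filter": env.get("LDAP_SEARCH_FILTER") or DEFAULT_FILTER,
        "login_uses_username": env.get("LDAP_LOGIN_USES_USERNAME", "").lower() == "true",
        "reject_unauthorized": reject,
        "warnings": warnings,
    }

# Constructed sample environment mirroring the table examples (ldaps, username login).
SAMPLE_ENV = {
    "LDAP_URL": "ldaps://ad.example.com:636",
    "LDAP_USER_SEARCH_BASE": "o=users,o=example.com",
    "LDAP_SEARCH_FILTER": "uid={{username}}",
    "LDAP_LOGIN_USES_USERNAME": "true",
    "LDAP_TLS_REJECT_UNAUTHORIZED": "false",
}

if __name__ == "__main__":
    cfg = load_ldap_config(SAMPLE_ENV)
    print(render_filter(cfg["search_filter"], "jane (contractor)"))  # uid=jane \28contractor\29
    for warning in cfg["warnings"]:
        print("warning:", warning)
```

Running it against `SAMPLE_ENV` prints the rendered filter and two warnings, one for the missing CA path and one for the disabled certificate verification.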