
LDAP/AD Server Authentication

You can use a Lightweight Directory Access Protocol (LDAP) authentication server to authenticate users.

LDAP/AD Server Configuration

Basic Configuration

  • LDAP_URL and LDAP_USER_SEARCH_BASE are required.
  • LDAP_SEARCH_FILTER is optional; if not specified, the mail attribute is used by default. If specified, use the literal {{username}} to use the given username for the search.
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_URL | string | LDAP server URL. | LDAP_URL=ldap://localhost:389 |
| LDAP_BIND_DN | string | Bind DN | LDAP_BIND_DN=cn=root |
| LDAP_BIND_CREDENTIALS | string | Password for the bind DN | LDAP_BIND_CREDENTIALS=password |
| LDAP_USER_SEARCH_BASE | string | LDAP user search base | LDAP_USER_SEARCH_BASE=o=users,o=example.com |
| LDAP_SEARCH_FILTER | string | LDAP search filter | LDAP_SEARCH_FILTER=mail={{username}} |

Field Mappings

You can specify a mapping between the attributes of LibreChat users and those of LDAP users. Use these settings if the default mappings do not work properly.

| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_ID | string | Specify a unique user ID. By default, uid, sAMAccountName, or mail is used. | LDAP_ID=uid |
| LDAP_USERNAME | string | By default, givenName or mail is used. | LDAP_USERNAME=givenName |
| LDAP_EMAIL | string | By default, mail is used. | LDAP_EMAIL=userPrincipalName |
| LDAP_FULL_NAME | string | By default, a combination of givenName and surname is used. | LDAP_FULL_NAME=givenName,surname |

Username or Email

By default, LibreChat uses an email address and password for authentication. This may sometimes cause problems with LDAP, and you may want to use a username instead. Set LDAP_SEARCH_FILTER to filter on the username instead (e.g. LDAP_SEARCH_FILTER=uid={{username}}) and configure LibreChat to request login via username:

| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_LOGIN_USES_USERNAME | string | Use username instead of email. | LDAP_LOGIN_USES_USERNAME=true |

Active Directory over SSL

To connect via SSL (ldaps://), for example to a company Windows AD, specify the path to the internal CA certificate. LDAP_TLS_REJECT_UNAUTHORIZED is optional; if it is not specified, LibreChat rejects TLS/SSL connections when the LDAP server's certificate cannot be verified. Set LDAP_TLS_REJECT_UNAUTHORIZED to false (not recommended for production environments) to allow LibreChat to accept TLS/SSL connections even if the LDAP server's certificate cannot be verified.

| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_CA_CERT_PATH | string | CA certificate path. | LDAP_CA_CERT_PATH=/path/to/root_ca_cert.crt |
| LDAP_TLS_REJECT_UNAUTHORIZED | string | Reject connections when the server certificate cannot be verified; set to false to disable TLS verification (not recommended). | LDAP_TLS_REJECT_UNAUTHORIZED=true |
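The two points from this page that most often go wrong in practice are the `{{username}}` substitution in LDAP_SEARCH_FILTER (the login name is user input and must be escaped before it is placed in a filter) and the TLS settings above. The following is an added example, not LibreChat's own code: `renderSearchFilter` applies RFC 4515 escaping to the substituted value, and `checkLdapConfig` reviews a loaded environment against the settings documented on this page. The function names and the sample environment are constructed for the example.

```javascript
// Added example (not LibreChat's own code). Escaping per RFC 4515: the characters
// \ * ( ) and NUL inside a filter value become \XX (two hex digits).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Substitute the literal {{username}} in LDAP_SEARCH_FILTER with the escaped login name,
// so a login name can never change the structure of the search filter.
function renderSearchFilter(template, username) {
  return template.split('{{username}}').join(escapeFilterValue(username));
}

// Review an environment object (as loaded from .env) against the settings on this page.
// Returns human-readable findings; an empty array means nothing stood out.
function checkLdapConfig(env) {
  const findings = [];
  for (const key of ['LDAP_URL', 'LDAP_USER_SEARCH_BASE']) {
    if (!env[key]) findings.push(`${key} is required`);
  }
  const url = env.LDAP_URL || '';
  if (url.startsWith('ldap://')) {
    findings.push('LDAP_URL uses plain ldap://; bind credentials and passwords cross the network unencrypted');
  }
  if (url.startsWith('ldaps://') && !env.LDAP_CA_CERT_PATH) {
    findings.push('ldaps:// without LDAP_CA_CERT_PATH; a certificate from an internal CA cannot be verified');
  }
  if (env.LDAP_TLS_REJECT_UNAUTHORIZED === 'false') {
    findings.push('LDAP_TLS_REJECT_UNAUTHORIZED=false disables server certificate verification');
  }
  const filter = env.LDAP_SEARCH_FILTER;
  if (filter && !filter.includes('{{username}}')) {
    findings.push('LDAP_SEARCH_FILTER has no {{username}} placeholder; the search does not depend on the login name');
  }
  if (env.LDAP_LOGIN_USES_USERNAME === 'true' && (!filter || filter.startsWith('mail='))) {
    findings.push('LDAP_LOGIN_USES_USERNAME=true but the search filter still matches on mail');
  }
  return findings;
}

// Constructed sample environment with the weak settings this page warns about.
const sampleEnv = {
  LDAP_URL: 'ldap://localhost:389',
  LDAP_USER_SEARCH_BASE: 'o=users,o=example.com',
  LDAP_TLS_REJECT_UNAUTHORIZED: 'false',
  LDAP_SEARCH_FILTER: 'mail={{username}}',
};
console.log(checkLdapConfig(sampleEnv));
console.log(renderSearchFilter(sampleEnv.LDAP_SEARCH_FILTER, 'j.doe*'));
```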