LDAP Authentication
Authenticate users against LDAP directories like Active Directory, OpenLDAP, Authentik, and other LDAP-compliant systems.
requires v1.3.x or newer
Basic Configuration
Configuration Options
| Option | Default | Description |
|---|---|---|
| enabled | false | Enable LDAP authentication |
| server | required | LDAP server URL (ldap://host:389 or ldaps://host:636) |
| baseDN | required | LDAP search base DN (e.g., dc=example,dc=com) |
| userDN | required | Bind DN for the service account |
| userPassword | required | Password for the service account |
| userFilter | (&(cn=%s)(objectClass=user)) | Search filter for finding users |
| userIdentifier | "" | LDAP attribute to use as the username (e.g., mail, sAMAccountName) |
| groupsClaim | memberOf | LDAP attribute containing group memberships |
| adminGroup | "" | LDAP group DN or CN that grants admin privileges |
| userGroups | [] | List of allowed groups (empty = allow all) |
| disableVerifyTLS | false | Disable TLS certificate verification (testing only!) |
| logoutRedirectUrl | "" | URL to redirect to after logout |
How It Works
- The user enters a username and password on the login page
- FileBrowser searches the LDAP directory for the user using the service account
- FileBrowser attempts to bind (authenticate) as the user with the provided password
- On success, FileBrowser extracts groups from the LDAP attributes
- The user is created automatically if needed and logged in with a FileBrowser session token
Server URL Format
Standard LDAP (Unencrypted)
Default port: 389
LDAPS (TLS/SSL Encrypted)
Default port: 636
Production Recommendation: Always use ldaps:// (LDAP over TLS) in production to encrypt authentication credentials in transit.
Custom Ports
User Filter Examples
The userFilter determines how FileBrowser searches for users. Use %s as a placeholder for the username.
Active Directory
OpenLDAP / Standard LDAP
Authentik
Email-Based Login
Multiple Criteria
Require the user to be in a specific OU:
User Identifier Mapping
By default, FileBrowser uses the login username. You can map a different LDAP attribute to be the FileBrowser username:
Use Email as Username
Active Directory - Use sAMAccountName
Note: The userIdentifier attribute must be included in the LDAP search attributes. FileBrowser automatically adds it to the search request.
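The search step described above, as an added example that is not FileBrowser's own code: it substitutes the login name into the configured userFilter with RFC 4515 escaping (so a name containing `*`, `(` or `)` is matched literally instead of rewriting the filter), runs the search, requires exactly one result, and maps the userIdentifier attribute to the FileBrowser username. The in-memory directory, the minimal filter evaluator (only `&`, `|` and equality, attribute names lower-cased, values compared case-insensitively) and the status strings are constructed for this illustration; a real deployment sends the filter to the LDAP server. The second "alice" entry is there to reproduce the "multiple entries for user" outcome from the troubleshooting section.

```python
"""Search-then-bind user lookup with RFC 4515 filter escaping (illustrative)."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values

# RFC 4515: these characters must be escaped when a value is placed in a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Fill the %s placeholder of the configured userFilter with the escaped login name."""
    return template.replace("%s", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int = 0):
    """Parse the subset (&...), (|...), (attr=value) used by the page's filter examples."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i} in {f!r}")
    i += 1
    if f[i] in "&|":
        op, i, children = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            children.append(node)
        if f[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = f.index(")", i)  # escaped parens are \28 / \29, so this is the real close
    attr, value = f[i:j].split("=", 1)
    return ("=", attr.lower(), _unescape(value)), j + 1


def _matches(node, entry: Entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    # Assumption of this example: values compared case-insensitively (cn, mail, ...).
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(directory: List[Entry], ldap_filter: str) -> List[Entry]:
    node, end = _parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters in filter")
    return [e for e in directory if _matches(node, e)]


def resolve_user(directory: List[Entry], template: str, username: str,
                 user_identifier: str = "") -> Tuple[str, Optional[str]]:
    """Return (status, filebrowser_username); status strings mirror the page's errors."""
    found = search(directory, build_user_filter(template, username))
    if not found:
        return "user not found", None
    if len(found) > 1:
        return f"multiple entries for user: {username}", None
    entry = found[0]
    if user_identifier:  # map e.g. mail or sAMAccountName to the FileBrowser username
        values = entry.get(user_identifier.lower())
        if not values:
            return f"attribute {user_identifier} missing on entry", None
        return "ok", values[0]
    return "ok", username


# Constructed sample directory: two users share cn=alice in different OUs,
# plus a device object that must not match a user filter.
DIRECTORY: List[Entry] = [
    {"dn": ["cn=alice,ou=users,dc=example,dc=com"], "cn": ["alice"],
     "samaccountname": ["alice"], "mail": ["alice@example.com"],
     "objectclass": ["top", "person", "user"]},
    {"dn": ["cn=alice,ou=contractors,dc=example,dc=com"], "cn": ["alice"],
     "samaccountname": ["alice.c"], "mail": ["alice.c@example.com"],
     "objectclass": ["top", "person", "user"]},
    {"dn": ["cn=printer1,ou=devices,dc=example,dc=com"], "cn": ["printer1"],
     "objectclass": ["top", "device"]},
]

if __name__ == "__main__":
    print(resolve_user(DIRECTORY, "(&(cn=%s)(objectClass=user))", "alice"))
    print(resolve_user(DIRECTORY, "(&(sAMAccountName=%s)(objectClass=user))", "alice", "mail"))
```

With the default cn-based filter the duplicate entries trigger the "multiple entries" error; switching to sAMAccountName, as the troubleshooting section suggests, narrows the search to one entry, and userIdentifier then supplies the e-mail address as the FileBrowser username. A login name such as `*)(objectClass=*` is escaped before substitution and simply yields "user not found".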
Group-Based Authorization
Admin Group
Automatically grant admin privileges to users in a specific LDAP group:
FileBrowser matches both:
- Full DN: cn=Admins,ou=groups,dc=example,dc=com
- CN value: Admins
Restrict to Specific Groups
Only allow users in specific LDAP groups:
Users not in these groups will be denied access even with valid LDAP credentials.
Custom Groups Attribute
Change which LDAP attribute contains groups (default: memberOf):
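The group rules from this section (adminGroup and userGroups accept either a full group DN or a bare CN value; an empty userGroups list allows everyone; the attribute read is whatever groupsClaim names), as an added example that is not FileBrowser's own matching code. It assumes entries are dictionaries with lower-cased attribute names, compares DNs case-insensitively, and splits DNs on plain commas (escaped commas in RDN values are not handled); all sample entries are constructed.

```python
"""Group-based authorization from the configured groups attribute (illustrative)."""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def _rdn_value(dn: str, attr: str = "cn") -> str:
    """Value of the first RDN named attr, e.g. cn=Admins,ou=groups,... -> Admins."""
    for rdn in dn.split(","):  # simplification: no escaped commas
        name, _, value = rdn.strip().partition("=")
        if name.strip().lower() == attr and value:
            return value.strip()
    return ""


def group_matches(member_dn: str, configured: str) -> bool:
    """True when the configured value equals the full DN or just the CN of member_dn."""
    if not configured:
        return False
    wanted = configured.strip().lower()
    # Assumption of this example: DNs and CNs compared case-insensitively.
    return wanted == member_dn.strip().lower() or wanted == _rdn_value(member_dn).lower()


def authorize(entry: Entry, groups_claim: str, admin_group: str,
              user_groups: List[str]) -> Tuple[bool, bool]:
    """Return (allowed, is_admin) for an entry that already passed the user bind."""
    memberships = entry.get(groups_claim.lower(), [])
    is_admin = any(group_matches(g, admin_group) for g in memberships)
    if not user_groups:
        allowed = True  # empty userGroups = allow all authenticated LDAP users
    else:
        allowed = any(group_matches(g, cfg) for g in memberships for cfg in user_groups)
    return allowed, is_admin


# Constructed sample entries (memberOf values as an AD-style directory returns them).
ADMIN = {"cn": ["alice"], "memberof": ["cn=Admins,ou=groups,dc=example,dc=com",
                                       "cn=Staff,ou=groups,dc=example,dc=com"]}
STAFF = {"cn": ["bob"], "memberof": ["cn=Staff,ou=groups,dc=example,dc=com"]}
GUEST = {"cn": ["eve"], "memberof": ["cn=Guests,ou=groups,dc=example,dc=com"]}
NO_GROUPS = {"cn": ["mallory"]}

if __name__ == "__main__":
    for who in (ADMIN, STAFF, GUEST, NO_GROUPS):
        print(who["cn"][0], authorize(who, "memberOf", "Admins", ["Staff", "Admins"]))
```

A user with no groups attribute at all is denied as soon as userGroups is non-empty, which is the behaviour to expect when groupsClaim names an attribute the directory does not return; that case is what the "Group Authorization Not Working" troubleshooting entry points at.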
Provider Examples
Authentik
Active Directory
OpenLDAP
FreeIPA
TLS Configuration
Disable TLS Verification (Testing Only)
Security Warning: Only use for testing with self-signed certificates. Never use in production!
Production TLS Setup
For production with self-signed certificates, add the CA certificate to your system’s trust store instead of disabling verification.
Environment Variables Best Practice
Store sensitive credentials in environment variables:
Reference in config:
Advanced Configuration
Multiple OUs (Organizational Units)
Search across multiple OUs by adjusting the baseDN:
Or search specific OU:
Nested Group Search
Active Directory supports nested groups in memberOf. FileBrowser uses the memberOf values directly, so nested group membership should work automatically in most cases.
Troubleshooting
Connection Issues
Problem: LDAP connection failed
Solutions:
- Verify the server URL and port (389 for ldap://, 636 for ldaps://)
- Check that firewall rules allow the connection to the LDAP server
- For ldaps://, ensure the TLS certificate is valid or use disableVerifyTLS: true for testing
- Test the connection with ldapsearch:
  ldapsearch -x -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
“LDAP bind (service) failed”
Cause: Service account credentials are incorrect.
Solutions:
- Verify userDN and userPassword are correct
- Check that the service account has read permissions in LDAP
- Ensure the service account is not locked or expired
- Test the bind manually with ldapsearch
“user not found”
Cause: User search returned no results.
Solutions:
- Verify baseDN includes the user's location
- Check that userFilter matches your LDAP schema
- Test the search with ldapsearch:
- Try different user filter patterns (see the examples above)
“LDAP bind (user) failed”
Cause: User password is incorrect.
Solution: User entered wrong password. This is the expected error for incorrect credentials.
Multiple Entries Error
Problem: multiple entries for user: username
Cause: User search returns multiple LDAP entries.
Solutions:
- Make userFilter more specific so it returns only one entry
- Add an objectClass filter: userFilter: "(&(cn=%s)(objectClass=user))"
- Narrow baseDN to a specific OU: baseDN: "ou=users,dc=example,dc=com"
Group Authorization Not Working
Problem: Users not getting admin rights or being blocked by userGroups
Solutions:
- Check that groupsClaim matches your LDAP attribute (default: memberOf)
- Verify the groups in the LDAP entry:
- Use the full DN or just the CN value for adminGroup and userGroups
- Check the FileBrowser logs for group matching details
User Creation Fails
Users are now automatically created on first login.
Security Best Practices
Security Checklist:
✅ Use ldaps:// (LDAP over TLS) in production
✅ Use a dedicated service account with read-only permissions
✅ Store credentials in environment variables
✅ Configure userGroups to restrict access
✅ Use a specific userFilter to prevent ambiguous matches
✅ Monitor failed login attempts
✅ Regularly rotate the service account password
Service Account Permissions
The LDAP service account needs:
- ✅ Read access to user objects in baseDN
- ✅ Read access to group membership attributes
- ❌ Does NOT need write access
- ❌ Does NOT need admin privileges
Testing Your Setup
1. Test LDAP Connection
2. Check FileBrowser Startup
Look for in logs:
3. Test Login
- Go to FileBrowser login page
- Enter LDAP username and password
- Check logs for detailed authentication flow
4. Verify User Creation
Users are automatically created on first login. Check User Management to verify.
Migration from Password Auth
You can run LDAP alongside password authentication:
Users can choose their auth method:
- Existing password users continue with username/password
- New LDAP users authenticate via LDAP and are auto-created
- Admins can migrate users by changing their loginMethod
Performance Considerations
- LDAP authentication requires a network round-trip to the LDAP server
- Consider using connection pooling (handled automatically)
- For large directories, use an efficient userFilter and a narrow baseDN
- Session tokens avoid repeated LDAP lookups after the initial login