LDAP Authentication
Calibre-Web Automated supports LDAP (Lightweight Directory Access Protocol) authentication, enabling seamless integration with enterprise directories like Active Directory, OpenLDAP, and other LDAP-compliant systems. This guide covers everything you need to know about configuring and using LDAP authentication in CWA.
CWA's LDAP implementation provides enterprise-grade authentication with the following features:
- ✅ Auto-User Creation: Automatically creates user accounts on first LDAP login (default: enabled)
- ✅ Default Permissions: New LDAP users inherit all default configuration settings
- ✅ Seamless Integration: Works with Active Directory, OpenLDAP, and LDAP-compliant systems
- ✅ API/OPDS Support: LDAP authentication works for API and OPDS access
- ✅ Enterprise Ready: Designed for corporate environments with centralized authentication
- ✅ Fallback Support: Can be combined with standard username/password authentication
- ✅ Comprehensive Logging: Detailed authentication logs for troubleshooting and auditing
- Log in as an Admin user
- Navigate to Admin Panel → Basic Configuration
- Scroll down to the LDAP Settings section
Configure your LDAP server connection:
```text
LDAP Server: ldap://your-ldap-server.com:389
LDAP Encryption: None (or SSL/TLS as required)
LDAP Base DN: dc=company,dc=com
LDAP User Object Filter: (&(objectClass=user)(sAMAccountName=%s))
LDAP Authentication: Simple Bind
```
✅ Enable "Auto-create users from LDAP" (enabled by default)
This allows LDAP users to automatically get accounts created on their first successful login, providing a seamless user experience.
- Test Configuration: Use a test LDAP user to verify connectivity
- Save Configuration: Click Submit to apply settings
- Restart CWA: Some LDAP changes may require a restart
When Auto-create users from LDAP is enabled (default):
- First Login: User authenticates successfully against LDAP server
- User Lookup: CWA checks if user account already exists
- Auto-Creation: If not found, creates new user with default settings
- Immediate Access: User is logged in automatically without manual account creation
New LDAP users automatically inherit all default configuration settings:
- Default Role: Configured role permissions
- Sidebar View: Default sidebar visibility settings
- Locale: Default interface language
- Default Language: Default book language filter
- Tag Restrictions: Default allowed/denied tags
- Content Restrictions: Default column restrictions
- Theme: Default CWA theme setting
- Kobo Sync: Default Kobo integration settings
This ensures LDAP users get the same permissions and interface settings as manually created users.
| Setting | Description | Example |
|---|---|---|
| LDAP Server | LDAP server hostname/IP and port | ldap://dc.company.com:389 |
| LDAP Encryption | Security level (None/SSL/TLS) | None (internal network) or SSL/TLS (external) |
| LDAP Base DN | Base Distinguished Name for searches | dc=company,dc=com |
| Setting | Description | Example |
|---|---|---|
| LDAP User Object Filter | LDAP query to find user objects | (&(objectClass=user)(sAMAccountName=%s)) |
| LDAP Authentication | Authentication method | Simple Bind (most common) |
| LDAP Admin Username | Admin DN for LDAP binding (if required) | cn=admin,dc=company,dc=com |
| LDAP Admin Password | Password for admin binding | [admin-password] |
| Setting | Description | Default |
|---|---|---|
| Auto-create users from LDAP | Enable automatic user creation | ✅ Enabled |
```text
LDAP Server: ldap://dc.company.com:389
LDAP Encryption: None (or SSL for external access)
LDAP Base DN: dc=company,dc=com
LDAP User Object Filter: (&(objectClass=user)(sAMAccountName=%s))
LDAP Authentication: Simple Bind
Auto-create users from LDAP: ✅ Enabled
```
Login Format: Users log in with their Active Directory username (e.g., john.doe)
```text
LDAP Server: ldap://openldap.company.com:389
LDAP Encryption: None (or TLS for security)
LDAP Base DN: ou=people,dc=company,dc=org
LDAP User Object Filter: (&(objectClass=inetOrgPerson)(uid=%s))
LDAP Authentication: Simple Bind
Auto-create users from LDAP: ✅ Enabled
```
Login Format: Users log in with their UID (e.g., jdoe)
```text
LDAP Server: ldap://ipa.company.com:389
LDAP Encryption: TLS (recommended)
LDAP Base DN: cn=users,cn=accounts,dc=company,dc=com
LDAP User Object Filter: (&(objectClass=person)(uid=%s))
LDAP Authentication: Simple Bind
Auto-create users from LDAP: ✅ Enabled
```
- Configure LDAP settings in the admin panel
- Test with known user: Try logging in with an existing LDAP user
- Check logs: Review CWA logs for authentication details
- Verify auto-creation: Confirm new user appears in user management
Cause: Incorrect server configuration or user credentials
Solution:
- Verify LDAP server is accessible from CWA
- Check LDAP Base DN and User Object Filter
- Test with LDAP admin tools (ldapsearch, etc.)
- Verify user exists in LDAP directory
Cause: Auto-creation is disabled or failed
Solution:
- Enable Auto-create users from LDAP in admin settings
- Check CWA logs for user creation errors
- Verify default user settings are configured
- Ensure database is writable
Cause: Default permissions not properly configured
Solution:
- Configure default role and permissions in Admin → Basic Configuration → Feature Configuration
- Auto-created LDAP users inherit these default settings
- Manually adjust individual user permissions as needed
Cause: Network connectivity or firewall issues
Solution:
- Verify LDAP server is reachable from CWA container
- Check firewall rules for LDAP ports (389/636)
- Test connectivity with tools like telnet or nc
Enable debug logging to troubleshoot LDAP issues:
- Set log level to Debug in admin panel
- Check container logs for detailed LDAP authentication flow
- Look for LDAP binding and search operations
- Review user creation process details
- Use TLS/SSL for LDAP connections when possible
- Restrict network access to LDAP servers using firewall rules
- Use dedicated service accounts for LDAP binding when required
- Monitor authentication logs for suspicious activity
- Review default permissions to ensure appropriate access levels
- Regularly audit auto-created accounts
- Implement account cleanup for terminated employees
- Use least-privilege principles for default role configuration
- Keep LDAP servers updated with security patches
- Use strong authentication methods when available
- Monitor LDAP server logs for authentication attempts
- Implement account lockout policies on LDAP server
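As an added example for the "Monitor authentication logs for suspicious activity" item above (not CWA's own code), a small review script that flags source addresses with a burst of failed LDAP binds against several usernames. The log line format and every entry in it are constructed for the example, so the regex has to be adapted to the lines your CWA container actually emits with Debug logging enabled.

```python
"""Added example, not CWA's own code. The log format and entries are
CONSTRUCTED; adapt LINE_RE to what your CWA container actually emits."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed shape: "<date> <time> <LEVEL> ldap: <outcome> user='<name>' ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) ldap: (?P<outcome>bind failed|bind ok|user created)"
    r" user='(?P<user>[^']*)' ip=(?P<ip>\S+)$"
)

SAMPLE_LOG = """\
2024-05-01 10:00:01 WARNING ldap: bind failed user='jdoe' ip=10.0.0.5
2024-05-01 10:00:03 WARNING ldap: bind failed user='jdoe' ip=10.0.0.5
2024-05-01 10:00:04 WARNING ldap: bind failed user='admin' ip=10.0.0.5
2024-05-01 10:00:06 WARNING ldap: bind failed user='svc-backup' ip=10.0.0.5
2024-05-01 10:00:07 WARNING ldap: bind failed user='jsmith' ip=10.0.0.5
2024-05-01 10:00:09 INFO ldap: bind ok user='jsmith' ip=10.0.0.5
2024-05-01 10:00:09 INFO ldap: user created user='jsmith' ip=10.0.0.5
2024-05-01 10:30:00 WARNING ldap: bind failed user='mlee' ip=192.168.1.20
2024-05-01 10:31:00 INFO ldap: bind ok user='mlee' ip=192.168.1.20
"""


def parse(lines):
    """Yield parsed events, skipping lines that are not LDAP auth records."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev


def flag_failure_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP with >= threshold failed binds inside one window to
    the sorted distinct usernames tried; several names from one address in a
    short span is the pattern to review first (a single typo is not)."""
    failures = defaultdict(list)
    for ev in parse(lines):
        if ev["outcome"] == "bind failed":
            failures[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                flagged[ip] = sorted({e["user"] for e in burst})
                break
    return flagged
```

Run it over the container log with `flag_failure_bursts(open("cwa.log"))` and pair the flagged addresses with the LDAP server's own bind log, as the server-side monitoring item above recommends.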
LDAP authentication can be used alongside other authentication methods:
- Standard Authentication: Users can still log in with CWA passwords
- OAuth Integration: Combine LDAP with OAuth providers
- Reverse Proxy: Use LDAP with reverse proxy authentication
- Configure LDAP settings with auto-creation enabled
- Test with pilot users to verify configuration
- Communicate changes to all users
- Gradually migrate users to LDAP authentication
- Maintain standard auth as fallback during transition
When switching to LDAP:
- Existing users keep passwords: They can still use standard login
- LDAP users auto-created: New accounts created for LDAP users
- Manual linking: Admin can manually link LDAP users to existing accounts if needed
LDAP users can authenticate for API and OPDS access:
- OPDS Feeds: Use LDAP credentials for OPDS authentication
- API Endpoints: LDAP authentication works for REST API access
- Auto-Creation: API/OPDS access also triggers auto-creation
- Consistent Experience: Same authentication across web and API
OPDS Authentication:
```text
URL: https://your-cwa.com/opds
Username: [LDAP username]
Password: [LDAP password]
```
API Authentication:
```bash
curl -u "ldap-user:ldap-password" https://your-cwa.com/api/v1/books
```
Customize LDAP queries for specific directory structures:
| Directory Type | Recommended Filter |
|---|---|
| Active Directory | (&(objectClass=user)(sAMAccountName=%s)) |
| OpenLDAP | (&(objectClass=inetOrgPerson)(uid=%s)) |
| FreeIPA | (&(objectClass=person)(uid=%s)) |
| Custom | Adjust based on your LDAP schema |
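The `%s` in each filter above is the placeholder for the login name. The following added example (not CWA's own code; `escape_filter_value` and `build_user_filter` are hypothetical names) shows how such a template becomes a concrete search filter with the name hex-escaped per RFC 4515, which is the kind of input validation the "protection against LDAP injection" feature refers to: a wildcard or parenthesis typed into the login box is matched as a literal character and cannot alter the filter's structure.

```python
"""Added example, not CWA's own code: turn a CWA-style 'LDAP User Object
Filter' template into a concrete search filter with the login name escaped
per RFC 4515, so user input cannot change the filter's structure."""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Hex-escape every RFC 4515 special character in a filter assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the escaped login name for the single %s placeholder.

    The template is admin-configured and trusted; only the username comes from
    the login form, so only the username is escaped. Malformed templates and
    empty or oversized names are rejected before the directory is queried.
    """
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    if not username or len(username) > 256:
        raise ValueError("username missing or too long")
    return template.replace("%s", escape_filter_value(username))


# Templates from the directory table above.
AD_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"
OPENLDAP_FILTER = "(&(objectClass=inetOrgPerson)(uid=%s))"
FREEIPA_FILTER = "(&(objectClass=person)(uid=%s))"

if __name__ == "__main__":
    print(build_user_filter(AD_FILTER, "john.doe"))
    # A wildcard or parenthesis in the login name stays a literal character:
    print(build_user_filter(OPENLDAP_FILTER, "j*"))
    print(build_user_filter(FREEIPA_FILTER, "(test)"))
```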
For large LDAP directories:
- Use specific Base DNs to limit search scope
- Optimize user object filters for faster queries
- Consider LDAP indexing on frequently queried attributes
- Monitor LDAP server performance during peak usage
- ✅ Auto-User Creation: Automatic account creation for LDAP users (enabled by default)
- ✅ Default Permissions Inheritance: LDAP users inherit all default configuration settings
- ✅ Enhanced API Support: LDAP authentication for OPDS and API access with auto-creation
- ✅ Improved Error Handling: Better error messages and logging for LDAP issues
- ✅ Security Enhancements: Input validation and protection against LDAP injection
- ✅ Enterprise Integration: Optimized for corporate environment requirements
- Group-based Role Assignment: Automatic role assignment based on LDAP group membership
- User Attribute Synchronization: Sync user details from LDAP directory
- Advanced Group Mapping: Support for multiple roles beyond admin/user
- LDAP Schema Validation: Automatic detection and validation of LDAP schemas
- Check Logs: Enable debug logging and review container logs
- Test Configuration: Verify LDAP server connectivity and settings
- Community Support: Join our Discord for help
- GitHub Issues: Report bugs or request features on GitHub
- ldapsearch: Command-line LDAP search utility
- Apache Directory Studio: GUI LDAP browser and editor
- JXplorer: Cross-platform LDAP browser
- LDAP Admin: Windows LDAP administration tool
This documentation covers CWA's enhanced LDAP authentication implementation. For additional help, please visit our Discord community or check the GitHub repository.