ldap

docs/features/auth/ldap.mdx

@@ -131,7 +131,11 @@ LDAP_APP_PASSWORD="admin"
 LDAP_SEARCH_BASE="dc=example,dc=org"
 LDAP_ATTRIBUTE_FOR_USERNAME="uid"
 LDAP_ATTRIBUTE_FOR_MAIL="mail"
-LDAP_SEARCH_FILTER="(uid=%(user)s)" # More secure and performant
+# LDAP_SEARCH_FILTER is optional and used for additional filtering conditions.
+# The username filter is automatically added by Open WebUI, so do NOT include 
+# user placeholder syntax like %(user)s or %s - these are not supported.
+# Leave empty for simple setups, or add group membership filters, e.g.:
+# LDAP_SEARCH_FILTER="(memberOf=cn=allowed-users,ou=groups,dc=example,dc=org)"
 ```
 
 ### UI Configuration

docs/getting-started/env-configuration.mdx

@@ -4620,13 +4620,13 @@ This is useful when you need a JWT access token for downstream validation or whe
 
 - Type: `str`
 - Default: `None`
-- Description: Sets a single filter to use for LDAP search. Alternative to `LDAP_SEARCH_FILTERS`.
+- Description: Sets additional filter conditions for LDAP user search. This filter is **appended** to the automatically-generated username filter. Open WebUI automatically constructs the username portion of the filter using `LDAP_ATTRIBUTE_FOR_USERNAME`, so you should **not** include user placeholders like `%(user)s` or `%s` — these are not supported. Use this for additional conditions such as group membership restrictions (e.g., `(memberOf=cn=allowed-users,ou=groups,dc=example,dc=com)`). Alternative to `LDAP_SEARCH_FILTERS`.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 
 #### `LDAP_SEARCH_FILTERS`
 
 - Type: `str`
-- Description: Sets the filter to use for LDAP search.
+- Description: Sets additional filter conditions for LDAP user search. This is an alias for `LDAP_SEARCH_FILTER`. The filter is appended to the automatically-generated username filter — do **not** include user placeholders like `%(user)s` or `%s`.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 
 #### `LDAP_USE_TLS`