From c2975c80c2b7bcd6767a2bebb3fea27d1d5a030e Mon Sep 17 00:00:00 2001
From: DrMelone <27028174+Classic298@users.noreply.github.com>
Date: Tue, 30 Dec 2025 15:45:03 +0100
Subject: [PATCH] ldap
---
 docs/features/auth/ldap.mdx | 6 +++++-
 docs/getting-started/env-configuration.mdx | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/features/auth/ldap.mdx b/docs/features/auth/ldap.mdx
index 02500063..c0dbd407 100644
--- a/docs/features/auth/ldap.mdx
+++ b/docs/features/auth/ldap.mdx
@@ -131,7 +131,11 @@ LDAP_APP_PASSWORD="admin"
 LDAP_SEARCH_BASE="dc=example,dc=org"
 LDAP_ATTRIBUTE_FOR_USERNAME="uid"
 LDAP_ATTRIBUTE_FOR_MAIL="mail"
-LDAP_SEARCH_FILTER="(uid=%(user)s)" # More secure and performant
+# LDAP_SEARCH_FILTER is optional and used for additional filtering conditions.
+# The username filter is automatically added by Open WebUI, so do NOT include
+# user placeholder syntax like %(user)s or %s - these are not supported.
+# Leave empty for simple setups, or add group membership filters, e.g.:
+# LDAP_SEARCH_FILTER="(memberOf=cn=allowed-users,ou=groups,dc=example,dc=org)"
 ```
 ### UI Configuration
diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx
index 93c44ca0..4eb7836f 100644
--- a/docs/getting-started/env-configuration.mdx
+++ b/docs/getting-started/env-configuration.mdx
@@ -4620,13 +4620,13 @@ This is useful when you need a JWT access token for downstream validation or whe
 - Type: `str`
 - Default: `None`
-- Description: Sets a single filter to use for LDAP search. Alternative to `LDAP_SEARCH_FILTERS`.
+- Description: Sets additional filter conditions for LDAP user search. This filter is **appended** to the automatically-generated username filter. Open WebUI automatically constructs the username portion of the filter using `LDAP_ATTRIBUTE_FOR_USERNAME`, so you should **not** include user placeholders like `%(user)s` or `%s` — these are not supported. Use this for additional conditions such as group membership restrictions (e.g., `(memberOf=cn=allowed-users,ou=groups,dc=example,dc=com)`). Alternative to `LDAP_SEARCH_FILTERS`.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 #### `LDAP_SEARCH_FILTERS`
 - Type: `str`
-- Description: Sets the filter to use for LDAP search.
+- Description: Sets additional filter conditions for LDAP user search. This is an alias for `LDAP_SEARCH_FILTER`. The filter is appended to the automatically-generated username filter — do **not** include user placeholders like `%(user)s` or `%s`.
 - Persistence: This environment variable is a `PersistentConfig` variable.
 #### `LDAP_USE_TLS`