OpenTranscribe v0.4.1 - LDAP DN Fix & Keycloak PKI Compliance
We're releasing OpenTranscribe v0.4.1, a targeted patch that fixes a silent LDAP authentication failure for Active Directory users (issue #188) and adds Keycloak-as-PKI-broker support for government and FedRAMP deployments.
What's Fixed
LDAP Group Filtering Broken for Full AD DNs
If your organization uses full Active Directory Distinguished Names for group access control — for example:
```
LDAP_REQUIRED_USER_GROUPS=CN=Whisper_Users,CN=Users,DC=domain,DC=local
```
— then group filtering was silently failing. Users who should have been blocked by group membership requirements were being allowed in, and users who should have had access were being denied.
Root cause: Active Directory DNs use commas as structural separators inside each DN component. The previous code split group lists on commas, which shredded CN=Whisper_Users,CN=Users,DC=domain,DC=local into four useless fragments that could never match what the directory server returned.
Fix: Group lists now use semicolons as the multi-group separator. A single full DN containing no semicolons is treated as one group. Simple group names without = characters continue to work exactly as before.
```
# Single full DN — just paste it directly
LDAP_REQUIRED_USER_GROUPS=CN=Whisper_Users,CN=Users,DC=domain,DC=local

# Multiple groups — use semicolons
LDAP_REQUIRED_USER_GROUPS=CN=Whisper_Users,CN=Users,DC=domain,DC=local;CN=OtherGroup,DC=domain,DC=local
```
The same fix applies to LDAP_ADMIN_GROUPS and PKI_ADMIN_DNS.
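To make the root cause concrete, here is a small added example (not OpenTranscribe's own code) that re-implements the two parsing rules side by side and checks a constructed `memberOf` list against them; the bare-name and case-insensitive matching rules are assumptions of this example, not a description of the project's implementation.

```python
"""Hypothetical re-implementation of the v0.4.1 group-list rules (not OpenTranscribe's code)."""
from __future__ import annotations

# Constructed sample: memberOf values a directory might return for one user.
MEMBER_OF = [
    "CN=Whisper_Users,CN=Users,DC=domain,DC=local",
    "CN=Domain Users,CN=Users,DC=domain,DC=local",
]
SINGLE_DN = "CN=Whisper_Users,CN=Users,DC=domain,DC=local"
MULTI_DN = SINGLE_DN + ";CN=OtherGroup,DC=domain,DC=local"


def parse_groups_old(value: str) -> list[str]:
    """Pre-0.4.1 behaviour: split on commas, which shreds a full DN into fragments."""
    return [g.strip() for g in value.split(",") if g.strip()]


def parse_groups(value: str) -> list[str]:
    """v0.4.1 behaviour: semicolons separate groups; a lone DN stays one group."""
    return [g.strip() for g in value.split(";") if g.strip()]


def _leading_cn(dn: str) -> str:
    """Return the value of the first RDN (e.g. 'Whisper_Users' for 'CN=Whisper_Users,...')."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def user_allowed(required: list[str], member_of: list[str]) -> bool:
    """True when the user holds at least one required group.

    Entries containing '=' are full DNs and are compared whole; bare names are
    compared against the leading CN of each membership, mirroring the note that
    simple group names keep working. Matching is case-insensitive, as DNs are
    (assumption: this matching rule is ours, not necessarily the project's).
    """
    for req in required:
        if "=" in req:
            if any(req.casefold() == m.casefold() for m in member_of):
                return True
        elif any(req.casefold() == _leading_cn(m).casefold() for m in member_of):
            return True
    return False


if __name__ == "__main__":
    print(parse_groups_old(SINGLE_DN))                           # four fragments, none a real DN
    print(user_allowed(parse_groups_old(SINGLE_DN), MEMBER_OF))  # False: wrongly denied
    print(user_allowed(parse_groups(SINGLE_DN), MEMBER_OF))      # True
```

The old splitter turns the single DN into `CN=Whisper_Users`, `CN=Users`, `DC=domain`, `DC=local`, none of which can equal a DN the directory returns, so the legitimate member is denied; the semicolon rule keeps the DN intact and the same user is admitted.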
What's New
Keycloak as an X.509/PKI Broker (Government & FedRAMP)
Government agencies using CAC/PIV smart cards can now use Keycloak as the X.509 authentication broker — Keycloak validates the client certificate via mTLS, then injects certificate metadata into the OIDC token as claims. OpenTranscribe extracts those claims automatically and stores them on the user record.
Browser / CAC Reader → Keycloak (mTLS) → OIDC token with cert claims → OpenTranscribe
Both claim name forms are handled automatically:
| Short name | x509_cert_* alias |
|---|---|
| cert_dn | x509_cert_dn |
| cert_serial | x509_cert_serial |
| cert_issuer | x509_cert_issuer |
| cert_org | x509_cert_org |
Users whose certificate DN appears in PKI_ADMIN_DNS receive admin access regardless of their Keycloak realm role — letting government system owners control admin access via PKI policy rather than manual Keycloak role assignments.
Government certificates typically carry space-separated CNs in the form LastName FirstName emailusername. OpenTranscribe now parses this format and renders the display name correctly as First Last.
See the updated Keycloak Setup guide for step-by-step configuration.
Upgrade Notes
Update your LDAP group environment variables to use semicolons as the multi-group separator:
```
# Before (broken for full DNs)
LDAP_ADMIN_GROUPS=CN=Admins,CN=Users,DC=domain,DC=local,CN=SuperAdmins,DC=domain,DC=local

# After (correct)
LDAP_ADMIN_GROUPS=CN=Admins,CN=Users,DC=domain,DC=local;CN=SuperAdmins,DC=domain,DC=local
```
No database migrations are required.
How to Update
```
docker compose pull
docker compose up -d
```
Full Changelog
See CHANGELOG.md for the complete list of changes.
