discourse-ldap-auth
Add groups from LDAP
It would be nice to have a group sync between LDAP and Discourse, i.e. when creating a new user on Discourse, assign it to the Discourse groups matching the groups on LDAP. What would be the best way to do this?
If you are using the list user create mode, you can specify groups in your ldap_user.yml and they will automatically be populated on user creation. Currently, the plugin does not support assigning Discourse groups directly from LDAP Groups.
Is this something you thought about doing or could be contributed? I'm not really well versed in ruby but I could give it a go.
Should all groups sync? What if the group doesn't exist in Discourse? Can you give your example use case for this feature? I.e. what types of LDAP groups you want to sync with Discourse.
IMO only already existing groups should sync (on Discourse-side). Or it could do what it does for users, user choice between:
- Create groups
- Create groups only in whitelist
- Don't create groups (assign only)
You could probably specify a root DN under which all groups are, and/or a LDAP filter.
I'm also not really well versed in ruby, but if someone could give me a rough outline I could try out a PR as well. Looking at the code it wasn't clear how to get omniauth to return the groups so the plugin has access in the LDAPUser constructor or the auth_result function.
@wburningham From my recollection, what is passed back from omniauth is fixed. You can see what is returned by "putting" the auth_info in either plugin.rb or LDAPUser, e.g. puts auth_info, which should print to the log.
This would be a very useful feature! My thoughts on how it could work are as follows:
- Manually specify a mapping of "group name" : "LDAP group" for allowed groups
- When a user logs in their LDAP login is checked against each of the specified LDAP groups and if they're a member of that LDAP group they're added to the corresponding discourse group and if they're not a member of that group they're removed from the corresponding discourse group.
That would enable the group membership to stay in sync with the LDAP groups. If that would slow down the login too much, the group membership check could just be done at account creation time, with a "cleanup task" which could be run periodically to keep things in sync.
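The membership sync sketched in the post above, combined with the group-creation modes suggested earlier in the thread (create all, create only whitelisted, assign only), as an added Ruby example. This is illustration code written for this thread, not code from discourse-ldap-auth or omniauth-ldap. It assumes the user's LDAP group DNs (the memberOf values) have already been obtained, which, as noted later in the thread, the stock omniauth-ldap does not yet provide; the mapping, the sample DNs and the group names are constructed for the example.

```ruby
# Added example: compute the Discourse group changes implied by a user's LDAP
# group membership. Illustration only, not the plugin's own code. The mapping,
# the sample memberOf values and the group names below are constructed.

require 'set'

# Discourse group name => LDAP group DN. Assumed to come from plugin
# configuration; constructed here for the example.
GROUP_MAPPING = {
  'staff'      => 'cn=discourse-staff,ou=groups,dc=example,dc=org',
  'developers' => 'cn=developers,ou=groups,dc=example,dc=org',
  'auditors'   => 'cn=auditors,ou=groups,dc=example,dc=org',
}.freeze

# LDAP DNs are case-insensitive and directories often return them with mixed
# case and stray whitespace, so compare a normalized form.
def normalize_dn(dn)
  dn.to_s.downcase.gsub(/\s*,\s*/, ',').strip
end

# Given the user's LDAP memberOf values, the user's current Discourse groups
# and the set of groups that exist in Discourse, decide which groups to
# create, which to add the user to and which to remove the user from.
#
# create_mode mirrors the options proposed in the thread:
#   :none      - never create groups, only assign existing ones
#   :whitelist - create a missing mapped group only if it is whitelisted
#   :all       - create any missing mapped group
def plan_group_sync(member_of, current_groups, existing_groups,
                    mapping: GROUP_MAPPING, create_mode: :none, whitelist: [])
  ldap_groups = member_of.map { |dn| normalize_dn(dn) }.to_set
  managed     = mapping.keys.to_set # only mapped groups are ever touched

  # Discourse groups the user is entitled to according to LDAP.
  should_have = mapping.select { |_, dn| ldap_groups.include?(normalize_dn(dn)) }
                       .keys.to_set

  to_create = should_have.reject { |g| existing_groups.include?(g) }.select do |g|
    case create_mode
    when :all       then true
    when :whitelist then whitelist.include?(g)
    else false
    end
  end.to_set

  assignable = should_have & (existing_groups.to_set | to_create)

  {
    create: to_create.sort,
    add:    (assignable - current_groups.to_set).sort,
    # Only revoke membership in groups this mapping manages; groups assigned
    # by hand in Discourse (outside the mapping) are left alone.
    remove: ((current_groups.to_set & managed) - should_have).sort,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: mixed-case DN as a directory might return it.
  member_of = [
    'CN=Developers,OU=Groups,DC=example,DC=org',
    'cn=auditors,ou=groups,dc=example,dc=org',
  ]
  plan = plan_group_sync(member_of, %w[staff trust_level_2], %w[staff developers],
                         create_mode: :whitelist, whitelist: %w[auditors])
  puts plan.inspect
end
```

The removal step is deliberately limited to groups that appear in the mapping, so a periodic cleanup task built on this logic cannot strip memberships that were granted manually in Discourse.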
Did something happen in this case in the past 6 months?
Looks like there is an outstanding PR in omniauth-ldap that is necessary in order to implement this change: Add options to retrieve LDAP group membership.
Unfortunately, this would require a code change to a dependent library so there is not much we can do. We could remove the dependency on omniauth-ldap and use something else, but I think the risk outweighs the benefits. Let me know if you guys have any other ideas.
Is there an update on the progress available?
We have moved to discourse-saml in the meantime, so our interest waned. :(
We have successfully implemented it in discourse-ldap-auth, but currently it still requires a forked version of omniauth-ldap. I have tried to contact the maintainers, but the project doesn't really seem to be active anymore.
Thank you for doing this! It's exactly what I've been seeking for years. Any information on which fork or how to apply it?