
LDAP integration functionality

Open erevodifosin opened this issue 3 years ago • 3 comments

Implements functionality for authentication via LDAP. Tested on MS Active Directory.

erevodifosin avatar Dec 13 '21 15:12 erevodifosin

@erevodifosin - Great addition! I have some points that would need to be looked into before we could consider merging.

  • [ ] - Documentation - Any potential changes / additions will need to have some surrounding documentation. This is important so the feature can be tested, if it is not possible to cover it in unit / integration tests.
  • [ ] - Tests - Is there an easy way to spin up an LDAP server to test this locally (i.e. inside of Docker)? This would be a great addition to the docs as well as allow us to add automated tests to verify functionality.
  • [ ] - ENV vs DB configuration - from what I gather looking at the current implementation, it would be ideal to add these LDAP configuration options as an Identity Provider option in the GUI, to more dynamically configure / update the LDAP configuration, enabling / disabling. This would likely be possible by creating a new Model to store LDAPConfig.

I would be happy to help add the GUI options / LDAP model that would make LDAP configurable from the Admin Page, but would need to know the steps to start a very basic but functional LDAP server that we could connect to.

codemation avatar Dec 22 '21 22:12 codemation

This is my very first PR ever, so bear with me, please.

  • I will add the documentation. I added some info in README.md, but my lack of knowledge of git led me to delete this info.
  • ENV vs DB. I saw systems that used ENV variables, others use plain-text or config files (like self-hosted GitLab, Observium), others use UI and DB records (like self-hosted Jira, Keycloak). It depends on the implementation of the system.
  • Tests. This looks simple and easy to use. I have no experience with Docker.

In order for the system to be versatile we need the settings below.

  • LDAP server = IP or FQDN
  • LDAP domain = Domain
  • LDAP port = TCP port, usually 389 (636 SSL)
  • LDAP SSL = True or False
  • LDAP Base DN = Base DN to find the users
  • LDAP username attribute = which LDAP attribute contains the Username
  • LDAP first name attribute = which LDAP attribute contains the First name
  • LDAP last name attribute = which LDAP attribute contains the Last name
  • LDAP email attribute = which LDAP attribute contains the Email.

Username, first name, last name and email LDAP attributes may vary between LDAP server implementations. (I hardcoded some of them in my PR, but it is easy to change in the future.)

erevodifosin avatar Dec 23 '21 20:12 erevodifosin

Happy New Year! In case you missed it, I already added the LDAP config in the Docs.

Another thing that came to my mind is that we could do a mapping between easyauth groups and LDAP groups. So users will get their permission level based on the LDAP groups they are in.

erevodifosin avatar Jan 04 '22 12:01 erevodifosin
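The settings list in the Dec 23 comment and the group-mapping idea in the Jan 04 comment can be sketched together. The following is an added example written for this thread, not easyauth's code or anything from the PR: it loads the proposed `LDAP_*` settings from an environment mapping, validates port/SSL consistency, builds the user lookup filter with RFC 4515 escaping so a typed username cannot alter the filter, and maps `memberOf` DNs to easyauth groups. The attribute defaults (`sAMAccountName`, `givenName`, `sn`, `mail`), the `LDAP_*` variable names, the `LDAP_GROUP_MAP` format and the sample values are all assumptions constructed for the example.

```python
"""Added example (not easyauth's own code): validated LDAP settings,
an injection-safe user filter and LDAP-group -> easyauth-group mapping."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Mapping

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before embedding it in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_dn(dn: str) -> str:
    """Lowercase a DN and strip whitespace around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _parse_bool(raw: str) -> bool:
    return raw.strip().lower() in {"1", "true", "yes", "on"}


def _parse_group_map(raw: str) -> Dict[str, str]:
    """Constructed format: 'easyauth_group|GROUP_DN;easyauth_group|GROUP_DN'."""
    mapping: Dict[str, str] = {}
    for entry in filter(None, raw.split(";")):
        group, dn = entry.split("|", 1)
        mapping[normalize_dn(dn)] = group.strip()
    return mapping


@dataclass
class LDAPConfig:
    server: str            # IP or FQDN
    domain: str
    base_dn: str           # where user entries are searched
    port: int = 389        # 389 plaintext/STARTTLS, 636 LDAPS
    ssl: bool = False
    username_attr: str = "sAMAccountName"   # AD default; assumption
    first_name_attr: str = "givenName"
    last_name_attr: str = "sn"
    email_attr: str = "mail"
    group_map: Dict[str, str] = field(default_factory=dict)  # normalized DN -> easyauth group

    def __post_init__(self) -> None:
        if not 1 <= self.port <= 65535:
            raise ValueError(f"invalid LDAP port {self.port}")
        if self.port == 636 and not self.ssl:
            raise ValueError("port 636 is the LDAPS port; LDAP_SSL must be true")
        self.group_map = {normalize_dn(k): v for k, v in self.group_map.items()}

    @classmethod
    def from_env(cls, env: Mapping[str, str]) -> "LDAPConfig":
        return cls(
            server=env["LDAP_SERVER"],
            domain=env["LDAP_DOMAIN"],
            base_dn=env["LDAP_BASE_DN"],
            port=int(env.get("LDAP_PORT", "389")),
            ssl=_parse_bool(env.get("LDAP_SSL", "false")),
            username_attr=env.get("LDAP_USERNAME_ATTR", "sAMAccountName"),
            first_name_attr=env.get("LDAP_FIRST_NAME_ATTR", "givenName"),
            last_name_attr=env.get("LDAP_LAST_NAME_ATTR", "sn"),
            email_attr=env.get("LDAP_EMAIL_ATTR", "mail"),
            group_map=_parse_group_map(env.get("LDAP_GROUP_MAP", "")),
        )

    def url(self) -> str:
        return f"{'ldaps' if self.ssl else 'ldap'}://{self.server}:{self.port}"

    def user_filter(self, username: str) -> str:
        """Search filter for the login name; the value is escaped, never interpolated raw."""
        return f"({self.username_attr}={escape_filter_value(username)})"

    def easyauth_groups(self, member_of: Iterable[str]) -> List[str]:
        """Translate the user's memberOf DNs into easyauth group names (sorted, unique)."""
        found = {self.group_map[normalize_dn(dn)]
                 for dn in member_of if normalize_dn(dn) in self.group_map}
        return sorted(found)


# Constructed sample environment; no real directory is involved.
CONSTRUCTED_ENV = {
    "LDAP_SERVER": "ldap.example.com",
    "LDAP_DOMAIN": "example.com",
    "LDAP_PORT": "636",
    "LDAP_SSL": "true",
    "LDAP_BASE_DN": "OU=Users,DC=example,DC=com",
    "LDAP_GROUP_MAP": ("administrators|CN=easyauth-admins,OU=Groups,DC=example,DC=com;"
                       "users|CN=easyauth-users,OU=Groups,DC=example,DC=com"),
}

if __name__ == "__main__":
    cfg = LDAPConfig.from_env(CONSTRUCTED_ENV)
    print(cfg.url(), cfg.user_filter("j.doe"),
          cfg.easyauth_groups(["CN=EasyAuth-Admins,OU=Groups,DC=example,DC=com"]))
```

The escaping step is the part worth keeping whatever storage (ENV or DB model) the settings end up in: the username is the one value an unauthenticated caller controls, and it goes straight into the search filter.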

I did not find a predictable way of creating an LDAP server within tests, and do not have the time to research this. I will close this PR for now until we can ensure the features are tested.

codemation avatar Aug 17 '22 21:08 codemation

I am using this Docker image: https://github.com/osixia/docker-openldap It works very well. @erevodifosin: don't you also need an "LDAP bind user login" and "LDAP bind user password" in your config to retrieve the directory tree?

marc-odp avatar Oct 09 '22 13:10 marc-odp

@codemation: Why is there a need to create an LDAP server? Even without Docker, it is possible to use an online LDAP test server: https://www.forumsys.com/2022/05/10/online-ldap-test-server/

marc-odp avatar Oct 09 '22 13:10 marc-odp