LDAP Integration #119
Is this just an idea, or a feature you plan to use when it gets ready? |
It is a really good feature. |
This is a feature request. Libreboard would need a settings/configuration page to add LDAP authentication. Currently the authentication is against the application database. Having the ability to delegate authentication to LDAP allows all users in an organization to have immediate access, rather than requiring each user to register their own account. |
It would be nice if, in that configuration, we could block registration of new accounts too. |
I would certainly use this feature. |
We use LDAP at our organization for better management, LDAP support is mandatory for any new tool / service :/ |
For groups using this tool in conjunction with several other self hosted tools, ldap support is a must. I would be very happy to see this in this formidable project. The sooner the better! |
+1024 :) |
Any news on this? This would be a game-changer. There seems to be a meteor LDAP accounts plugin available: https://atmospherejs.com/typ/accounts-ldap Would that be helpful? If one was to try implementing LDAP in wekan, where should one look first? |
I had tried browsing the code to see where authentication occurs, but hadn't found anything. I have no idea what Meteor does exactly but I'm assuming that by doing install/build there's some authentication dependency that gets loaded which takes care of it. I would be willing to assist with this but I don't have much of a dedicated effort to setting up a build/test environment, as well as learning Meteor and the wekan codebase. I took a quick peek at the accounts-ldap package @rysiekpl linked, and some things look a little concerning.
If someone is familiar with Meteor and how accounts are managed/authenticated, I would be willing to assist and provide any insights from my experience with LDAP. Here are some other resources which might be useful: |
@neandrake so I am not alone. ;)
We can always fork.
True.
There's no way around it, I guess. "Encrypting" in JS just gives a false sense of security. HTTPS is the way to go, full stop. |
If wekan is also on meteor, try getting some code from rocket.chat |
Be careful to put accounts-password package after hive:accounts-ldap |
@Umi97 - That sounds like a useful pointer. Would it be possible for you to document things more fully, such that the users following the bug could try it out? Specifically which changes need to be made, and which packages installed. Once present I assume it will allow logins to work via LDAP credentials, but will it also create new users in the |
As a point of note, LDAP support for Sandstorm is now available for free: https://sandstorm.io/news/2017-02-06-sandstorm-returning-to-community-roots |
I just made the Cloudron wekan app use LDAP to authenticate internally. If anyone is looking for reference code, it's in https://git.cloudron.io/cloudron/accounts-cloudron. You can also see how the accounts package is used to setup wekan in https://git.cloudron.io/cloudron/wekan-app. When I find more time, I will try to get our code upstreamed. |
Thanks, pull request very welcome when you find more time! :) Pull requests are much easier for me to test than to figure out what has changed in outside repos. |
Pull request can be done to Wekan devel branch. |
I did some cleanup on this issue, to make it easier to implement in future. |
Hello, Would it be possible to have a few lines explaining how to use this ldap modification? I don't get what modifications / commands I should pass to Meteor and/or where to push the files. I tried git cloning it to the packages/ folder, then issued the following (after multiple unsuccessful other tries):
So I see some ldapjs packages included, but no trace of vars from wekan-ldap. Any hint / howto ? Thanks a lot ! |
Ok, finally got it working. Should we report the auto-registration / sync issues on wekan-ldap or in wekan ? |
Report to wekan-ldap . |
I saw that the 4 commands of @Saruspete are included in the Dockerfile already.
PS: Docker-compose build failed due to tar error when installing meteor. Had to add install of bsdtar and use it for meteor extraction. Git clone with git:// protocol also failed. |
I'm no fan of any automated tool that embeds its own filesystem, so I took the commands from the dockerfile, and replayed some modifications from https://github.com/wekan/wekan/pull/1826/files after learning a bit about meteor. A simplified script of mine would be:
set -o nounset
set -o noclobber
typeset PKGVERS_WEKAN='v1.43'
typeset MYPATH="$(pwd -P)"
typeset DST_BUILD="$MYPATH/wekan.build"
typeset DST_RUN="$MYPATH/wekan-$PKGVERS_WEKAN"
typeset SRC_BASE="$MYPATH/wekan.src"
typeset SRC_PKGS="$SRC_BASE/packages"
# Download wekan sources (release)
mkdir -p "$SRC_BASE" && cd "$SRC_BASE"
curl -L "https://github.com/wekan/wekan/archive/${PKGVERS_WEKAN}.tar.gz" | tar -xz --strip=1
# Download packages
mkdir -p "$SRC_PKGS" && cd "$SRC_PKGS"
git clone --depth 1 -b master 'https://github.com/wekan/flow-router.git' 'kadira-flow-router'
git clone --depth 1 -b master 'https://github.com/meteor-useraccounts/core.git' 'meteor-useraccounts-core'
sed -i 's/api\.versionsFrom/\/\/api.versionsFrom/' 'meteor-useraccounts-core/package.js'
git clone --depth 1 -b master 'https://github.com/wekan/wekan-ldap.git' 'wekan-ldap'
# Implement LDAP patch (https://github.com/wekan/wekan/pull/1826/files)
cd "$SRC_BASE"
echo 'wekan:wekan-ldap' >> '.meteor/versions'
echo 'yasaricli:slugify@0.0.7' >> '.meteor/versions'
sed -Ee '/es6-promise/a\ "ldapjs": "^1.0.2",' -i package.json
# Do the patch...
# Quote the delimiter: the patch contains $('...') and an unquoted heredoc would run it as a command substitution
patch -p0 <<'EOT'
diff --git client/components/main/layouts.jade client/components/main/layouts.jade
index b0024b3..b0f7b33 100644
--- client/components/main/layouts.jade
+++ client/components/main/layouts.jade
@@ -18,6 +18,9 @@ template(name="userFormsLayout")
img(src="{{pathFor '/wekan-logo.png'}}" alt="Wekan")
section.auth-dialog
+Template.dynamic(template=content)
+ if isLdap
+ .at-form
+ button#ldap(class='at-btn submit') {{ldapSignInLabel}}
if isCas
.at-form
button#cas(class='at-btn submit' type='submit') {{casSignInLabel}}
diff --git client/components/main/layouts.js client/components/main/layouts.js
index 6d6e616..0bfbc03 100644
--- client/components/main/layouts.js
+++ client/components/main/layouts.js
@@ -40,12 +40,18 @@ Template.userFormsLayout.helpers({
return t9nTag === curLang;
},
+ isLdap() {
+ return Meteor.settings.public.ldap;
+ },
isCas() {
return Meteor.settings.public &&
Meteor.settings.public.cas &&
Meteor.settings.public.cas.loginUrl;
},
+ ldapSignInLabel() {
+ return TAPi18n.__('ldapSignIn', {}, T9n.getLanguage() || 'en');
+ },
casSignInLabel() {
return TAPi18n.__('casSignIn', {}, T9n.getLanguage() || 'en');
},
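Review bot: `isLdap()` in this hunk dereferences `Meteor.settings.public.ldap` without first checking that `Meteor.settings.public` exists, so a deployment whose settings have no `public` block throws a TypeError inside the template helper instead of simply hiding the LDAP button; mirror the guard that `isCas()` uses two lines below: `return Meteor.settings.public && Meteor.settings.public.ldap;`.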
@@ -64,6 +70,21 @@ Template.userFormsLayout.events({
}
});
},
+ 'click button#ldap'() {
+ const username = $('#at-field-username_and_email').val() ||
+ $('#at-field-username').val() ||
+ $('#at-field-email').val();
+ const password = $('#at-field-password').val();
+ const options = {};
+ Meteor.loginWithLDAP(username, password, options, function(err) {
+ if (err){
+ console.log(err);
+ }
+ if (FlowRouter.getRouteName() === 'atSignIn') {
+ FlowRouter.go('/');
+ }
+ });
+ },
});
Template.defaultLayout.events({
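Review bot: in the `'click button#ldap'` handler the `FlowRouter.go('/')` redirect runs whether or not `err` is set, so a failed `Meteor.loginWithLDAP` call still navigates away from the sign-in form and the only trace of the failure is a `console.log(err)` in the browser console; return after handling the error (and surface a message to the user) so that only a successful callback reaches the redirect.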
EOT
# Then go-on with compilation
meteor add standard-minifier-js
meteor npm install
meteor build --directory "$DST_BUILD"
cp "$SRC_BASE/fix-download-unicode/cfs_access-point.txt" "$DST_BUILD/programs/server/packages/cfs_access-point.js"
cd "$DST_BUILD/bundle/programs/server"
npm install
# Then deploy and run
cp -r "$DST_BUILD/bundle" "$DST_RUN"
ln -s "$DST_RUN" "$MYPATH/wekan-current"
# Export usual vars, and the settings for ldap
export ROOT_URL="..."
# use settings.json from the snippet given by @maximest-pierre a few comments before.
# Meteor reads its settings from METEOR_SETTINGS; the variable name must match exactly.
export METEOR_SETTINGS="$(cat "$DST_RUN/settings.json")"
node main.js >>"$DST_RUN/wekan.out" 2>>"$DST_RUN/wekan.err" &
@xet7 may I suggest to update the "latest release" tag from github? That would enable automatic downloads such as https://github.com/wekan/wekan/releases/latest or their API https://api.github.com/repos/wekan/wekan/releases/latest ? Current "latest" is 1.07 |
I added newest Wekan release to latest tag. I will try adding LDAP to Wekan according to your script at your comment above. |
It seems that I do not yet have time to make changes. I added wekan/ldap#3 about what is required before integrating LDAP to Wekan. |
@Akuket has been doing additions to the LDAP code of @maximest-pierre.
From @Akuket:
Now, I must manage some use cases. Tell me what you think about them:
2. I must select the authentication method: in the callback after trying to connect by LDAP: IF EXCEPTION AND LOGIN_FALLBACK (env var) IS TRUE
From @xet7:
If password login is disabled, and LDAP is enabled, the requirement for logging in with LDAP is that the LDAP user must belong to a specific LDAP group that is allowed to use Wekan. In that case, Wekan should get details from LDAP, create a new Wekan user, and log the user in. If login to Wekan is allowed to all LDAP users, and not limited to a specific LDAP group, then all LDAP users can login, and a Wekan user will be created for them when they login.
From @Akuket:
I have modified the user model to add a boolean param named ldap. The person who made the code uses it in this code. Instead of that, one could imagine a connection variable that would contain the default authentication method of the user and that would be configurable from the admin panel. In that way, we can separate local accounts and ldap accounts or others.
From @xet7 to all:
There is currently in progress adding multiple auth methods. There is existing password auth, LDAP (this issue), OAuth2, Auth0 and CAS. Friend auth is not started yet. For identity providers, there are alternatives like:
Login experience?
How should the login experience be?
Single Login
In single login, it would be best to get id provider login to all apps at once. Currently there are 2 login steps:
It should be:
Multiple auth enabled
If there are multiple authentication methods enabled in wekan, like for example password / OAuth2 / LDAP, then maybe there would be
When would a new user be created?
When self-registration is turned off:
And also limiting OAuth2 and others to one domain #1904
Original Requirements
I added some comments.
Comments please
Everyone, please add comments if there is some use case I did not include yet. You can also help with current issues implementing this with helpful comments, pull requests etc. |
Hello, My opinion: When multiple authentication methods are enabled, the dropdown should only list those enabled on the wekan instance. Requirement 3: Yes, I think it is enough to be able to filter on one group, at least for a first implementation. Requirements 3/4: Wekan should get information from LDAP fields and store it in the wekan DB. Environment variables should allow Wekan administrators to select which LDAP field matches which Wekan field. Wekan should never try to write to LDAP. Requirement 5: Don't think it is important. Requirements 6/7: LDAP information needed for Wekan must be retrieved from LDAP and not be editable if LDAP is the selected method for the user. The administrator must be able to change the authentication method for one or multiple users. Regards. |
Hello, Requirement 3/4: What is the leading unique user id? How would you handle conflicts on username or email between e.g. LDAP and local accounts? Requirement 6: The right to access Wekan via LDAP auth should depend on a LDAP group membership. Once the membership is revoked the user should no longer be able to access Wekan. No need to disable accounts individually for LDAP users. Best regards |
Hello, The main goal of a central Auth / DB is to have a single central management entry. So most information like group membership, user details (photo, name, email...) are to be stored there, and a flag should be set to limit the ability of the user to modify it locally (eg, cannot modify in wekan db).
Best regards, |
Thanks to maximest-pierre, Akuket and xet. Related #119
Wekan v1.53.2 snap+docker included latest IFTTT+LDAP, please test what works, but make sure you have backups. This is very experimental, brand new, and can contain bugs, or not work at all.
Package: https://github.com/wekan/wekan-ldap
Docker: https://github.com/wekan/wekan/blob/edge/Dockerfile https://github.com/wekan/wekan/blob/edge/docker-compose.yml
Snap: https://github.com/wekan/wekan/blob/edge/snap-src/bin/config
Oops, LDAP help missing from snap, should be added later. https://github.com/wekan/wekan/blob/edge/snap-src/bin/wekan-help |
Someone, please:
a) Add Wekan snap help LDAP options as pull request to this file, you see file format at this file: b) Add LDAP options to this snap wiki page: Thanks! |
For https://github.com/wekan/wekan/blob/edge/snap-src/bin/wekan-help echo -e "Ldap Enable." |
Thanks to GitHub user Akuket for contributions. Related #119
Thanks @Akuket , added to Wekan. Someone could add this remaining one: b) Add LDAP options to this snap wiki page: |
I can look into adding that information on the wiki. I am supposed to deploy the update to our internal Wekan today or tomorrow. |
@maximest-pierre LDAP is at Wekan Edge Docker: Snap is still broken, because I could not get MongoDB working correctly. I will add info to Edge ChangeLog when it works. |
LDAP login works now by using this docker-compose.yml file:
Using this docker-compose: With this command: Bounty participants: Please check your email and accept bounty payment. |
Wiki page for LDAP: https://github.com/wekan/wekan/wiki/LDAP |
No matter what value is set, the error "'Base/one/subtree' is an invalid search scope" is returned in the logs |
There is an error, it's base or one or sub. |
scope is now fixed in newest Wekan. |
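The requirements discussed in the comments above (access gated on LDAP group membership, admin-configurable attribute mapping that is never written back to LDAP, LOGIN_FALLBACK to local password login only when LDAP throws) and the search-scope error in the last few comments, as one added example in JavaScript that is not code from Wekan or wekan-ldap. The client interface (`bind`/`search` methods that throw an `Error` carrying a `.code`), the config keys, `verifyLocal`, and the sample directory entries are assumptions constructed for this example; a real deployment would back the client with ldapjs, which the thread mentions.

```javascript
// Added example, not code from Wekan or wekan-ldap. The client interface,
// config keys and sample directory below are assumptions for this example.
const VALID_SCOPES = ['base', 'one', 'sub'];

// Wekan logs "'<value>' is an invalid search scope" for anything else;
// validating at startup turns that login-time log line into a config error.
function parseScope(value) {
  const scope = String(value === undefined ? 'sub' : value).trim().toLowerCase();
  if (!VALID_SCOPES.includes(scope)) {
    throw new Error(`'${scope}' is an invalid search scope (use base, one or sub)`);
  }
  return scope;
}
// Copy only admin-mapped attributes (local field -> LDAP attribute). Read-only.
function mapAttributes(entry, attributeMap) {
  const profile = {};
  for (const [localField, ldapAttr] of Object.entries(attributeMap)) {
    if (entry[ldapAttr] !== undefined) profile[localField] = entry[ldapAttr];
  }
  return profile;
}
// Returns a result object; only transport/config failures throw, so the
// caller can tell "the directory said no" from "the directory is down".
function ldapLogin(client, config, username, password) {
  if (!username || !password) return { ok: false, reason: 'empty-credentials' };
  const scope = parseScope(config.scope);
  client.bind(config.bindDn, config.bindPassword);             // service account
  const entries = client.search(config.baseDn, scope, { uid: username });
  if (entries.length !== 1) return { ok: false, reason: 'user-not-found' };
  const entry = entries[0];
  try {
    client.bind(entry.dn, password);                           // the password check
  } catch (e) {
    if (e.code === 'INVALID_CREDENTIALS') return { ok: false, reason: 'bad-password' };
    throw e;
  }
  // Group membership gates access: revoking it in LDAP revokes Wekan access.
  if (config.groupDn && ![].concat(entry.memberOf || []).includes(config.groupDn)) {
    return { ok: false, reason: 'not-in-group' };
  }
  return { ok: true, profile: { ...mapAttributes(entry, config.attributeMap), authenticationMethod: 'ldap' } };
}
// LOGIN_FALLBACK as described in the thread: on an LDAP exception, consult the
// local password store only if the admin opted in. verifyLocal(u, p) returns
// the local user record or null (assumed helper).
function login(client, config, verifyLocal, username, password) {
  try {
    return ldapLogin(client, config, username, password);
  } catch (e) {
    if (!config.loginFallback) return { ok: false, reason: 'ldap-unavailable' };
    const local = verifyLocal(username, password);
    return local ? { ok: true, profile: { ...local, authenticationMethod: 'password' } }
                 : { ok: false, reason: 'ldap-unavailable' };
  }
}
// Constructed in-memory directory standing in for a real LDAP server.
function fakeDirectory(entries, serviceDn, servicePassword, { down = false } = {}) {
  const fail = (code, msg) => { const e = new Error(msg); e.code = code; throw e; };
  return {
    bind(dn, pw) {
      if (down) fail('UNAVAILABLE', 'connection refused');
      if (dn === serviceDn && pw === servicePassword) return;
      const e = entries.find((x) => x.dn === dn);
      if (!e || e.userPassword !== pw) fail('INVALID_CREDENTIALS', 'invalid credentials');
    },
    search(baseDn, scope, filter) {
      if (down) fail('UNAVAILABLE', 'connection refused');
      return entries.filter((e) => e.dn.endsWith(baseDn) &&
        Object.entries(filter).every(([k, v]) => e[k] === v));
    },
  };
}
// Constructed sample data: alice is in the allowed group, bob is not.
const SAMPLE_ENTRIES = [
  { dn: 'uid=alice,ou=people,dc=example,dc=org', uid: 'alice', cn: 'Alice Example', mail: 'alice@example.org',
    userPassword: 'alice-pw', memberOf: ['cn=wekan-users,ou=groups,dc=example,dc=org'] },
  { dn: 'uid=bob,ou=people,dc=example,dc=org', uid: 'bob', cn: 'Bob Example', mail: 'bob@example.org',
    userPassword: 'bob-pw', memberOf: [] },
];
const SAMPLE_CONFIG = {
  scope: 'sub', baseDn: 'ou=people,dc=example,dc=org',
  bindDn: 'cn=wekan-svc,ou=services,dc=example,dc=org', bindPassword: 'svc-pw',
  groupDn: 'cn=wekan-users,ou=groups,dc=example,dc=org',
  attributeMap: { username: 'uid', fullname: 'cn', email: 'mail' },
  loginFallback: true,
};
// carol is a local (password) account, used to show the fallback path.
const verifyLocal = (u, p) => (u === 'carol' && p === 'carol-pw' ? { username: 'carol' } : null);

function demo(down = false) {
  const dir = fakeDirectory(SAMPLE_ENTRIES, SAMPLE_CONFIG.bindDn, SAMPLE_CONFIG.bindPassword, { down });
  return {
    alice: login(dir, SAMPLE_CONFIG, verifyLocal, 'alice', 'alice-pw'),
    bob: login(dir, SAMPLE_CONFIG, verifyLocal, 'bob', 'bob-pw'),
    badPw: login(dir, SAMPLE_CONFIG, verifyLocal, 'alice', 'wrong'),
    carol: login(dir, SAMPLE_CONFIG, verifyLocal, 'carol', 'carol-pw'),
  };
}
console.log(JSON.stringify({ up: demo(), down: demo(true) }, null, 1));
```

Running it prints the outcomes with the directory reachable and unreachable: alice gets an LDAP-sourced profile, bob is refused for not being in the group, and carol's local password only works when LDAP throws and `loginFallback` is set. The `reason` strings are intended for the server log; the client should receive a single generic failure message so a caller cannot tell an unknown username from a wrong password.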
Ability to authenticate users against LDAP rather than users requiring to create accounts.