
Improve LDAP authentication support


Scout's support for LDAP authentication is fairly basic, and the login documentation contains some minor errors.

It would be nice to describe how to use the authentication variables LDAP_BIND_USER_DN and LDAP_BIND_USER_PASSWORD and the filtering variables LDAP_USER_DN and LDAP_GROUP_DN.

Also, it would be good if we could mirror the function of LDAP_REQUIRED_GROUP so you could set up different user groups which have access to different software.

Errors

  • Configuration variable LDAP_REQUIRED_GROUP is not supported by flask-ldap3-login
  • The documentation says that Scout supports login with username and password, which is wrong. Scout's basic auth uses only email.
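To make the request concrete, here is an added example (not Scout's or flask-ldap3-login's code) of how the bind, user-DN and group-DN variables named above fit together, with a per-application "required group" check of the kind the issue asks for. The directory entries are constructed, and the helper names (user_search_filter, groups_of, is_authorized) are hypothetical.

```python
# Added example, not Scout's or flask-ldap3-login's code. Directory data is
# constructed; helper names are hypothetical.

BASE_DN = "dc=example,dc=org"                    # constructed base DN
LDAP_BIND_USER_DN = f"cn=readonly,{BASE_DN}"      # service account that only searches
LDAP_BIND_USER_PASSWORD = "<from-environment>"    # placeholder; keep out of source control
LDAP_USER_DN = "ou=people"                        # search bases relative to BASE_DN
LDAP_GROUP_DN = "ou=groups"

ALICE = f"uid=alice,{LDAP_USER_DN},{BASE_DN}"
BOB = f"uid=bob,{LDAP_USER_DN},{BASE_DN}"

# Constructed snapshot of RFC2307bis groupOfNames entries: group DN -> member DNs.
GROUPS = {
    f"cn=scout-users,{LDAP_GROUP_DN},{BASE_DN}": {ALICE, BOB},
    f"cn=scout-admins,{LDAP_GROUP_DN},{BASE_DN}": {ALICE},
    f"cn=wiki-users,{LDAP_GROUP_DN},{BASE_DN}": {BOB},
}

# One required group per application: the per-software variant of LDAP_REQUIRED_GROUP.
REQUIRED_GROUP = {"scout": "scout-users", "wiki": "wiki-users"}


def escape_filter(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that user input
    cannot change the filter's structure. Backslash is handled first."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value


def user_search_filter(email: str) -> str:
    """Filter the bind user runs under LDAP_USER_DN; Scout logs users in by email."""
    return f"(&(objectClass=inetOrgPerson)(mail={escape_filter(email)}))"


def groups_of(user_dn: str) -> list[str]:
    """Group cn values the user belongs to, as a group search under LDAP_GROUP_DN would return."""
    return sorted(dn.split(",", 1)[0][3:] for dn, members in GROUPS.items() if user_dn in members)


def is_authorized(user_dn: str, app: str) -> bool:
    """Fail closed: an unknown application or a missing group membership means no access."""
    required = REQUIRED_GROUP.get(app)
    return required is not None and required in groups_of(user_dn)
```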

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
mhkc commented, Nov 1, 2021

@northwestwitch I have a functional setup with osixia/openldap and using wheelybird/ldap-user-manager to manage the database. It takes the configuration from an environment file, which allows you to have separate environments and parameters for testing and production.

version: "3.9"
services:
  open-ldap:
    image: "osixia/openldap:${OPENLDAP_VERSION:-latest}"
    container_name: open-ldap
    volumes:
      - ./data/database:/var/lib/ldap
      - ./data/config:/etc/ldap/slapd.d
    environment:
      - LDAP_ORGANISATION=cmd
      - LDAP_DOMAIN=${ORGANISATION_NAME:-example}.${ORGANISATION_DOMAIN:-org}
      # The "admin" fallback is for local testing only; set ADMIN_PASSWORD in the env file
      - LDAP_ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
      - LDAP_RFC2307BIS_SCHEMA=true
      - LDAP_REMOVE_CONFIG_AFTER_SETUP=true
      # No client-certificate verification: acceptable in a lab, not in production
      - LDAP_TLS_VERIFY_CLIENT=never
    ports:
      # Plain LDAP published on the host; in production keep it on ldap-net or use LDAPS (636)
      - 389:389
    networks:
      - ldap-net
    restart: unless-stopped

  ldap-user-manager:
    image: "wheelybird/ldap-user-manager:${USER_MANAGER_VERSION:-oldcookies}"
    container_name: ldap-manager
    volumes:
      - ./mail_functions.inc.php:/opt/ldap_user_manager/includes/mail_functions.inc.php
    environment:
      - ORGANISATION_NAME=${ORGANISATION_NAME:-example}
      - SERVER_HOSTNAME=10.0.224.64:8090
      - LDAP_URI=open-ldap
      - LDAP_BASE_DN=dc=${ORGANISATION_NAME:-example},dc=${ORGANISATION_DOMAIN:-org}
      - LDAP_ADMINS_GROUP=admins
      - LDAP_ADMIN_BIND_DN=cn=admin,dc=${ORGANISATION_NAME:-example},dc=${ORGANISATION_DOMAIN:-org}
      - LDAP_ADMIN_BIND_PWD=${ADMIN_PASSWORD:-admin}
      # Skips certificate validation toward the directory (test setting)
      - LDAP_IGNORE_CERT_ERRORS=true
      - USERNAME_FORMAT={first_name}.{last_name}
      # email settings
      - SMTP_HOSTNAME=${SMTP_HOSTNAME}
      - SMTP_HOST_PORT=${SMTP_HOST_PORT}
      - SMTP_USE_TLS=false
      - SMTP_USE_SSL=false
      # $LDAP_DOMAIN is interpolated from the .env file, not from the open-ldap service
      - EMAIL_FROM_ADDRESS=${EMAIL_FROM_ADDRESS:-noreply@$LDAP_DOMAIN}
      - EMAIL_DOMAIN=${ORGANISATION_NAME:-example}.${ORGANISATION_DOMAIN:-org}
      - EMAIL_FROM_NAME=CMD
      - ACCOUNT_REQUESTS_ENABLED=true
      - ACCOUNT_REQUESTS_EMAIL=${ACCOUNT_REQUESTS_EMAIL}
      - NEW_ACCOUNT_EMAIL_BODY=${NEW_ACCOUNT_EMAIL_BODY}
      - NEW_ACCOUNT_EMAIL_SUBJECT=${NEW_ACCOUNT_EMAIL_SUBJECT}
      # General
      # User manager served over plain HTTP (test setting)
      - NO_HTTPS=true
      - SMTP_LOG_LEVEL=1
    expose:
      - '25'
    ports:
      - 8090:80
    networks:
      - ldap-net
    restart: unless-stopped

networks:
  ldap-net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.30.1.0/24

0 reactions
northwestwitch commented, Nov 1, 2021

I don't think so; I was just looking for an easy-to-use dockerized solution that contains all the options you might find when using a real LDAP server.
