LDAP authentication process modification #825

Closed

aitzol wants to merge 10 commits from (deleted):ldap-auth-changes into develop

pull from: (deleted):ldap-auth-changes

merge into: AkkomaGang:develop

AkkomaGang:develop

AkkomaGang:better-stats

AkkomaGang:stable

AkkomaGang:translations

AkkomaGang:customizable-docker-db

AkkomaGang:static-adminfe

AkkomaGang:bad-uploader-config-warning

AkkomaGang:docker

AkkomaGang:user-expiry-backfill

AkkomaGang:config-db-keys

AkkomaGang:ensure-scrubbers-loaded

AkkomaGang:otp26

AkkomaGang:code-shaking-does-not-go-brr

AkkomaGang:elixir1.15

AkkomaGang:circleci

AkkomaGang:backup-fixes

AkkomaGang:mod-task

AkkomaGang:policy

AkkomaGang:mrf-coolness

AkkomaGang:frontend-switcher-9000

AkkomaGang:contentMap

AkkomaGang:language-on-posts

AkkomaGang:rabbit

AkkomaGang:credo-on-pr

AkkomaGang:unify-http

AkkomaGang:normalise-markup-by-default

AkkomaGang:buildx

Conversation 3 Commits 10 Files changed 57 +934 -366

aitzol commented 2024-08-05 10:03:24 +00:00

First-time contributor

Copy link

1. Added eldap module, see issue 671
2. Modified LDAP authentication process. In some servers it is not possible to authenticate the user using the UID, since it is not part of the user's DN required for the simple bind. In the proposed way, a search for the user is performed using his UID, obtaining at that moment his CN and then authenticating himself. For the changes to work it is necessary to add the login credentials to the LDAP server using environment variables in the .env file, like this:

LDAP_READONLY_USER_USERNAME="readonly"
LDAP_READONLY_USER_PASSWORD="secret"

1. Added **eldap** module, see [issue 671](https://akkoma.dev/AkkomaGang/akkoma/issues/671) 2. Modified **LDAP** authentication process. In some servers it is not possible to authenticate the user using the `UID`, since it is not part of the user's `DN` required for the _simple bind_. In the proposed way, a search for the user is performed using his `UID`, obtaining at that moment his `CN` and then authenticating himself. For the changes to work it is necessary to add the login credentials to the **LDAP** server using environment variables in the `.env` file, like this: ```bash LDAP_READONLY_USER_USERNAME="readonly" LDAP_READONLY_USER_PASSWORD="secret" ```

aitzol added 1 commit 2024-08-05 10:03:25 +00:00

LDAP authentication process modification 72a831099e

aitzol added 1 commit 2024-08-25 18:01:03 +00:00

Merge branch 'develop' into ldap-auth-changes 962f58daf5

aitzol added 1 commit 2024-09-26 03:30:22 +00:00

Merge branch 'develop' into ldap-auth-changes 027ae524df

Oneric commented 2024-10-15 17:04:55 +00:00

Member

Copy link

I’m not familiar with LDAP nor Akkoma’s code for it, but according to the docs this "simple bind" cn=user,base scheme is already supposed to be supported by setting the uid parameter to cn instead of uid. On a glance your changes appear to break the uid scheme though due to hardcoding attr = "cn" as the prefix

I’m not familiar with LDAP nor Akkoma’s code for it, but according to [the docs](https://docs.akkoma.dev/stable/configuration/cheatsheet/#ldap) this "simple bind" `cn=user,base` scheme is already supposed to be supported by setting the uid parameter to `cn` instead of `uid`. On a glance your changes appear to break the `uid` scheme though due to hardcoding `attr = "cn"` as the prefix

aitzol commented 2024-10-15 20:31:25 +00:00

Author

First-time contributor

Copy link

I’m not familiar with LDAP nor Akkoma’s code for it, but according to the docs this "simple bind" cn=user,base scheme is already supposed to be supported by setting the uid parameter to cn instead of uid. On a glance your changes appear to break the uid scheme though due to hardcoding attr = "cn" as the prefix

Often the CN attribute on many LDAP servers is usually a compound name, i.e. first name y last name, which is not useful as a username/nick for logging Akkoma. That is another reason for me to make the above changes using the UID.

> I’m not familiar with LDAP nor Akkoma’s code for it, but according to [the docs](https://docs.akkoma.dev/stable/configuration/cheatsheet/#ldap) this "simple bind" `cn=user,base` scheme is already supposed to be supported by setting the uid parameter to `cn` instead of `uid`. On a glance your changes appear to break the `uid` scheme though due to hardcoding `attr = "cn"` as the prefix Often the `CN` attribute on many LDAP servers is usually a compound name, i.e. first name y last name, which is not useful as a username/nick for logging Akkoma. That is another reason for me to make the above changes using the `UID`.

aitzol added 1 commit 2024-10-16 16:48:51 +00:00

changelog.md 1a080be59f

aitzol added 5 commits 2024-10-16 17:06:08 +00:00

merge Federate emoji as anonymous objects #815 68896227ae

Merge pull request 'fork syncking' (#1) from AkkomaGang/akkoma:develop into develop ... b1736f58a8

Reviewed-on: aitzol/akkoma#1

ldap-auth-changes d3e275461c

Merge branch 'ldap-auth-changes' into develop f1104cb216

Merge pull request 'develop' (#2) from develop into ldap-auth-changes ... f64fb443ec

Reviewed-on: aitzol/akkoma#2

Oneric commented 2024-10-17 21:49:41 +00:00

Member

Copy link

It sounds like you want to add a new mode, which is in principle fine, but you shouldn’t break existing modes and usecases in the process. E.g. adding mapped_cn or something as a third option besides uid and cn

It sounds like you want to add a new mode, which is in principle fine, but you shouldn’t break existing modes and usecases in the process. E.g. adding `mapped_cn` or something as a third option besides `uid` and `cn`

aitzol added 1 commit 2024-11-02 06:50:21 +00:00

LDAP authentication process modification fec332a627

aitzol closed this pull request 2024-11-02 06:57:16 +00:00

Some checks are pending

Hide all checks

ci/woodpecker/pr/build-amd64 Pipeline is pending approval

Details

ci/woodpecker/pr/build-arm64 Pipeline is pending approval

Details

ci/woodpecker/pr/docs Pipeline is pending approval

Details

ci/woodpecker/pr/lint Pipeline is pending approval

Details

ci/woodpecker/pr/test Pipeline is pending approval

Details

ci/woodpecker/pull_request_closed/build-amd64 Pipeline is pending approval

Details

ci/woodpecker/pull_request_closed/build-arm64 Pipeline is pending approval

Details

ci/woodpecker/pull_request_closed/docs Pipeline is pending approval

Details

ci/woodpecker/pull_request_closed/lint Pipeline is pending approval

Details

ci/woodpecker/pull_request_closed/test Pipeline is pending approval

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#825

No description provided.