-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added support for LDAP. #1124
base: master
Are you sure you want to change the base?
Added support for LDAP. #1124
Conversation
additional options are only visible when they are selected Signed-off-by: Aisha Tammy <[email protected]>
…to use a modified version of the old one
Add LDAP support with auto user creation: Signed-off-by: Aisha Tammy <[email protected]>
Added support for LDAP filters and attribute search
Added LDAP Morphology Triggers.
Add support for LDAP Groups, minor fixes
Note that no period has been added after the example url, and places where an "if" statement doesn't contain a "{" haven't been changed.
@ByteHamster.
|
Especially in projects developed by many different people, it is important to always use braces. Not using braces caused a pretty terrible bug in Apple's SSL stack a few years ago: https://en.wikipedia.org/wiki/Unreachable_code#goto_fail_bug
I would be highly surprised if any code ran faster just because of a missing curly brace. |
@ByteHamster, I'll add curly braces, then. |
@ByteHamster, I've added curly braces. Is there anything else I should check/change? |
I would just put the url in quotation marks and add the period afterwards. That way, the linter should be happy. |
Give me 2 minutes. |
@ByteHamster, Done. |
Also, @ByteHamster, I was thinking of adding a feature where users could login using PATs instead of their password, it's not common to see PATs implemented in a LDAP database, but I think it would be beneficial for Baïkal to implement it. Should I commit it to this pull? |
Hmm. One of the main goals of Baikal is to be easy to set up - even for people who bought their first php server, who have no experience whatsoever. This sounds like it will add even more settings that such users are overwhelmed by. |
Well, @ByteHamster, I'd argue, that if you're setting up LDAP authentication, you're going to know what you're doing with the LDAP settings, It'll otherwise be hidden if LDAP is not selected. |
@El-Virus awesome work. I've used it for a while now and it seems to be working well. Any holdups on this being merged? I'll start adding the SMTP after this. |
Great! Haven't found any issues in my installation neither.
I'm currently waiting for a member to tell me if I should add PATs to the PR, as well as merge it.
Also great, I'm using your old SMTP implementation at the moment. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I finally had time to have a look at this. Some things I noticed:
URI of the LDAP server
is shown even when LDAP is not selected- The list of settings is huge, making the screen rather cluttered ==> I don't think there should be yet another setting for PAT
- Please move the "tooltip"-like text (replacements, etc) below the text boxes, so they have more horizontal space - like it is already done for the invite address. This should save some vertical space.
- Some settings say "default: xy". What does that mean? Does it mean that if I leave the box blank, I get that as a default?
- Given that the number of LDAP related settings in the list is quite huge, it is rather hard to see where LDAP stops and where the remaining settings (admin password) start. I think it would be more clear if the admin password was moved up, so that all remaining settings on the page are LDAP only.
- Is there a way to somehow group the LDAP settings? Eg by showing them with their own heading?
- All those LDAP settings get added to the main section of the config file. Is there a way to create an extra section that deals with LDAP? That way, users know that they don't need to look at these when changing the config file and not having configured LDAP. Maybe that could work together with the point above, so we could have two different settings "sections" and configuration classes?
I didn't set up an LDAP server for testing yet, will do that once the UI is completed.
@@ -135,6 +135,8 @@ protected function initServer() { | |||
$authBackend = new \Baikal\Core\PDOBasicAuth($this->pdo, $this->authRealm); | |||
} elseif ($this->authType === 'Apache') { | |||
$authBackend = new \Sabre\DAV\Auth\Backend\Apache(); | |||
} elseif ($this->authType === 'LDAP') { | |||
$authBackend = new \Baikal\Core\LDAP($this->pdo, 'users', $config['system']['ldap_mode'], $config['system']['ldap_uri'], $config['system']['ldap_bind_dn'], $config['system']['ldap_bind_password'], $config['system']['ldap_dn'], $config['system']['ldap_cn'], $config['system']['ldap_mail'], $config['system']['ldap_search_base'], $config['system']['ldap_search_attribute'], $config['system']['ldap_search_filter'], $config['system']['ldap_group']); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With an LDAP-specific settings section, you could pass that full section in a single parameter instead of extracting this huge number of settings here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't quite get what you mean, that parameter would still need to read the values from the config file, resulting in even larger code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking about something like $authBackend = new \Baikal\Core\LDAP($this->pdo, 'users', $config['ldap]);
. The constructor internally needs a ton of lines to assign everything to member variables anyway.
Alternatively, how about using an LdapConfig
struct? Something like this:
class LdapConfig {
public $ldap_mode;
public $ldap_uri;
...
}
$LdapConfig = new LdapConfig();
$LdapConfig->ldap_uri = $config['xy];
...
$authBackend = new \Baikal\Core\LDAP($this->pdo, 'users', $LdapConfig);
class LDAP extends \Sabre\DAV\Auth\Backend\AbstractBasic {
protected $LdapConfig;
public function __construct(..., $LdapConfig) {
$this->LdapConfig = $LdapConfig;
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ByteHamster, I see what you mean, but as LDAP config is set in "System Settings", it'll be saved under $config['system']
. So either we create a new tab or we could add code in set
to handle LDAP set the values independently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, an additional settings section sounds like a lot of work and also quite hacky. How do you feel about that "struct"? It would reduce the long list of constructor parameters, making it a bit easier to comprehend
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ByteHamster, is this ok?
Co-authored-by: ByteHamster <[email protected]>
@ByteHamster All the issues in the last review have been fixed. |
Okay, turns out that the backslash before The error message when entering a wrong user name is Instead of sometimes returning There are the There is UI allowing to change user attributes in the Baikal web interface - which creates even more inconsistencies with LDAP. Maybe Baikal could refuse to edit users when LDAP auth is enabled. |
|
Currently there are some code paths on which protected function ldapOpen($username, $password) {
$conn = ldap_connect($this->ldap_config->ldap_uri);
if (!$conn) {
return false;
}
try {
// ...
if (authentication failed) {
return false;
}
createUserIfNecessary();
} finally {
ldap_close($conn);
}
return true; |
@ByteHamster but wouldn't that |
The |
We're looking to run Baikal, and this PR looks very useful to us. Would it be helpful that we apply this PR locally and do some testing of it? |
Of course, testing is always welcome! |
I have applied and tested this PR, and it's been solid so far. Really nice work @El-Virus and @epsilon-0 thank you! So far, I have encountered two minors inconveniences related to each other: 1- Using the 2- When a user authenticates himself using his calendar URI (https://baikal.mydomain.com/dav.php/calendars/// ) this process not only authenticates the CalDAV user but will in fact also create a different CalDAV user if the credentials entered use |
@solo-wanderer, Thank you for your feedback, I'll fix the bugs in the next revision. |
Thank you very much for your ongoing efforts around this integration. |
@ByteHamster, I'm implementing user federation, and need to access |
May I enquire the progress of this feature? I'm quite eager to use LDAP auth, but it seems that this has stalled for quite a few months |
I also wonder if this is implemented or not? |
@mxmeeple @BobWs @luggesexe . Yes, indeed the PR has been stale the last months. I've been quite busy with other projects and life in general, and this one is quite ambitious (Implementing User Federation, which is what needs to be done now is quite the task). But seeing that a few people depend on this, I'll be bumping this to the top of my TODO list. I'll resume development in about a month. Thank you for your support. |
Thank you for your work on LDAP integration. I am also waiting for a release. |
@HDValentin: User Federation is not a LDAP feature. It will serve as a base for LDAP and other future authentication methods. Its purpose is to manage concurrent usage of multiple user sources, which will hopefully solve some of the issues of the current implementation. |
Hi there! Any news? |
Added support for LDAP.
Supports authentication via DN, attribute, filter & group.