
Fix LDAP auth configuration paths. #2167

Merged
merged 1 commit into from
Mar 16, 2019

Conversation

wrouesnel
Contributor

This commit fixes parameters broken in the latest version of adldap2.

Specifically:

  • adldap auth parameters have changed in the latest version.
    • "usernames" has become identities and discover has changed to
      discover_users_by, auth has changed to bind_users_by
  • Add the missing objectguid field to the users table for adldap2.
    • This is added as a nullable (optional) field at the moment to support
      tracking LDAP users as adldap2 wants to.

Fixes issue #1933 (completely).

Changes in this pull request:

  • Database migration for objectguid
  • Change the paths in config/ldap_auth.php to match up adldap2

With these changes I was able to get authentication with FreeIPA working correctly versus current master.

@JC5

@JC5
Member

JC5 commented Mar 11, 2019

Looks good. Seems docs for ldap upgrade were half-complete. Please rename the migration.

Will inspect later when I have a PC

@wrouesnel
Contributor Author

What convention should the migration be named after?

@JC5
Member

JC5 commented Mar 11, 2019

Not after a version three releases ago. I suggest fix_ldap or something. Keep it simple.

This commit fixes parameters broken in the latest version of `adldap2`.

Specifically:

* `adldap` auth parameters have changed in the latest version.
  * "usernames" has become `identities` and `discover` has changed to
    `discover_users_by`, `auth` has changed to `bind_users_by`
* Add the missing objectguid field to the users table for adldap2.
  * This is added as a nullable (optional) field at the moment to support
    tracking LDAP users as adldap2 wants to.
@JC5
Member

JC5 commented Mar 16, 2019

Looks good.

@JC5 JC5 merged commit 6462d2b into firefly-iii:develop Mar 16, 2019
JC5 added a commit that referenced this pull request Mar 22, 2019
* develop: (21 commits)
  Update lock file
  Update change logs and config files.
  Enable norsk, update version of DB
  Various language string updates.
  Norwegian strings.
  Improve installer middleware for Sandstorm.
  Fix some issues with importer #2166
  Other delete thing.
  More debug things.
  Extra debug info for #2159 and some kernel changes.
  Extra debug info for #2159
  Fix #2173
  Rename class and add copyright statement @wrouesnel #2167
  Fix LDAP auth configuration paths.
  Fix some cache issues and a version bump.
  Updated file list.
  Updated list.
  New file list.
  Update composer file.
  Small fix in changelog.
  ...
@MrShibe

MrShibe commented Mar 29, 2019

@wrouesnel would you mind posting an example of what your .env file looks like with this change? Upon upgrading to this version I am unable to authenticate with FreeIPA again, but as you were able to get this working I'm assuming it is down to a slight configuration issue on my end.

@wrouesnel
Contributor Author

wrouesnel commented Mar 30, 2019

@MrShibe A (sanitized) version of the LDAP section of my config file:

```ini
# Firefly III has two options for user authentication. "eloquent" is the default,
# and "ldap" for LDAP servers.
# For full instructions on these settings please visit:
# https://firefly-iii.readthedocs.io/en/latest/installation/authentication.html
LOGIN_PROVIDER=ldap

# LDAP connection configuration
ADLDAP_CONNECTION_SCHEME=FreeIPA
ADLDAP_AUTO_CONNECT=true

# LDAP connection settings
ADLDAP_CONTROLLERS=ipa.server.local
ADLDAP_PORT=389
ADLDAP_TIMEOUT=5
ADLDAP_BASEDN="cn=users,cn=accounts,dc=server,dc=local"
ADLDAP_FOLLOW_REFFERALS=False
ADLDAP_USE_SSL=False
ADLDAP_USE_TLS=False

ADLDAP_ADMIN_USERNAME=uid=svc_accounting,cn=users,cn=accounts,dc=server,dc=local
ADLDAP_ADMIN_PASSWORD="svc_accounting password"

ADLDAP_ACCOUNT_PREFIX="uid="
ADLDAP_ACCOUNT_SUFFIX=",cn=users,cn=accounts,dc=server,dc=local"

# LDAP authentication settings.
ADLDAP_PASSWORD_SYNC=false
ADLDAP_LOGIN_FALLBACK=false

ADLDAP_DISCOVER_FIELD=uid
ADLDAP_AUTH_FIELD=uid

# Will allow SSO if your server provides an AUTH_USER field.
WINDOWS_SSO_DISCOVER=
WINDOWS_SSO_KEY=

# field to sync as local username.
ADLDAP_SYNC_FIELD=uid
```

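As an added example (not code from this thread, from Firefly III or from adldap2), a small Python checker that parses the LDAP lines of a `.env` like the one posted above, shows the DN adldap2 will bind with for a given login (`ADLDAP_ACCOUNT_PREFIX` + username + `ADLDAP_ACCOUNT_SUFFIX`), and flags the transport settings: with both `ADLDAP_USE_SSL` and `ADLDAP_USE_TLS` off, the service-account and user bind passwords travel to the controller in cleartext on port 389. The sample values are constructed from the config above; the finding messages and the `env_bool` spellings are the example's own assumptions.

```python
# Added example: lint the LDAP block of a Firefly III .env (not Firefly III's
# or adldap2's own code). Sample values are constructed from the thread above.
SAMPLE_ENV = """
ADLDAP_CONTROLLERS=ipa.server.local
ADLDAP_PORT=389
ADLDAP_USE_SSL=False
ADLDAP_USE_TLS=False
ADLDAP_ADMIN_USERNAME=uid=svc_accounting,cn=users,cn=accounts,dc=server,dc=local
ADLDAP_ADMIN_PASSWORD="svc_accounting password"
ADLDAP_ACCOUNT_PREFIX="uid="
ADLDAP_ACCOUNT_SUFFIX=",cn=users,cn=accounts,dc=server,dc=local"
"""

def parse_env(text):
    """Parse KEY=VALUE lines: split on the first '=' only (DN values contain
    '='), strip one layer of matching quotes, skip blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def env_bool(value):
    """Laravel's env() reads true/false case-insensitively, so 'False' is off."""
    return value.strip().lower() in ("true", "(true)", "1")

def bind_dn_for(env, username):
    """DN adldap2 binds as for a login: ADLDAP_ACCOUNT_PREFIX + user + SUFFIX."""
    return env.get("ADLDAP_ACCOUNT_PREFIX", "") + username + env.get("ADLDAP_ACCOUNT_SUFFIX", "")

def transport_findings(env):
    """Flag settings under which bind passwords cross the network unencrypted."""
    ssl = env_bool(env.get("ADLDAP_USE_SSL", "false"))
    tls = env_bool(env.get("ADLDAP_USE_TLS", "false"))
    findings = []
    if not (ssl or tls):
        findings.append("no LDAPS/StartTLS: admin and user bind passwords are sent in cleartext")
    if ssl and env.get("ADLDAP_PORT") == "389":
        findings.append("ADLDAP_USE_SSL is on but ADLDAP_PORT is 389; LDAPS normally uses 636")
    return findings

if __name__ == "__main__":
    print(bind_dn_for(parse_env(SAMPLE_ENV), "alice"), transport_findings(parse_env(SAMPLE_ENV)))
```

Point the parser at your real `.env` instead of `SAMPLE_ENV` to check a live deployment; an empty findings list means LDAPS or StartTLS is enabled.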
@lock lock bot locked as resolved and limited conversation to collaborators Jan 18, 2020