LDAP Integration #119

Open
neandrake opened this Issue Jan 25, 2015 · 89 comments

@neandrake

neandrake commented Jan 25, 2015

Ability to authenticate users against LDAP rather than users requiring to create accounts.

@mquandalle mquandalle added the Feature label Jan 25, 2015

@mquandalle

Member

mquandalle commented Jan 28, 2015

Is this just an idea, or a feature you plan to use when it gets ready?

@gomex

gomex commented Jan 28, 2015

It is a really good feature.

@neandrake

neandrake commented Jan 28, 2015

This is a feature request. Libreboard would need settings/configuration page to add LDAP authentication. Currently the authentication is against the application database. Having the ability to delegate authentication to LDAP allows for all users in an organization to have immediate access. Rather than requiring each user to register their own account.

@gomex

gomex commented Jan 29, 2015

It would be nice if that configuration we can block registration of new account too.

@miketweaver

miketweaver commented Feb 11, 2015

I would certainly use this feature.

@CNek

CNek commented Mar 2, 2015

We use LDAP at our organization for better management, LDAP support is mandatory for any new tool / service :/

@Guybrush333

Guybrush333 commented May 2, 2015

For groups using this tool in conjunction with several other self hosted tools, ldap support is a must. I would be very happy to see this in this formidable project. The sooner the better!

@snolahc

snolahc commented Jul 9, 2015

+1024 :)
@mquandalle i'd be up to work on it with you ~week 30 (end of july) :)

@rysiekpl

rysiekpl commented Oct 4, 2015

Any news on this? This would be a game-changer.

There seems to be a meteor LDAP accounts plugin available: https://atmospherejs.com/typ/accounts-ldap

Would that be helpful?

If one was to try implementing LDAP in wekan, where one should look first?

@neandrake

neandrake commented Oct 5, 2015

I had tried browsing the code to see where authentication occurs, but hadn't found anything. I have no idea what Meteor does exactly but I'm assuming that by doing install/build there's some authentication dependency that gets loaded which takes care of it. I would be willing to assist with this but I don't have much of a dedicated effort to setting up a build/test environment, as well as learning Meteor and the wekan codebase.

I took a quick peek at the accounts-ldap package @rysiekpl linked, and some things look a little concerning.

  1. The package claims to be a step above proof-of-concept, to my mind means changes are likely needed upstream in this package.
  2. The example of logging in is listed as "Client Side", and appears to allow specifying raw LDAP dn query. This is a little worrying as it might allow a client to construct probing queries. The LDAP query should only ever be constructed server-side, much like a SQL query.
  3. An item under "Issues + Notes" reads: "... the user/password are sent to the server unencrypted. I still need to figure out a solution for this." - I'm pretty sure this is the reason why an install should be using HTTPS and not plain HTTP. This is how most logins work and why your browser should warn with having password fields on a plaintext connection.

If someone who is familiar with Meteor and how accounts are managed/authenticated I would be willing to assist and provide any insights from my experience with LDAP. Here are some other resources which might be useful:

  1. A different meteor account ldap package: https://github.com/UK-AS-HIVE/meteor-accounts-ldap
  2. A large js library for both client and server features: http://ldapjs.org/client.html
  3. This looks like a very simple library which only aims to provide authentication support: https://github.com/trentm/node-ldapauth
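
Added example (not code from Wekan or from any of the packages linked above) of the server-side construction that point 2 calls for: the login name is treated as data and escaped per RFC 4515 before it goes into the search filter, and per RFC 4514 when it is placed in a DN. The LDAP_* setting names follow the fields discussed later in this issue; the attribute-name allowlist regex is an assumption.

```javascript
// Added example (not Wekan's code, nor accounts-ldap's): build the LDAP search
// on the server from an untrusted login name. Setting names follow the LDAP_*
// fields discussed in this issue; the attribute allowlist regex is an assumption.

// RFC 4515: characters that would change a filter's structure are hex-escaped.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514: escaping for an attribute value placed inside a DN (simple-bind
// mode, where the DN is built from a template such as uid=<login>,<BaseDN>).
function escapeDnValue(value) {
  let s = String(value).replace(/[\\,+"<>;=]/g, (ch) => '\\' + ch).replace(/\0/g, '\\00');
  if (s.startsWith(' ') || s.startsWith('#')) s = '\\' + s;
  if (s.endsWith(' ')) s = s.slice(0, -1) + '\\ ';
  return s;
}

// Search-and-bind mode: the (field=login) term is ANDed with the optional
// LDAP_User_Search_Filter, as the RocketChat-derived settings describe.
function buildUserSearch(settings, login) {
  const field = settings.LDAP_User_Search_Field || 'uid';
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(field)) {
    throw new Error('LDAP_User_Search_Field must be a plain attribute name');
  }
  const term = `(${field}=${escapeFilterValue(login)})`;
  const extra = settings.LDAP_User_Search_Filter;
  return {
    base: settings.LDAP_BaseDN,
    scope: settings.LDAP_User_Search_Scope || 'sub',
    filter: extra ? `(&${extra}${term})` : term,
  };
}

// Simple-bind mode: derive the user's DN without a search.
function buildUserDn(settings, login) {
  const field = settings.LDAP_User_Search_Field || 'uid';
  return `${field}=${escapeDnValue(login)},${settings.LDAP_BaseDN}`;
}

// Constructed demo settings (hypothetical, not from a real deployment).
const searchSettings = {
  LDAP_BaseDN: 'ou=people,dc=example,dc=org',
  LDAP_User_Search_Field: 'uid',
  LDAP_User_Search_Filter: '(objectClass=person)',
  LDAP_User_Search_Scope: 'sub',
};

// A login name that tries to widen the search is reduced to a literal value:
// (&(objectClass=person)(uid=\2a\29\28uid=\2a))
console.log(buildUserSearch(searchSettings, '*)(uid=*').filter);
```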
@rysiekpl

rysiekpl commented Oct 5, 2015

@neandrake so I am not alone. ;)

  1. The package claims to be a step above proof-of-concept, to my mind means changes are likely needed upstream in this package.

We can always fork.

  1. The example of logging in is listed as "Client Side", and appears to allow specifying raw LDAP dn query. This is a little worrying as it might allow a client to construct probing queries. The LDAP query should only ever be constructed server-side, much like a SQL query.

True.

  1. An item under "Issues + Notes" reads: "... the user/password are sent to the server unencrypted. I still need to figure out a solution for this."

There's no way around it, I guess. "Encrypting" in JS just gives a false sense of security. HTTPS is the way to go, full stop.

@ninja-

ninja- commented Oct 5, 2015

IF wekan is Also on meteor, try getting some code from rocket.chat

@anhenghuang

anhenghuang commented Jun 7, 2016

you can try this. Change login ways by change this to ldapLogin template. I made it.

@anhenghuang

anhenghuang commented Jun 7, 2016

Be careful to put accounts-password package after hive:accounts-ldap

@skx

skx commented Jun 8, 2016

@Umi97 - That sounds like a useful pointer. Would it be possible for you to document things more fully, such that the users following the bug could try it out?

Specifically which changes need to be made, and which packages installed.

Once present I assume it will allow logins to work via LDAP credentials, but will it also create new users in the mongodb store?

@ocdtrekkie

Contributor

ocdtrekkie commented Feb 6, 2017

As a point of note, LDAP support for Sandstorm is now available for free: https://sandstorm.io/news/2017-02-06-sandstorm-returning-to-community-roots

@gramakri

gramakri commented Mar 19, 2017

I just made the Cloudron wekan app use LDAP to authenticate internally. If anyone is looking for reference code, it's in https://git.cloudron.io/cloudron/accounts-cloudron. You can also see how the accounts package is used to setup wekan in https://git.cloudron.io/cloudron/wekan-app.

When I find more time, I will try to get our code upstreamed.

@xet7

Member

xet7 commented Mar 19, 2017

@gramakri

Thanks, pull request very welcome when you find more time! :)

Pull requests are much easier for me to test than to figure out what has changed in outside repos.

@xet7

Member

xet7 commented Mar 19, 2017

@gramakri

Pull request can be done to Wekan devel branch.

@xet7

Member

xet7 commented Apr 4, 2017

I did some cleanup on this issue, to make it easier to implement in future.

@xet7

Member

xet7 commented Jul 19, 2018

@corecache

Can you provide example values to above and info what is optional?

@xet7

Member

xet7 commented Jul 19, 2018

Also anyone else that is following this issue, and is familiar with LDAP, could provide info.

Previously I did maintain LDAP some years ago, and I did not do much configuring, so when I'm testing this, I'll need to setup LDAP server etc, and read more about usage.

@xet7

Member

xet7 commented Jul 19, 2018

@dogcalas

dogcalas commented Jul 19, 2018

In the future, it should be possible to modify the values from the administration panel

@rysiekpl

rysiekpl commented Jul 19, 2018

To the best of my knowledge:

LDAP_Host

LDAP host, an IP address (192.168.1.2), a domain name (ldap.example.com), or a hostname (ldapserver).

LDAP_Port

A TCP/IP port, usually 389 (for cleartext communication) or 636 (for LDAPS).

LDAP_Reconnect

Not sure

LDAP_Internal_Log_Level

Not sure

LDAP_Timeout

Overall timeout, in seconds.

LDAP_Connect_Timeout

Connection timeout, in seconds.

LDAP_Idle_Timeout

Idle connection timeout, in seconds.

LDAP_Encryption

Not sure if this is boolean?

LDAP_CA_Cert

Certificate authority certificate for LDAPS.

LDAP_Reject_Unauthorized

LDAP_Authentication

Not sure, probably boolean

LDAP_Authentication_UserDN

The DN to use to authenticate with the server, if authenticate-before-search is enabled; for example cn=lookup,dc=example,dc=org.

LDAP_Authentication_Password

The password to use to authenticate with the server, if authenticate-before-search is enabled.

LDAP_Login_Fallback

Not sure

LDAP_BaseDN

The base DN to search for accounts if provided in the short form of just the login name (instead of a full DN).

This is used if a user logs in as username instead of (say) uid=username,ou=people,dc=example,dc=org. In such a case, Base DN would be set to ou=people,dc=example,dc=org.

LDAP_User_Search_Filter

The search filter used to search for accounts if provided in the short form of just the login name (instead of a full DN).

This is used if a user logs in as username instead of (say) uid=username,ou=people,dc=example,dc=org. In such a case, User Search Filter could be set to (objectCategory=person).

LDAP_User_Search_Scope

One of base (search only in the provided DN), one (search only in the provided DN and one level deep), or subtree (search the whole subtree). More info.

LDAP_User_Search_Field

Probably the attribute to treat as the username/user ID field. In the example above that would be uid.

LDAP_Search_Page_Size

Not sure

LDAP_Search_Size_Limit

Not sure

LDAP_Group_Filter_Enable

Not sure, probably boolean

LDAP_Group_Filter_ObjectClass

The ObjectClass of the group entries (like groupOfNames).

LDAP_Group_Filter_Group_Id_Attribute

The attribute to treat as the groupname/group ID; like gid.

LDAP_Group_Filter_Group_Member_Attribute

The attribute to treat as the one describing members of the group; like member.

LDAP_Group_Filter_Group_Member_Format

Not sure, probably DN or just the username

LDAP_Group_Filter_Group_Name

Not sure

@tezukzai

tezukzai commented Jul 19, 2018

https://rocket.chat/docs/administrator-guides/authentication/ldap/

It'd be great if we could copy what RocketChat has done. They have LDAP settings in the admin section. I have screened them below.

ldap settings

@corecache

corecache commented Jul 19, 2018

The fields are straight from RocketChat - I can elaborate with examples on them as well, since I have RocketChat in usage with LDAP.

I am currently trying to bind the ldap authentication with the accounts-base loginhandler, but apparently there is a flaw in the accounts-base package which never calls further loginhandlers once accounts-password is loaded AND the accounts-base loginhandler only forwards the password as sha256 digest, which is not of use, since we need to login with the user credentials at the Slapd/AD in order verify the credentials. Unless anyone has a better suggestion, it seems we have to work around accounts-base here, and only forward to accounts-password once we failed to log in.
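
Added example (not code from Wekan, Meteor or corecache's branch) of the server-side decision logic such a handler needs once it receives the plaintext password over HTTPS rather than the SHA-256 digest: search-and-bind versus simple bind, and a fallback to the local account store only when LDAP cannot be reached, never on a rejected password. The LDAP client is injected as an in-memory stand-in so it runs offline; the two-method client shape, the LDAP_* setting names and the login-name allowlist are assumptions.

```javascript
// Added example (not Wekan's, Meteor's or corecache's code): the server-side
// decision logic for a custom login handler once it receives the plaintext
// password (over HTTPS) rather than the SHA-256 digest accounts-base forwards.
// The LDAP client is injected so the flow runs offline; a real handler would
// wrap ldapjs bind/search calls behind the same two methods. Setting names are
// the LDAP_* fields from this thread; the allowlist regex is an assumption.

const Outcome = Object.freeze({
  OK: 'ok',
  BAD_CREDENTIALS: 'bad-credentials',     // never falls back to local passwords
  LDAP_UNAVAILABLE: 'ldap-unavailable',   // LDAP unreachable, fallback disabled
  FALLBACK_TO_LOCAL: 'fallback-to-local', // LDAP unreachable, try accounts-password
});

class LdapUnavailable extends Error {}

// client.bind(dn, password) -> boolean; client.search(base, field, value) -> [{ dn }]
// Both throw LdapUnavailable when the directory cannot be reached.
function ldapLogin(settings, client, login, password) {
  if (typeof login !== 'string' || typeof password !== 'string' || password === '') {
    // An empty password turns a simple bind into an anonymous bind, which many
    // servers accept as "success": refuse it before talking to the directory.
    return { outcome: Outcome.BAD_CREDENTIALS };
  }
  try {
    let userDn;
    if (settings.LDAP_Authentication === 'true') {
      // Search-and-bind: the service account looks up the user's DN first.
      const ok = client.bind(settings.LDAP_Authentication_UserDN, settings.LDAP_Authentication_Password);
      if (!ok) throw new LdapUnavailable('service account bind rejected');
      const hits = client.search(settings.LDAP_BaseDN, settings.LDAP_User_Search_Field, login);
      if (hits.length !== 1) return { outcome: Outcome.BAD_CREDENTIALS }; // unknown or ambiguous
      userDn = hits[0].dn;
    } else {
      // Simple bind: the DN is a template around the login name, so only a
      // conservative character set is accepted instead of escaping.
      if (!/^[A-Za-z0-9._@-]+$/.test(login)) return { outcome: Outcome.BAD_CREDENTIALS };
      userDn = `${settings.LDAP_User_Search_Field}=${login},${settings.LDAP_BaseDN}`;
    }
    // Binding as the user is the actual credential check.
    return client.bind(userDn, password)
      ? { outcome: Outcome.OK, dn: userDn }
      : { outcome: Outcome.BAD_CREDENTIALS };
  } catch (err) {
    if (!(err instanceof LdapUnavailable)) throw err;
    return settings.LDAP_Login_Fallback === 'true'
      ? { outcome: Outcome.FALLBACK_TO_LOCAL }
      : { outcome: Outcome.LDAP_UNAVAILABLE };
  }
}

// Constructed in-memory directory standing in for slapd/AD (hypothetical data).
function makeFakeClient({ down = false } = {}) {
  const entries = {
    'cn=lookup,dc=example,dc=org': { password: 'lookup-secret' },
    'uid=alice,ou=people,dc=example,dc=org': { password: 'correct horse', uid: 'alice' },
  };
  const reachable = () => { if (down) throw new LdapUnavailable('connect ECONNREFUSED'); };
  return {
    bind(dn, password) {
      reachable();
      const e = entries[dn];
      return Boolean(e && password !== '' && e.password === password);
    },
    search(base, field, value) {
      reachable();
      return Object.entries(entries)
        .filter(([dn, e]) => dn.endsWith(',' + base) && e[field] === value)
        .map(([dn]) => ({ dn }));
    },
  };
}

// Constructed settings (hypothetical values).
const handlerSettings = {
  LDAP_Authentication: 'true',
  LDAP_Authentication_UserDN: 'cn=lookup,dc=example,dc=org',
  LDAP_Authentication_Password: 'lookup-secret',
  LDAP_BaseDN: 'ou=people,dc=example,dc=org',
  LDAP_User_Search_Field: 'uid',
  LDAP_Login_Fallback: 'true',
};
```

Only the `fallback-to-local` outcome should reach accounts-password; handing a `bad-credentials` result to the local store would let a password rejected by LDAP be retried against a stale local one.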

@xet7

Member

xet7 commented Jul 19, 2018

I have not yet looked how RocketChat makes all those authentication methods configurable. It would be useful to bring all those to Wekan somehow.

@xet7

Member

xet7 commented Jul 19, 2018

Another way would be to use Rocket.Chat for all authentication, and also login to Wekan with the same auth. If that is possible.

@xet7

Member

xet7 commented Jul 19, 2018

Currently I'm looking here:
https://rocket.chat/docs/developer-guides/iframe-integration/authentication/
https://rocket.chat/docs/developer-guides/iframe-integration/

Some related unanswered question is at forum:
https://forums.rocket.chat/t/user-logged-out-of-server-rest-api-iframe-commands/1631

Maybe some authentication token could be used to also login to Wekan at the same time.

Wekan API currently is for admin permissions only:
https://github.com/wekan/wekan/wiki/REST-API

If someone has more info about this, it would be helpful.

@corecache

corecache commented Jul 20, 2018

The LDAP module sitting in my wekan branch, is the one from RocketChat ported over to Wekan - all the options are the same. The only stuff missing is a) exposing the options somehow to the admin panel b) creating a client form which calls Meteor.LoginWithLDAP (which is already provided)

@Jean-Daniel

Jean-Daniel commented Jul 20, 2018

LDAP_Port
A TCP/IP port, usually 389 (for cleartext communication) or 636 (for LDAPS).

From OpenLDAP FAQ

ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0 supports both.

So having a setting to support Start TLS would be welcome.

@Akuket

Contributor

Akuket commented Aug 2, 2018

I give you all handlers for snap. It will take someone to complete what I did next to my comments.

DESCRIPTION_LDAP_HOST="The url of the server where is located the LDAP."
DEFAULT_LDAP_HOST="ldap://ldap.example.com or ldaps://ldap.example.com"
KEY_LDAP_HOST="ldap-host"

DESCRIPTION_LDAP_PORT="A TCP/IP port, usually 389 for LDAP or 636 for LDAPS."
DEFAULT_LDAP_PORT="389"
KEY_LDAP_PORT="ldap-port"

DESCRIPTION_LDAP_RECONNECT="Try to reconnect automatically when the connection is interrupted by some reason."
DEFAULT_LDAP_RECONNECT="true"
KEY_LDAP_RECONNECT="ldap-reconnect"

// No idea
DESCRIPTION_LDAP_INTERNAL_LOG_LEVEL=""
DEFAULT_LDAP_INTERNAL_LOG_LEVEL=""
KEY_LDAP_INTERNAL_LOG_LEVEL="ldap-log-level"

// To check for the default value. Or if it's not just a boolean
DESCRIPTION_LDAP_TIMEOUT="Overall timeout, in seconds."
DEFAULT_LDAP_TIMEOUT=""
KEY_LDAP_TIMEOUT="ldap-timeout"

// To check for the default value.
DESCRIPTION_LDAP_CONNECT_TIMEOUT="Connection timeout, in seconds."
DEFAULT_LDAP_CONNECT_TIMEOUT=""
KEY_LDAP_CONNECT_TIMEOUT="ldap-connect-timeout"

// To check for the default value.
DESCRIPTION_LDAP_IDLE_TIMEOUT="Idle connection timeout, in seconds."
DEFAULT_LDAP_IDLE_TIMEOUT=""
KEY_LDAP_IDLE_TIMEOUT="ldap-idle-timeout"

// Boolean to enable it? Or chose the encryption mode (plain, ssl/ldaps, startTls)?
DESCRIPTION_LDAP_ENCRYPTION=""
DEFAULT_LDAP_ENCRYPTION=""
KEY_LDAP_ENCRYPTION="ldap-encryption"

DESCRIPTION_LDAP_CA_CERT="Certificate authority certificate for LDAPS."
DEFAULT_LDAP_CA_CERT=""
KEY_LDAP_CA_CERT="ldap-ca-cert"

DESCRIPTION_LDAP_REJECT_UNAUTHORIZED="Disable this option to allow certificates that can not be verified. Usually Self Signed Certificates will require this option disabled to work."
DEFAULT_LDAP_REJECT_UNAUTHORIZED="true"
KEY_LDAP_REJECT_UNAUTHORIZED="ldap-reject-unauthorized"

// To check
DESCRIPTION_LDAP_AUTHENTIFICATION="true=Search and bind authentication. false=Simple bind authentication."
DEFAULT_LDAP_AUTHENTIFICATION="false"
KEY_LDAP_AUTHENTIFICATION="ldap-authentication"

// To check
DESCRIPTION_LDAP_AUTHENTIFICATION_USERDN="Optional DN of the LDAP account used to search for the end-user's DN."
DEFAULT_LDAP_AUTHENTIFICATION_USERDN=""
KEY_LDAP_AUTHENTIFICATION_USERDN="ldap-authentication-userdn"

// To check
DESCRIPTION_LDAP_AUTHENTIFICATION_PASSWORD="Password of the LDAP account used to search for the end-user's DN if previoulsy set."
DEFAULT_LDAP_AUTHENTIFICATION_PASSWORD=""
KEY_LDAP_AUTHENTIFICATION_PASSWORD="ldap-authentication-password"

DESCRIPTION_LDAP_LOGIN_FALLBACK="If the login on LDAP is not successful try to login in default/local account system. Helps when the LDAP is down for some reason."
DEFAULT_LDAP_LOGIN_FALLBACK="true"
KEY_LDAP_LOGIN_FALLBACK="ldap-login-fallback"

// To check the default value. I have filled it to give an example but maybe the field must be empty by default for the code?
DESCRIPTION_LDAP_BASEDN="Base DN for the user search operation."
DEFAULT_LDAP_BASEDN="ou=people,dc=example,dc=org"
KEY_LDAP_BASEDN="ldap-basedn"

DESCRIPTION_LDAP_USER_SEARCH_FILTER="Optional extra LDAP filter to be ANDed to the basic (searchuserattribute=username) filter. Don't forget the outmost enclosing parentheses"
DEFAULT_LDAP_USER_SEARCH_FILTER=""
KEY_LDAP_USER_SEARCH_FILTER="ldap-user-search-filter"

DESCRIPTION_LDAP_USER_SEARCH_SCOPE="One of base search only in the provided DN), one (search only in the provided DN and one level deep), or subtree (search the whole subtree)."
DEFAULT_LDAP_USER_SEARCH_SCOPE=""
KEY_LDAP_USER_SEARCH_SCOPE="ldap-user-search-scope"

DESCRIPTION_LDAP_USER_SEARCH_FIELD="Attribute to compare to the given login can be uid, cn, mail, ..."
DEFAULT_LDAP_USER_SEARCH_FIELD=""
KEY_LDAP_USER_SEARCH_FIELD="ldap-user-search-field"

//No idea
DESCRIPTION_LDAP_SEARCH_PAGE_SIZE=""
DEFAULT_LDAP_SEARCH_PAGE_SIZE=""
KEY_LDAP_SEARCH_PAGE_SIZE="ldap-search-page-size"

// No idea
DESCRIPTION_LDAP_SEARCH_SIZE_LIMIT=""
DEFAULT_LDAP_SEARCH_SIZE_LIMIT=""
KEY_LDAP_SEARCH_SIZE_LIMIT="ldap-search-size-limit"

DESCRIPTION_LDAP_GROUP_FILTER_ENABLE="Enable or disable group filter options"
DEFAULT_LDAP_GROUP_FILTER_ENABLE="false"
KEY_LDAP_GROUP_FILTER_ENABLE="ldap-group-filter-enable"

DESCRIPTION_LDAP_GROUP_FILTER_OBJECTCLASS="The ObjectClass of the group entries (like groupOfNames)."
DEFAULT_LDAP_GROUP_FILTER_OBJECTCLASS=""
KEY_LDAP_GROUP_FILTER_OBJECTCLASS="ldap-group-filter-objectclass"

DESCRIPTION_LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE="The attribute to treat as the groupname/group ID; like gid."
DEFAULT_LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=""
KEY_LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE="ldap-group-filter-id-attribute"

DESCRIPTION_LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE="The attribute to treat as the one describing members of the group; like member."
DEFAULT_LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=""
KEY_LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE="ldap-group-filter-member-attribute"

// To check
DESCRIPTION_LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT="Optional base DN for group restriction"
DEFAULT_LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=""
KEY_LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT="ldap-group-filter-member-format"

// No idea
DESCRIPTION_LDAP_GROUP_FILTER_GROUP_NAME=""
DEFAULT_LDAP_GROUP_FILTER_GROUP_NAME=""
KEY_LDAP_GROUP_FILTER_GROUP_NAME="ldap-group-filter-name"

And if env vars in the code are formatted like that "LDAP_Host", it'll be necessary to update what I've done.
Example : DESCRIPTION_LDAP_HOST -> DESCRIPTION_LDAP_Host
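
Added example (not code from Wekan, RocketChat or the snap packaging) of a pre-flight check over the LDAP_* settings collected in this thread: it derives the connection URL and transport (plain, LDAPS, or StartTLS as Jean-Daniel's OpenLDAP note suggests) and reports the combinations a deployer should not go live with, such as cleartext transport or LDAP_Reject_Unauthorized disabled. The accepted LDAP_Encryption values (plain, ssl, starttls) and the defaults are assumptions for this example.

```javascript
// Added example (not Wekan's, RocketChat's or the snap's code): pre-flight
// validation of the LDAP_* settings discussed in this thread. Accepted
// LDAP_Encryption values 'plain' | 'ssl' | 'starttls' and the defaults below
// are assumptions for this example.

const DEFAULTS = {
  LDAP_Port: '389', LDAP_Encryption: 'plain', LDAP_Reject_Unauthorized: 'true',
  LDAP_Authentication: 'false', LDAP_Login_Fallback: 'true', LDAP_User_Search_Scope: 'sub',
};

function checkLdapSettings(raw) {
  const s = { ...DEFAULTS, ...raw };
  const errors = [];
  const warnings = [];

  // LDAP_Host may be a bare name or a URL; a URL scheme must agree with LDAP_Encryption.
  const host = String(s.LDAP_Host || '');
  if (!host) errors.push('LDAP_Host is required');
  const url = host.match(/^(ldaps?):\/\/([^/:]+)$/);
  const hostname = url ? url[2] : host;

  const port = Number(s.LDAP_Port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) errors.push('LDAP_Port must be 1-65535');

  const enc = String(s.LDAP_Encryption).toLowerCase();
  const transport = { plain: 'plain', ssl: 'ldaps', ldaps: 'ldaps', starttls: 'starttls' }[enc] || null;
  if (!transport) errors.push(`LDAP_Encryption must be plain, ssl or starttls (got "${s.LDAP_Encryption}")`);
  if (url && url[1] === 'ldaps' && transport !== 'ldaps') errors.push('LDAP_Host is ldaps:// but LDAP_Encryption is not ssl');
  if (transport === 'starttls' && port === 636) warnings.push('StartTLS upgrades the plain port (usually 389); 636 is for ldaps');

  // Simple bind sends the password as-is, so the channel itself must be protected.
  if (transport === 'plain') warnings.push('cleartext transport: user and service-account passwords cross the network unprotected');
  if (transport && transport !== 'plain') {
    if (s.LDAP_Reject_Unauthorized !== 'true') {
      warnings.push('LDAP_Reject_Unauthorized=false disables certificate verification; add the CA via LDAP_CA_Cert instead');
    } else if (!s.LDAP_CA_Cert) {
      warnings.push('no LDAP_CA_Cert: a private-CA or self-signed server certificate will be rejected');
    }
  }

  // Search-and-bind needs the lookup account; every mode needs a base DN and a valid scope.
  if (s.LDAP_Authentication === 'true' && !(s.LDAP_Authentication_UserDN && s.LDAP_Authentication_Password)) {
    errors.push('search-and-bind needs LDAP_Authentication_UserDN and LDAP_Authentication_Password');
  }
  if (!s.LDAP_BaseDN) errors.push('LDAP_BaseDN is required');
  if (!['base', 'one', 'sub', 'subtree'].includes(s.LDAP_User_Search_Scope)) {
    errors.push('LDAP_User_Search_Scope must be base, one or sub');
  }
  if (s.LDAP_Login_Fallback === 'true') {
    warnings.push('local fallback is on: a user disabled in LDAP can still log in with a local password');
  }

  return {
    url: transport ? `${transport === 'ldaps' ? 'ldaps' : 'ldap'}://${hostname}:${port}` : null,
    transport, errors, warnings,
  };
}

// Constructed settings (hypothetical): the weak setup beside the hardened one.
const weakSettings = {
  LDAP_Host: 'ldap.example.com', LDAP_Port: '389', LDAP_Encryption: 'plain',
  LDAP_Reject_Unauthorized: 'false', LDAP_BaseDN: 'ou=people,dc=example,dc=org',
};
const hardenedSettings = {
  LDAP_Host: 'ldaps://ldap.example.com', LDAP_Port: '636', LDAP_Encryption: 'ssl',
  LDAP_Reject_Unauthorized: 'true', LDAP_CA_Cert: '<PEM of the internal CA, placeholder>',
  LDAP_Authentication: 'true', LDAP_Authentication_UserDN: 'cn=lookup,dc=example,dc=org',
  LDAP_Authentication_Password: '<service account password, placeholder>',
  LDAP_BaseDN: 'ou=people,dc=example,dc=org', LDAP_Login_Fallback: 'false',
};

console.log(checkLdapSettings(weakSettings).warnings);   // cleartext + fallback warnings
console.log(checkLdapSettings(hardenedSettings).errors);  // []
```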

maximest-pierre Aug 14, 2018

I submitted a PR for this issue #1826

xet7 Aug 14, 2018

Member

@maximest-pierre

How does it work, step by step? Did you test it? Where are settings configured?

I think that to get this all working, the following are required:

And these would need to be combined into a pull request that would make it possible that, if LDAP is enabled and settings set, LDAP would work.

maximest-pierre Aug 14, 2018

@xet7 The configuration is set in settings.json for now. I am currently in the middle of cleaning up my meteor package, adding documentation about all the fields and giving an example of the settings.json.

To test it, I am currently running an LDAP server in docker and manually created a user for testing.

There are still some bugs but they seem to be related to sync between MongoDB and the LDAP server (missing fields).

Here is my not-so-pretty settings.json that made it all work:

{
  "public": {
    "ldap": true
  },
  "LDAP_Enable": true,
  "private": {
    "ldap": {
      "LDAP_Port": 389,
      "LDAP_Host": "localhost",
      "LDAP_BaseDN": "ou=user,dc=example,dc=org",
      "LDAP_Login_Fallback": false,
      "LDAP_Reconnect": true,
      "LDAP_Timeout": 10000,
      "LDAP_Idle_Timeout": 10000,
      "LDAP_Connect_Timeout": 10000,
      "LDAP_Authentication": true,
      "LDAP_Authentication_UserDN": "cn=admin,dc=example,dc=org",
      "LDAP_Authentication_Password": "admin",
      "LDAP_Internal_Log_Level": "debug",
      "LDAP_Background_Sync": false,
      "LDAP_Background_Sync_Interval": "100",
      "LDAP_Encryption": false,
      "LDAP_Reject_Unauthorized": false,
      "LDAP_Group_Filter_Enable": false,
      "LDAP_Search_Page_Size": 0,
      "LDAP_Search_Size_Limit": 0,
      "LDAP_User_Search_Filter": "",
      "LDAP_User_Search_Field": "uid",
      "LDAP_User_Search_Scope": "",
      "LDAP_Unique_Identifier_Field": "guid",
      "LDAP_Username_Field": "uid",
      "LDAP_Sync_User_Data": false,
      "LDAP_Sync_User_Data_FieldMap": "{\"cn\":\"name\", \"mail\":\"email\"}",
      "LDAP_Merge_Existing_Users": true,
      "UTF8_Names_Slugify": true
    }
  }
}
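
The settings.json above is enough to make the login work, but several of its values are the ones that should not survive into a production deployment: `LDAP_Encryption: false` together with `LDAP_Reject_Unauthorized: false` means every user's password and the service account's password cross the network unprotected, and that service-account password is the literal `admin`. As an added example (not wekan or wekan-ldap code), here is a small audit over that structure, with the posted values beside a hardened copy; the rule set, `auditLdapSettings` and the hardened values are this example's own. Because the thread has not settled whether `LDAP_Encryption` is a boolean or a mode name, the check accepts either form. The timeout rule is there because the three `*_Timeout` values, assuming they are handed to the ldapjs client unchanged, are milliseconds, so a value under 1000 is almost certainly a seconds-versus-milliseconds mix-up.

```javascript
// Added example, not wekan or wekan-ldap code: audit the LDAP section of a wekan settings.json for
// options that weaken authentication. The rule set and auditLdapSettings are this example's own;
// postedSettings mirrors the values in the thread and hardenedSettings is constructed here.

function auditLdapSettings(settings) {
  const ldap = (settings.private && settings.private.ldap) || {};
  const findings = [];
  const flag = (key, severity, message) => findings.push({ key, severity, message });

  // The thread leaves open whether LDAP_Encryption is a boolean or a mode name, so accept either form.
  // Anything else means the service bind password and every user's password cross the wire in cleartext.
  const enc = ldap.LDAP_Encryption;
  const encrypted = enc === true || ['tls', 'starttls', 'ssl', 'ldaps'].includes(String(enc).toLowerCase());
  if (!encrypted && !/^ldaps:\/\//i.test(String(ldap.LDAP_Host || ''))) {
    flag('LDAP_Encryption', 'high', 'LDAP traffic is unencrypted; user and service-account passwords are sent in cleartext');
  }
  // TLS without certificate validation still encrypts, but accepts any on-path server that presents a certificate.
  if (ldap.LDAP_Reject_Unauthorized === false) {
    flag('LDAP_Reject_Unauthorized', 'high', 'certificate validation disabled; put the private CA in LDAP_CA_Cert instead');
  }
  // Fallback keeps a stale local password usable after the account is disabled in LDAP.
  if (ldap.LDAP_Login_Fallback === true) {
    flag('LDAP_Login_Fallback', 'medium', 'local-password fallback lets deprovisioned LDAP users keep logging in');
  }
  if (ldap.LDAP_Authentication === true) {
    if (!ldap.LDAP_Authentication_UserDN) {
      flag('LDAP_Authentication_UserDN', 'medium', 'search-and-bind is on but no service DN is set; lookups would run anonymously');
    } else if (!ldap.LDAP_Authentication_Password || String(ldap.LDAP_Authentication_Password).length < 16) {
      flag('LDAP_Authentication_Password', 'high', 'service bind password is empty or shorter than 16 characters');
    }
  }
  // ldapjs client timeouts are milliseconds; a value under 1000 almost certainly meant seconds.
  for (const key of ['LDAP_Timeout', 'LDAP_Connect_Timeout', 'LDAP_Idle_Timeout']) {
    const v = ldap[key];
    if (typeof v === 'number' && v > 0 && v < 1000) flag(key, 'low', key + '=' + v + ' is interpreted as milliseconds');
  }
  // The extra filter is ANDed onto (field=username) and must itself be a complete, parenthesised filter.
  const extra = ldap.LDAP_User_Search_Filter;
  if (extra && !/^\(.*\)$/.test(extra)) flag('LDAP_User_Search_Filter', 'medium', 'extra filter must be wrapped in parentheses');
  if (ldap.LDAP_Internal_Log_Level === 'debug') {
    flag('LDAP_Internal_Log_Level', 'low', 'debug logging records bind DNs and search filters');
  }
  return findings;
}

// The LDAP section as posted above (only the keys the rules look at).
const postedSettings = { public: { ldap: true }, LDAP_Enable: true, private: { ldap: {
  LDAP_Port: 389, LDAP_Host: 'localhost', LDAP_BaseDN: 'ou=user,dc=example,dc=org', LDAP_Login_Fallback: false,
  LDAP_Timeout: 10000, LDAP_Idle_Timeout: 10000, LDAP_Connect_Timeout: 10000,
  LDAP_Authentication: true, LDAP_Authentication_UserDN: 'cn=admin,dc=example,dc=org', LDAP_Authentication_Password: 'admin',
  LDAP_Internal_Log_Level: 'debug', LDAP_Encryption: false, LDAP_Reject_Unauthorized: false,
  LDAP_User_Search_Filter: '', LDAP_User_Search_Field: 'uid',
} } };

// Same structure with the flagged values corrected (constructed here; the real bind password belongs in a secret store).
const hardenedSettings = { ...postedSettings, private: { ldap: { ...postedSettings.private.ldap,
  LDAP_Port: 636, LDAP_Host: 'ldaps://ldap.example.org', LDAP_Encryption: 'ssl', LDAP_Reject_Unauthorized: true,
  LDAP_Internal_Log_Level: 'info', LDAP_Authentication_Password: '<value from secret store, 32+ chars>',
} } };
```

Running `auditLdapSettings(postedSettings)` reports four findings (encryption, certificate validation, the bind password and debug logging); the hardened copy reports none. The one value the posted file already gets right is `LDAP_Login_Fallback: false`, which is what stops a user removed from the directory from logging in with an old local password.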

xet7 Aug 14, 2018

Member

@maximest-pierre

Would it be possible for your meteor package to be hosted in the Wekan GitHub org? That way I would be able to make fixes directly to it. I would create a new repo at https://github.com/wekan/ldap (or any other repo name) and invite you with commit access.

maximest-pierre Aug 14, 2018

@xet7 That would be possible 👍 it might be the simplest way of doing it.

xet7 commented Aug 14, 2018

Member

Saruspete Sep 3, 2018

Hello,

Would it be possible to have a few lines explaining how to use this LDAP modification? I don't get what modifications / commands I should pass to Meteor and/or where to push the files.

I tried cloning it into the packages/ folder, then issued the following (after multiple unsuccessful other tries):

meteor add standard-minifier-js
meteor npm install
meteor build --directory ../wekan-1.39.ldap.build
cp -f fix-download-unicode/cfs_access-point.txt ../wekan-1.39.ldap.build/bundle/programs/server/packages/cfs_access-point.js

So I see some ldapjs packages included, but no trace of vars from wekan-ldap.

Any hint / howto ?

Thanks a lot !

Saruspete Sep 5, 2018

Ok, finally got it working. Should we report the auto-registration / sync issues on wekan-ldap or in wekan?

xet7 Sep 5, 2018

Member

@Saruspete

Report to wekan-ldap.

jolentes Sep 7, 2018

I saw that the 4 commands of @Saruspete are included in the Dockerfile already.
What do I have to do to include wekan-ldap in the Docker build process?

  1. Clone wekan into /wekan
  2. Create packages/ folder in /wekan
  3. Clone wekan-ldap to folder <workdir>/wekan/packages/wekan-ldap
  4. Source app.env
  5. Run docker-compose build

PS: docker-compose build failed due to a tar error when installing meteor. Had to add install of bsdtar and use it for meteor extraction. Git clone with the git:// protocol also failed.

Saruspete Sep 7, 2018

I'm no fan of any automated tool that embeds its own filesystem, so I took the commands from the Dockerfile and replayed some modifications from https://github.com/wekan/wekan/pull/1826/files after learning a bit about meteor.

A simplified script of mine would be:

set -o nounset
set -o noclobber
typeset PKGVERS_WEKAN='v1.43'

typeset MYPATH="$(pwd -P)"
typeset DST_BUILD="$MYPATH/wekan.build"
typeset DST_RUN="$MYPATH/wekan-$PKGVERS_WEKAN"
typeset SRC_BASE="$MYPATH/wekan.src"
typeset SRC_PKGS="$SRC_BASE/packages"

# Download wekan sources (release)
# (the archive is fetched without a checksum or signature check; pin the tag and verify the download if this runs unattended)
mkdir -p "$SRC_BASE" && cd "$SRC_BASE"
curl -L "https://github.com/wekan/wekan/archive/${PKGVERS_WEKAN}.tar.gz" | tar -xz --strip=1

# Download packages
mkdir -p "$SRC_PKGS" && cd "$SRC_PKGS"
git clone --depth 1 -b master 'https://github.com/wekan/flow-router.git' 'kadira-flow-router'
git clone --depth 1 -b master 'https://github.com/meteor-useraccounts/core.git' 'meteor-useraccounts-core'
sed -i 's/api\.versionsFrom/\/\/api.versionsFrom/' 'meteor-useraccounts-core/package.js'
git clone --depth 1 -b master 'https://github.com/wekan/wekan-ldap.git' 'wekan-ldap'

# Implement LDAP patch (https://github.com/wekan/wekan/pull/1826/files)
cd "$SRC_BASE"
echo 'wekan:wekan-ldap' >> '.meteor/versions'
echo 'yasaricli:slugify@0.0.7' >> '.meteor/versions'
sed -Ee '/es6-promise/a\    "ldapjs": "^1.0.2",' -i package.json

# Apply the patch. The heredoc delimiter is quoted so the shell leaves the
# $('#at-field-...') jQuery calls in the diff alone instead of expanding them.
patch -p0 <<'EOT'
diff --git client/components/main/layouts.jade client/components/main/layouts.jade
index b0024b3..b0f7b33 100644
--- client/components/main/layouts.jade
+++ client/components/main/layouts.jade
@@ -18,6 +18,9 @@ template(name="userFormsLayout")
       img(src="{{pathFor '/wekan-logo.png'}}" alt="Wekan")
     section.auth-dialog
       +Template.dynamic(template=content)
+      if isLdap
+         .at-form
+         button#ldap(class='at-btn submit') {{ldapSignInLabel}}
       if isCas
         .at-form
           button#cas(class='at-btn submit' type='submit') {{casSignInLabel}}
diff --git client/components/main/layouts.js client/components/main/layouts.js
index 6d6e616..0bfbc03 100644
--- client/components/main/layouts.js
+++ client/components/main/layouts.js
@@ -40,12 +40,18 @@ Template.userFormsLayout.helpers({
     return t9nTag === curLang;
   },
 
+  isLdap() {
+     return Meteor.settings.public.ldap;
+  },
   isCas() {
     return Meteor.settings.public &&
       Meteor.settings.public.cas &&
       Meteor.settings.public.cas.loginUrl;
   },
 
+  ldapSignInLabel() {
+     return TAPi18n.__('ldapSignIn', {}, T9n.getLanguage() || 'en');
+  },
   casSignInLabel() {
     return TAPi18n.__('casSignIn', {}, T9n.getLanguage() || 'en');
   },
@@ -64,6 +70,21 @@ Template.userFormsLayout.events({
       }
     });
   },
+  'click button#ldap'() {
+     const username = $('#at-field-username_and_email').val() ||
+           $('#at-field-username').val() ||
+           $('#at-field-email').val();
+     const password = $('#at-field-password').val();
+     const options = {};
+     Meteor.loginWithLDAP(username, password, options, function(err) {
+       if (err){
+         console.log(err);
+       }
+       if (FlowRouter.getRouteName() === 'atSignIn') {
+         FlowRouter.go('/');
+       }
+     });
+   },
 });
 
 Template.defaultLayout.events({
EOT
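# Review bot: in the layouts.jade hunk the new button#ldap line sits at the same
# indent as .at-form, so the "if isLdap" branch renders an empty .at-form div with
# the button as its sibling, unlike the CAS block right below where button#cas is
# nested one level inside .at-form. Suggest indenting the button under .at-form and
# giving it type='submit' for parity with button#cas.
#
# Review bot: in the first layouts.js hunk isLdap() reads Meteor.settings.public.ldap
# with no null check, while isCas() next to it guards Meteor.settings.public first; a
# settings file without a "public" section makes the login layout throw instead of
# hiding the button. Suggest "return Meteor.settings.public && Meteor.settings.public.ldap;".
#
# Review bot: in the second layouts.js hunk the loginWithLDAP callback calls
# FlowRouter.go('/') whether or not err is set, and the error itself only goes to
# console.log, so a rejected password gives the user no visible feedback. Suggest
# returning after surfacing the error and navigating only on success.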

# Then go on with compilation
meteor add standard-minifier-js
meteor npm install
meteor build --directory "$DST_BUILD"
# meteor build puts the tarball contents under bundle/, so the unicode fix goes there
cp "$SRC_BASE/fix-download-unicode/cfs_access-point.txt" "$DST_BUILD/bundle/programs/server/packages/cfs_access-point.js"
cd "$DST_BUILD/bundle/programs/server"
npm install

# Then deploy and run
cp -r "$DST_BUILD/bundle" "$DST_RUN"
ln -s "$DST_RUN" "$MYPATH/wekan-current"

# Export usual vars, and the settings for ldap
export ROOT_URL="..."
# use settings.json from the snippet given by @maximest-pierre a few comments before
# (it holds the LDAP bind password, so keep the file readable by the service user only)
export METEOR_SETTINGS="$(cat "$DST_RUN/settings.json")"
cd "$DST_RUN"
node main.js >>"$DST_RUN/wekan.out" 2>>"$DST_RUN/wekan.err" &

@xet7 may I suggest updating the "latest release" tag on GitHub? That would enable automatic downloads such as https://github.com/wekan/wekan/releases/latest or their API https://api.github.com/repos/wekan/wekan/releases/latest. The current "latest" is 1.07.
Automation seems possible too from https://developer.github.com/v3/repos/releases/#create-a-release

xet7 Sep 8, 2018

Member

@Saruspete

I added the newest Wekan release to the latest tag.

I will try adding LDAP to Wekan according to the script in your comment above.

xet7 Sep 8, 2018

Member

It seems that I do not yet have time to make changes.

I added wekan/wekan-ldap#3 about what is required before integrating LDAP into Wekan.
