Cloudron Forum

@joseph said in EntraID / AzureAD LDAP wrapper: @NCKNE said in EntraID / AzureAD LDAP wrapper: Entra ID / Azure AD is not LDAP TIL Had no clue, ignore my previous comment then. Just read about it a little more and it seems you need something called Azure AD DS per https://www.reddit.com/r/sysadmin/comments/120e71z/ldaps_with_azure_ad_tenant_bundled_with_office_365/ Yeah, but the Azure AD DS you mentioned is very complex and expensive (licensing costs). I just thought since the topic had come up a few time, native support of Entra ID / Azure AD might be something to consider for the future.

Thanks for the information

@corevoid I guess this is dup of https://forum.cloudron.io/topic/12327/ldap-not-starting-after-8-0-3-upgrade ?

@adisonverlice2 ah, I see, thanks. So, intent of Cloudron's Directory Server is not to replace/compete with AD. It's just a way for apps to authenticate. It's not meant to replace a full blown LDAP like manage user profiles (pictures), groups, organization trees etc.

@nebulon It took a while to look into it - on my external facing URL it was my proxy & firewall that was blocking it. I switch to using the local IP & changed the Base DN as you mentioned & it is now pulling in users. Thanks for your help!

I think some products expect LDAP data to be structured in a certain way ("schemas"). Not sure what pfsense expects to exist in LDAP. Maybe they are supporting OpenLDAP or something?

@necrevistonnezr said in LDAP failing: (I ️ block user on NodeBB) Not sure why I need to know that... but: amen!

@fbartels thank you very much for this important point. In my answer I completely forgot to point out the potential pitfalls of already existing external apps. So @pbischoff in your requirements concept you should take a closer look at the needs of the external apps. The moment they need something specific like office printers, pictures, phone numbers .... you are lost with the built in LDAP directory server.

@girish Yeah, unfortunately won't work yet. https://forum.cloudron.io/topic/8940/apps-with-openid-connect-provider-beta/13

@girish silly me sir I had my.domain proxy enabled when I turned off it works

@TomsFreitas an idea is to then check cloudron server logs. LDAP logs are suppressed by default. For this: Edit /etc/systemd/system/box.service Find the Environment= line. Change "DEBUG=box:*,connect-lastmile,-box:ldap" to "DEBUG=box:*,connect-lastmile" systemctl daemon-reload systemctl restart box Now, maybe something appears in /home/yellowtent/platformdata/logs/box.log .

@sufian-mughal Currently, this is not possible. This is because LDAP has no standard way of passing through LDAP information. That said, usually apps are able to enable 2FA independently of LDAP. This means that users manage 2FA inside the app instead of Cloudron - it works this way for GitLab/Gitea etc for example. For matrix, upstream is still working on it - https://github.com/matrix-org/matrix-spec-proposals/pull/1998

@girish That works great! Many many thanks for you prompt support!

@girish

Without being able to debug this further, for a start, the filter seems wrong. The Cloudron provided user records would have the following objectClass attribute: objectclass: [ 'user', 'inetorgperson', 'person' ] so use one of those three entries there. Also Cloudron has no attribute uidNumber maybe using entryuuid works there though.

That's great! Thank you very much.

@nebulon I'm totally sure that I have enabled the directory server in Cloudron, not sure where it's stuck... Maybe I will try and give it a go to package Authelia as an app in Cloudron. Only thing is i have zero experience with that, so it's going to be a learning curve.... Maybe @Jan-Macenka can help/assist me with that?

@nebulon Issues solved it was my issues by doing wrong LDAP Filter.

@nebulon can you maybe have a look into the other thread, I am a bit stuck but it would be important to get this right for a porject of mine.

@girish wait ... true [image: 1654545805187-6a136902-e13f-47d9-b8be-68193a8688b4-image.png]