How to configure LDAP in Discourse?
-
This was previously posted in the Discourse App wishlist topic.
I'm trying to add LDAP support myself. I've added the ldap addon to the package manifest, built and installed it. I've also installed the discourse-ldap-auth plugin. It sort of works!
Here are the settings I could figure out myself:
Remaining issues:
- For
invite-onlyforums that only want LDAP, that setting has to be turned off. Otherwise LDAP users can't authenticate. The feature can still be achieved by- disabling
enable local logins - disablling
enable local logins via email - reenable
allow new registrations(Brings back the Sign up button, but luckily (!?) it leads to LDAP login too.
- disabling
- Accounts aren't automatically created. (Not possible currently)
- I don't know what
en_US.login.ldap.nameis or how to map it/fix it. - I don't know how to map the suggested username to the Cloudron username upon Discourse account creation. I would also want to lock it.
- I don't know any other LDAP settings, I just ripped them from the Wordpress LDAP integration settings
- LDAP sign-in UI looks off-brand and dodgy, possibly signalling phishing attempt for some users.
Any help appreciated!
- For
-
This was the app that I had running via cloudron OAuth that got broken! I knew there was one...this has just become a bit of a problem for me too
-
If the LDAP add-on is enabled for the app at least, it should be able to bind and authenticate even if it means manually copying credentials. I may have to steal them from another app (bad!) in the mean time though since I'm getting complaints from users
-
It would also be pretty trivial for me to fork and update this plugin to work more automatically with limited configuration for cloudron specifically and cleaning up things like that
en_US.login.ldap.namewhich is an i18n key
-
@jimcavoli said in How to configure LDAP in Discourse?:
fork and update this plugin to work more automatically
Do you mean that you would be able to address the non-automatic account creation?
-
@yusf I'm not gonna say yes at this point since syncing requires some sort of cron-like setup and I'm just not sure how involved that would be - I mostly meant reading those settings in from the LDAP add-on without having to copy them into the admin UI from the app's console.
I wouldn't rule it out, but if we could get that to be the only outstanding "issue" it strikes me that would be substantial progress for a start
-
I see. I don't know where the plugin data is stored but I suppose the official package can be modified to include the LDAP addon, the plugin and its settings.
My personal incentive however, is to improve the experience for users (wrt the bullets above). Package automation can come later.
-
Gets a little technical about ruby and how discourse manages the plugins, but that all sort of goes hand-in-hand. Depending how the next day or two go, I'll see about doing something that we can use in order to keep the conversation moving and have a base to tackle some of those features from. Appreciate the context of your goals; I'll bear that in mind when the code starts flying
-
@jimcavoli Did any code start flying?
-
@yusf Not as of yet...last few weeks have been very long hours for me on a litany of other things. I'll hopefully be getting some time back in a week or two
