Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Unsolved How to configure LDAP in Discourse?

    Discourse
    5
    25
    1486
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • yusf
      yusf last edited by

      This was previously posted in the Discourse App wishlist topic.

      I'm trying to add LDAP support myself. I've added the ldap addon to the package manifest, built and installed it. I've also installed the discourse-ldap-auth plugin. It sort of works! πŸŽ‰

      Here are the settings I could figure out myself:

      2d87620f-5010-4926-95ab-d45dd404be06-bild.png

      Remaining issues:

      • For invite-only forums that only want LDAP, that setting has to be turned off. Otherwise LDAP users can't authenticate. The feature can still be achieved by
        • disabling enable local logins
        • disablling enable local logins via email
        • reenable allow new registrations (Brings back the Sign up button, but luckily (!?) it leads to LDAP login too.
      • Accounts aren't automatically created. (Not possible currently)
      • I don't know what en_US.login.ldap.name is or how to map it/fix it.
      • I don't know how to map the suggested username to the Cloudron username upon Discourse account creation. I would also want to lock it. 92ecb980-7f80-4003-a4ff-03b0b6f7cac9-bild.png
      • I don't know any other LDAP settings, I just ripped them from the Wordpress LDAP integration settings πŸ˜†
      • LDAP sign-in UI looks off-brand and dodgy, possibly signalling phishing attempt for some users.

      Any help appreciated!

      1 Reply Last reply Reply Quote 2
      • jimcavoli
        jimcavoli App Dev last edited by

        This was the app that I had running via cloudron OAuth that got broken! I knew there was one...this has just become a bit of a problem for me too

        1 Reply Last reply Reply Quote 0
        • jimcavoli
          jimcavoli App Dev last edited by

          If the LDAP add-on is enabled for the app at least, it should be able to bind and authenticate even if it means manually copying credentials. I may have to steal them from another app (bad!) in the mean time though since I'm getting complaints from users

          1 Reply Last reply Reply Quote 0
          • jimcavoli
            jimcavoli App Dev last edited by

            It would also be pretty trivial for me to fork and update this plugin to work more automatically with limited configuration for cloudron specifically and cleaning up things like that en_US.login.ldap.name which is an i18n key

            1 Reply Last reply Reply Quote 0
            • yusf
              yusf last edited by yusf

              @jimcavoli said in How to configure LDAP in Discourse?:

              fork and update this plugin to work more automatically

              Do you mean that you would be able to address the non-automatic account creation?

              jimcavoli 1 Reply Last reply Reply Quote 0
              • jimcavoli
                jimcavoli App Dev @yusf last edited by

                @yusf I'm not gonna say yes at this point since syncing requires some sort of cron-like setup and I'm just not sure how involved that would be - I mostly meant reading those settings in from the LDAP add-on without having to copy them into the admin UI from the app's console.

                I wouldn't rule it out, but if we could get that to be the only outstanding "issue" it strikes me that would be substantial progress for a start

                1 Reply Last reply Reply Quote 1
                • yusf
                  yusf last edited by yusf

                  I see. I don't know where the plugin data is stored but I suppose the official package can be modified to include the LDAP addon, the plugin and its settings.

                  My personal incentive however, is to improve the experience for users (wrt the bullets above). Package automation can come later.

                  1 Reply Last reply Reply Quote 0
                  • jimcavoli
                    jimcavoli App Dev last edited by

                    Gets a little technical about ruby and how discourse manages the plugins, but that all sort of goes hand-in-hand. Depending how the next day or two go, I'll see about doing something that we can use in order to keep the conversation moving and have a base to tackle some of those features from. Appreciate the context of your goals; I'll bear that in mind when the code starts flying πŸ™‚

                    yusf 1 Reply Last reply Reply Quote 2
                    • yusf
                      yusf @jimcavoli last edited by

                      @jimcavoli Did any code start flying? πŸ˜‰

                      jimcavoli 1 Reply Last reply Reply Quote 1
                      • jimcavoli
                        jimcavoli App Dev @yusf last edited by

                        @yusf Not as of yet...last few weeks have been very long hours for me on a litany of other things. I'll hopefully be getting some time back in a week or two

                        1 Reply Last reply Reply Quote 2
                        • yusf
                          yusf last edited by

                          @girish Can we have the Discourse app updated with LDAP addon included in the Cloudron manifest? (MR here)

                          1 Reply Last reply Reply Quote 1
                          • girish
                            girish Staff last edited by

                            Were the issues related to account creation sorted out?

                            yusf 1 Reply Last reply Reply Quote 0
                            • yusf
                              yusf @girish last edited by

                              @girish It was not. As mentioned earlier I did some light digging into the issue but as you can see in this issue that is where it's at currently.

                              I figured there's no harm in enabling the Cloudron LDAP addon in the package but I realize that as maintainer you may have another view on that matter.

                              1 Reply Last reply Reply Quote 0
                              • girish
                                girish Staff last edited by

                                @yusf If I understand the current situation, if the LDAP plugin is enabled:

                                • User logs in.
                                • User sees a screen to 'create new account'. User has to just click through.

                                Is this the case? If so, that does not seem like a major issue.

                                yusf 1 Reply Last reply Reply Quote 0
                                • yusf
                                  yusf @girish last edited by

                                  @girish That's correct. There are more oddities around depending on what default use case you would go with for the package. (walled garden, open registration+ldap etc)

                                  1 Reply Last reply Reply Quote 0
                                  • girish
                                    girish Staff last edited by

                                    @yusf To keep you updated, I looked into this a bit further. The issue is that when we add ldap as addon, Cloudron UI selects this as the default. For an app like discourse, using LDAP is uncommon since it's mostly a publicly forum use case.

                                    I think before we add LDAP support to nodebb/discourse etc, we need to fix Cloudron to support "dynamic addons". This way one can toggle LDAP support on/off whenever they want. That's the best way to fix this. Otherwise, I suspect, people will blindly install Discourse with LDAP, then disable LDAP inside Discourse and this will only lead to problems (since in Cloudron packages currently we assume that LDAP support is never removed like that inside an app).

                                    yusf jdaviescoates 3 Replies Last reply Reply Quote 3
                                    • yusf
                                      yusf @girish last edited by

                                      @girish Seems like an apt solution to the problem. Thanks for looking into it.

                                      For what it’s worth I’m often faced with the opposite use-case: some group need internal forum software, apart from other Cloudron services. So I’m interested in doing the same thing with NodeBB.

                                      1 Reply Last reply Reply Quote 2
                                      • jdaviescoates
                                        jdaviescoates @girish last edited by

                                        @girish said in How to configure LDAP in Discourse?:

                                        For an app like discourse, using LDAP is uncommon since it's mostly a publicly forum use case.

                                        Even in those cases it'd still be nice to have LDAP, like we can in Rocket.Chat right now, i.e. Cloudron uses can use LDAP to login to Rocket.Chat using their Clourdon credentials, and non-Cloudron users can just register and login as normal too.

                                        I'd like the same UX for Discourse too, best of both worlds! πŸ™‚

                                        I use Cloudron with Gandi & Hetzner

                                        1 Reply Last reply Reply Quote 1
                                        • yusf
                                          yusf @girish last edited by

                                          @girish And meanwhile if I want to go venture off with a forked Discourse app with the only difference being that the LDAP addon is added, I should be able to stay compatible with the official one within foreseeable future, right?

                                          1 Reply Last reply Reply Quote 1
                                          • girish
                                            girish Staff last edited by

                                            @yusf Yes, it should remain compatible. I haven't gotten time to updating the Dockerfile to have the LDAP plugin pre-installed and pre-configured. If you have the code for that, I can look into merging it.

                                            jdaviescoates 1 Reply Last reply Reply Quote 2
                                            • jdaviescoates
                                              jdaviescoates @girish last edited by jdaviescoates

                                              @girish yet another reason for having the LDAP plugin for Discourse pre-installed and pre-configured on Cloudron would be so that we can start to try and reverse engineer the new Discourse Teams as much as possible (sadly it's not all open source, although as I understand it lots of the features are just using open source plugins)

                                              More info about the difference between Discourse and Discourse Teams:

                                              https://support.teams.discourse.com/docs?topic=85
                                              https://meta.discourse.org/t/comparing-discourse-for-teams-with-discourse/168423/7

                                              Edit: and following my prompts they've now added the list of open source plugins they use in Teams to that support link, i.e.

                                              Ships with the following official plugins: akismet, assign, cakeday, calendar, chat-integration, checklist, code-review, docs, encrypt, footnote, github, graphviz, math, openid-connect, policy, rss-polling, solved, spoiler-alert

                                              I use Cloudron with Gandi & Hetzner

                                              1 Reply Last reply Reply Quote 1
                                              • luckow
                                                luckow translator last edited by

                                                Sorry. Got to the party too late. Today I installed the LDAP plugin from here https://github.com/jonmbake/discourse-ldap-auth and took some ldap creds from my wekan app.
                                                Short info: both user managements lives together in harmony
                                                e488d690-4e2e-49dd-8655-7cd486cc0155-image.png
                                                In my understanding the sign-up process goes to discourse user management. LDAP is only for the sign-in process (makes sense).
                                                The only glitch at the moment:
                                                c2e7abd3-cd4a-45d5-8fde-23c0200d48d1-image.png
                                                Disabling LDAP in the Plugin settings doesn't change anything.

                                                My 2 cents for the moment: please add the LDAP addon to this app, because of the plugin and some use cases, where LDAP makes sense.

                                                Pronouns: he/him | Primary language: German

                                                girish jdaviescoates 2 Replies Last reply Reply Quote 2
                                                • girish
                                                  girish Staff @luckow last edited by

                                                  @luckow said in How to configure LDAP in Discourse?:

                                                  Disabling LDAP in the Plugin settings doesn't change anything.

                                                  Probably have to restart discourse?

                                                  luckow 1 Reply Last reply Reply Quote 0
                                                  • luckow
                                                    luckow translator @girish last edited by

                                                    @girish nope. same, same.

                                                    Pronouns: he/him | Primary language: German

                                                    1 Reply Last reply Reply Quote 0
                                                    • jdaviescoates
                                                      jdaviescoates @luckow last edited by

                                                      @luckow said in How to configure LDAP in Discourse?:

                                                      My 2 cents for the moment: please add the LDAP addon to this app, because of the plugin and some use cases, where LDAP makes sense.

                                                      +1000000

                                                      I use Cloudron with Gandi & Hetzner

                                                      1 Reply Last reply Reply Quote 1
                                                      • First post
                                                        Last post
                                                      Powered by NodeBB