Adding ldap add-on to Cloudron manifest
-
Hello,
I noticed that adding the ldap add-on to my Cloudron manifest did not have any effect until I uninstalled and reinstalled the app (i.e. after doing a `cloudron update`, even with a new version number in the manifest, the ldap environment variables remained unset and the Cloudron UI also still stated that the app still did its own user management).
I'm not sure if this is the intended behaviour but thought maybe it would be good to note it in the documentation (apologies if it is already there, but I couldn't see it).
This is a bit of a 'My First App' so nothing that is worthy of consideration for the App Store at the moment, but I will let you know if that changes!
Tom
-
@tomw Right, if you add or remove an addon, then it will get reflected immediately on `cloudron update`. However, the LDAP addon alone is a bit special.
At install time, Cloudron keeps track of whether an app was installed with or without "sso", i.e. Cloudron user management. This flag cannot be changed later. It's this way because we just wanted to keep it simple when we started. It was unclear back then what's supposed to happen if an app was installed with sso initially and then later the user removed it, i.e. what happens to existing users? In some apps, an admin user might need to be created explicitly because they don't support LDAP and local db login simultaneously etc. There is no mechanism at the moment for an app package to adapt dynamically to LDAP addition and removal. Currently, it detects if LDAP is enabled or not using the existence of the `CLOUDRON_LDAP_*` env vars.
Anyway, that was the long reason for the behavior you saw. Because the app had no ldap at install time, we set sso to false for the app. Any later update has no effect since this flag will always be false for the lifetime of the app. Thus those variables never appear.
-
@robi Defining the behaviour to have in this case is non-trivial. When you don't have SSO and enable it, it could just keep both non-LDAP users and LDAP users, but what if there is a conflict on the username? And when you do have SSO and disable it, you probably won't have any valid user left.
In any case, I think having this single parameter impossible to change after app install is quite acceptable, in order to avoid dealing with this kind of headache ^^ Especially with the support overhead it will create.
However, it most definitely does deserve a note in the LDAP addon doc.
-
@mehdi said in Adding ldap add-on to Cloudron manifest:
However, it most definitely does deserve a note in the LDAP addon doc.
This! I'm totally fine with it only allowed to be set during install, but if what @girish just explained had been in the Cloudron docs I was using to build my Cloudron OpenVPN Client, it would have saved me an hour or two of debugging why it wasn't working.
-
Was going through my OpenVPN development log (since I'm prepping to make this all a reality in 6.1), being all nostalgic, and found out when I ran into this issue. What a funny coincidence: https://forum.cloudron.io/post/16266