Adding ldap add-on to Cloudron manifest

tomw

Hello,

I noticed that adding the ldap add-on to my Cloudron manifest did not have any effect until I uninstalled and reinstalled the app (i.e. after doing a cloudron update, even with a new version number in the manifest, the ldap environment variables remained unset and the Cloudron UI also still stated that the app still did its own user management).

I'm not sure if this is the intended behaviour but thought maybe it would be good to note it in the documentation (apologies if it is already there, but I couldn't see it).

This is a bit of a 'My First App' so nothing that is worthy of consideration for the App Store at the moment, but I will let you know if that changes!

Tom

Lonkle

@tomw I feel like this same thing happened to me with my app, I had to do a re-installation when adding that add-on IIRC. Threw me for a loop for awhile.

girish

@tomw Right, if you add or remove an addon, then it will get reflected immediately on cloudron update. However, the LDAP addon alone is a bit special.

At install time, Cloudron keeps track of whether an app was installed with or without "sso" i.e cloudron user management. This flag cannot be changed later. It's this way because we just wanted to keep it simple when we started. It was unclear back then what's supposed to happen if an app was installed with sso initially and then later the user removed it. ie. What happens to existing users? In some apps, admin user might need to be created explicitly because they don't support LDAP and local db login simultaneously etc. There is no mechanism at the moment for an app package to adapt dynamically to LDAP addition and removal. Currently, it detects if LDAP is enabled or not using the CLOUDRON_LDAP_* env vars existence.

Anyway, that was the long reason for the behavior you saw Because the app had no ldap at install time, we set sso to false for the app. Any later update has no effect since this flag will always be false for the life time of the app. Thus those variables never appear.

robi

@girish sounds like it would be useful to be able to clone a live app changing some of these parameters w/o having to reinstall from scratch.

mehdi

@robi Defining the behaviour to have in this case is non-trivial. When you don't have SSO and enable it, it could just keep both non-LDAP users, and LDAP users, but what if there is a conflict on the username ? And when you do have SSO and disable it, you probably won't have any valid user left.

In any case, I think having this single parameter impossible to change after app install is quite acceptable, in order to avoid dealing with this kind of headache ^^ Especially with the support overhead it will create.

However, it most definitely does deserve a note in the LDAP addon doc

robi

@mehdi point taken.. but each failure case can be handled by making sure there's a documented admin user left to continue with access & config.

Lonkle

@mehdi said in Adding ldap add-on to Cloudron manifest:

However, it most definitely does deserve a note in the LDAP addon doc

This! I'm totally fine with it only allowed to be set during install, but if what @girish just explained had been in the Cloudron docs I was using to build my Cloudron OpenVPN Client, it would have saved me an hour or two of debugging why it wasn't working.

girish

I put a note here - https://docs.cloudron.io/custom-apps/addons/#ldap

Lonkle

Was going through my Open VPN development log (since I'm prepping to make this all a reality in 6.1) being all nostalgic and found out when I ran into this issue, what a funny coincidence: https://forum.cloudron.io/post/16266