Directus with LDAP or SSO auth

msbt

Hi there, are there any plans to add LDAP or other means of SSO authentication to the current package? It seems to be supported, but LDAP is not activated in the manifest

girish

@msbt Great find! I wasn't aware it supported LDAP.

msbt

@girish I tried repacking it with LDAP earlier today and wasted quite some time, because of "Unexpected Errors". But there's an already merged PR that that will come with the next release, maybe that fixes the issue.

For reference, this is what I added to my env file, at least the LDAP tab shows up, but it wouldn't let me in:

export LOG_LEVEL="trace"

export AUTH_PROVIDERS="ldap"
# AUTH_DISABLE_DEFAULT="true"

export AUTH_LDAP_DRIVER="ldap"
export AUTH_LDAP_CLIENT_URL="ldap://172.18.0.1:3002"
export AUTH_LDAP_BIND_DN="cn=...,ou=apps,dc=cloudron"
export AUTH_LDAP_BIND_PASSWORD="superlongpwd"
export AUTH_LDAP_USER_DN="ou=users,dc=cloudron"
export AUTH_LDAP_GROUP_DN="ou=groups,dc=cloudron"

Leaving AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD empty resulted in the same [Error]: Invalid provider config from the PR, but maybe I'm missing something else.

girish

I was able to get login to work but users are created with no roles . There is a discussion here - https://github.com/directus/directus/discussions/9854

I used the following settings:

export AUTH_PROVIDERS="ldap"
export AUTH_DISABLE_DEFAULT="true"

export AUTH_LDAP_DRIVER="ldap"
export AUTH_LDAP_CLIENT_URL="${CLOUDRON_LDAP_URL}"
export AUTH_LDAP_BIND_DN="${CLOUDRON_LDAP_BIND_DN}"
export AUTH_LDAP_BIND_PASSWORD="${CLOUDRON_LDAP_BIND_PASSWORD}"
export AUTH_LDAP_USER_DN="${CLOUDRON_LDAP_USERS_BASE_DN}"
export AUTH_LDAP_USER_ATTRIBUTE=username

Had to patch our ldap server a bit with:

    gServer.search('ou=apps,dc=cloudron', function(req, res /*, next */) {
        const obj = {
            dn: dn.toString(),
        };
            finalSend([obj], req, res, next);
    });

msbt

@girish nice one! I was about to say, I could swear I tried with AUTH_LDAP_USER_ATTRIBUTE=username as well

msbt

@girish what's the status on this, won't it work properly even with the patched LDAP server?

msbt

@girish they just added SAML support in one of their last releases, any chance you could check again if LDAP works as well? Maybe with DEFAULT_ROLE_ID or AUTH_LDAP_GROUP_DN? I don't remember seeing that the last time I checked this page.

girish

@msbt tried this again and it crashes.

21:41:35 - [20:41:34] ERROR (146 on 6278be82-2fa6-460d-bbbe-93a0b7594d5e): name (string) required
21:41:35 - err: {
21:41:35 - "type": "TypeError",
21:41:35 - "message": "name (string) required",
21:41:35 - "stack":
21:41:35 - TypeError: name (string) required
21:41:35 - at Object.parse (/app/code/node_modules/ldapjs/lib/dn.js:158:43)
21:41:35 - at ensureDN (/app/code/node_modules/ldapjs/lib/client/client.js:85:15)
21:41:35 - at Client.search (/app/code/node_modules/ldapjs/lib/client/client.js:596:18)
21:41:35 - at /app/code/node_modules/directus/dist/auth/drivers/ldap.js:71:29
21:41:35 - at new Promise (<anonymous>)
21:41:35 - at LDAPAuthDriver.validateBindClient (/app/code/node_modules/directus/dist/auth/drivers/ldap.js:69:16)
21:41:35 - at LDAPAuthDriver.getUserID (/app/code/node_modules/directus/dist/auth/drivers/ldap.js:185:20)
21:41:35 - at AuthenticationService.login (/app/code/node_modules/directus/dist/services/authentication.js:45:37)
21:41:35 - at /app/code/node_modules/directus/dist/auth/drivers/ldap.js:317:84
21:41:35 - at /app/code/node_modules/directus/dist/utils/async-handler.js:3:66
21:41:35 - }

Have to debug.

girish

@msbt I pushed a new package with LDAP.

msbt

@girish ohhh very nice! appreciate the effort, going to check it out asap

girish

@msbt See https://docs.cloudron.io/apps/directus/#cloudron-directory as well

msbt

@girish happy to report that this is working like a charm, thanks a lot!