Directus with LDAP or SSO auth
-
Hi there, are there any plans to add LDAP or other means of SSO authentication to the current package? It seems to be supported, but LDAP is not activated in the manifest
@msbt Great find! I wasn't aware it supported LDAP.
-
@girish I tried repacking it with LDAP earlier today and wasted quite some time, because of "Unexpected Errors". But there's an already merged PR that that will come with the next release, maybe that fixes the issue.
For reference, this is what I added to my env file, at least the LDAP tab shows up, but it wouldn't let me in:
export LOG_LEVEL="trace" export AUTH_PROVIDERS="ldap" # AUTH_DISABLE_DEFAULT="true" export AUTH_LDAP_DRIVER="ldap" export AUTH_LDAP_CLIENT_URL="ldap://172.18.0.1:3002" export AUTH_LDAP_BIND_DN="cn=...,ou=apps,dc=cloudron" export AUTH_LDAP_BIND_PASSWORD="superlongpwd" export AUTH_LDAP_USER_DN="ou=users,dc=cloudron" export AUTH_LDAP_GROUP_DN="ou=groups,dc=cloudron"Leaving AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD empty resulted in the same
[Error]: Invalid provider configfrom the PR, but maybe I'm missing something else. -
I was able to get login to work but users are created with no roles . There is a discussion here - https://github.com/directus/directus/discussions/9854
I used the following settings:
export AUTH_PROVIDERS="ldap" export AUTH_DISABLE_DEFAULT="true" export AUTH_LDAP_DRIVER="ldap" export AUTH_LDAP_CLIENT_URL="${CLOUDRON_LDAP_URL}" export AUTH_LDAP_BIND_DN="${CLOUDRON_LDAP_BIND_DN}" export AUTH_LDAP_BIND_PASSWORD="${CLOUDRON_LDAP_BIND_PASSWORD}" export AUTH_LDAP_USER_DN="${CLOUDRON_LDAP_USERS_BASE_DN}" export AUTH_LDAP_USER_ATTRIBUTE=usernameHad to patch our ldap server a bit with:
gServer.search('ou=apps,dc=cloudron', function(req, res /*, next */) { const obj = { dn: dn.toString(), }; finalSend([obj], req, res, next); }); -
I was able to get login to work but users are created with no roles . There is a discussion here - https://github.com/directus/directus/discussions/9854
I used the following settings:
export AUTH_PROVIDERS="ldap" export AUTH_DISABLE_DEFAULT="true" export AUTH_LDAP_DRIVER="ldap" export AUTH_LDAP_CLIENT_URL="${CLOUDRON_LDAP_URL}" export AUTH_LDAP_BIND_DN="${CLOUDRON_LDAP_BIND_DN}" export AUTH_LDAP_BIND_PASSWORD="${CLOUDRON_LDAP_BIND_PASSWORD}" export AUTH_LDAP_USER_DN="${CLOUDRON_LDAP_USERS_BASE_DN}" export AUTH_LDAP_USER_ATTRIBUTE=usernameHad to patch our ldap server a bit with:
gServer.search('ou=apps,dc=cloudron', function(req, res /*, next */) { const obj = { dn: dn.toString(), }; finalSend([obj], req, res, next); }); -
@girish nice one! I was about to say, I could swear I tried with
AUTH_LDAP_USER_ATTRIBUTE=usernameas well
-
I was able to get login to work but users are created with no roles . There is a discussion here - https://github.com/directus/directus/discussions/9854
I used the following settings:
export AUTH_PROVIDERS="ldap" export AUTH_DISABLE_DEFAULT="true" export AUTH_LDAP_DRIVER="ldap" export AUTH_LDAP_CLIENT_URL="${CLOUDRON_LDAP_URL}" export AUTH_LDAP_BIND_DN="${CLOUDRON_LDAP_BIND_DN}" export AUTH_LDAP_BIND_PASSWORD="${CLOUDRON_LDAP_BIND_PASSWORD}" export AUTH_LDAP_USER_DN="${CLOUDRON_LDAP_USERS_BASE_DN}" export AUTH_LDAP_USER_ATTRIBUTE=usernameHad to patch our ldap server a bit with:
gServer.search('ou=apps,dc=cloudron', function(req, res /*, next */) { const obj = { dn: dn.toString(), }; finalSend([obj], req, res, next); });@girish they just added SAML support in one of their last releases, any chance you could check again if LDAP works as well? Maybe with
DEFAULT_ROLE_IDorAUTH_LDAP_GROUP_DN? I don't remember seeing that the last time I checked this page.
-
@girish they just added SAML support in one of their last releases, any chance you could check again if LDAP works as well? Maybe with
DEFAULT_ROLE_IDorAUTH_LDAP_GROUP_DN? I don't remember seeing that the last time I checked this page.@msbt tried this again and it crashes.
21:41:35 - [20:41:34] ERROR (146 on 6278be82-2fa6-460d-bbbe-93a0b7594d5e): name (string) required 21:41:35 - err: { 21:41:35 - "type": "TypeError", 21:41:35 - "message": "name (string) required", 21:41:35 - "stack": 21:41:35 - TypeError: name (string) required 21:41:35 - at Object.parse (/app/code/node_modules/ldapjs/lib/dn.js:158:43) 21:41:35 - at ensureDN (/app/code/node_modules/ldapjs/lib/client/client.js:85:15) 21:41:35 - at Client.search (/app/code/node_modules/ldapjs/lib/client/client.js:596:18) 21:41:35 - at /app/code/node_modules/directus/dist/auth/drivers/ldap.js:71:29 21:41:35 - at new Promise (<anonymous>) 21:41:35 - at LDAPAuthDriver.validateBindClient (/app/code/node_modules/directus/dist/auth/drivers/ldap.js:69:16) 21:41:35 - at LDAPAuthDriver.getUserID (/app/code/node_modules/directus/dist/auth/drivers/ldap.js:185:20) 21:41:35 - at AuthenticationService.login (/app/code/node_modules/directus/dist/services/authentication.js:45:37) 21:41:35 - at /app/code/node_modules/directus/dist/auth/drivers/ldap.js:317:84 21:41:35 - at /app/code/node_modules/directus/dist/utils/async-handler.js:3:66 21:41:35 - }Have to debug.
-
@girish they just added SAML support in one of their last releases, any chance you could check again if LDAP works as well? Maybe with
DEFAULT_ROLE_IDorAUTH_LDAP_GROUP_DN? I don't remember seeing that the last time I checked this page.@msbt I pushed a new package with LDAP.
-
