@JLX89 said in EntraID / AzureAD LDAP wrapper:
How about just using an Enterprise App with SCIM Provisioning?
That would be great
Oh yeah, I had an issue with Nextcloud as well after the upgrade. Forgot to mention that. Same thing, some table (I think it was oc_appinfo) could not be found. A restore of the backup right before the upgrade fixed that for me as well.
Same for Cal, Outline, Documenso, Linkwarden and Formbricks by the way. The app started but with a fresh database. A restore brought all back.
I am very happy with the great backup/restore concept and automated backups before an upgrade. Works so great.
Great! Must have been something on my server then - all good, I was able to restore from a previous backup and it was just test data anyways... Thanks for checking!
I configured access to the old backups and restored one before the upgrade to 8.3.0. All data is back now! Not sure what happened, but if it doesn't occur in your CI testing it might just have been something strange on my system.
@girish Thanks for testing. I only had data for one user using OIDC. Another reason might be that the OIDC mapping is not working as before?
Just a quick observation: after upgrading from Cloudron 8.2.x to 8.3.0, all data in Memos for my OIDC user has vanished. No problem for me as I was just starting to use it and only had some test data in Memos. Could this be related to the database upgrade of postgresql? Unfortunately, I cannot assist in debugging as I migrated Cloudron to a beefier server (always amazing how simple and elegant that is!) in the meantime and do not have easy access to the old logs / backups / etc.
It would be awesome if openwebui could use the Cloudron Tika server.
You can also follow this great guide and set up an automated blocklist update:
https://forum.cloudron.io/topic/3795/firewall-spamassassin-automatic-list-update/41?_=1740739173375
Might mitigate some (few) of these annoying spam attacks.
@joseph said in glauth ldap backend:
@NCKNE were you able to run that command? trying to see if we can fix the code to simply auto-detect this and disable paging automatically (instead of adding an option). my understanding is that paging is optional to ldap servers.
That's a great idea! I ran the command but got the following response:
root@ldap-wrapper-r90:~# ldapsearch -x -s base -b "" supportedControl -H ldap://localhost:13389
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl
#
# domain.de
dn: dc=domain,dc=de
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
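The auto-detection idea quoted above (read the root DSE's supportedControl values and only request paging when the server advertises it), as an added example that is not part of the forum posts or Cloudron's code. It assumes the ldapsearch output is available as text; `buildSearchOptions` is a hypothetical helper and both sample replies are constructed.

```javascript
const PAGED_RESULTS_OID = '1.2.840.113556.1.4.319'; // RFC 2696 Simple Paged Results control

// Parse LDIF text into [attribute, value] pairs. Handles comments, folded
// lines (continuations start with one space) and base64 values ("attr:: ...").
function parseLdifAttributes(ldif) {
    const unfolded = [];
    for (const line of ldif.split(/\r?\n/)) {
        if (line.startsWith(' ') && unfolded.length > 0) {
            unfolded[unfolded.length - 1] += line.slice(1);
        } else {
            unfolded.push(line);
        }
    }
    const pairs = [];
    for (const line of unfolded) {
        if (line === '' || line.startsWith('#')) continue;
        const m = /^([A-Za-z][A-Za-z0-9;-]*):(:?)\s*(.*)$/.exec(line);
        if (!m) continue;
        const value = m[2] ? Buffer.from(m[3], 'base64').toString('utf8') : m[3];
        pairs.push([m[1].toLowerCase(), value.trim()]);
    }
    return pairs;
}

// True only when the server lists the paged results control in supportedControl.
function supportsPagedResults(ldif) {
    return parseLdifAttributes(ldif)
        .some(([attr, value]) => attr === 'supportedcontrol' && value === PAGED_RESULTS_OID);
}

// Hypothetical helper: options for an ldapjs client.search() call, with
// paging requested only when the server advertises support for it.
function buildSearchOptions(ldif, filter) {
    return { scope: 'sub', filter, paged: supportsPagedResults(ldif) };
}

// Constructed sample: a reply with no supportedControl values, like the output above.
const NO_PAGING = '# extended LDIF\ndn: dc=domain,dc=de\nsearch: 2\nresult: 0 Success\n';
// Constructed sample: a server advertising the control, with the OID folded over two lines.
const WITH_PAGING = 'dn:\nsupportedControl: 1.2.840.113556.1.4.473\n' +
    'supportedControl: 1.2.840.113556.1\n .4.319\n';

console.log(buildSearchOptions(NO_PAGING, '(objectclass=*)'));
console.log(buildSearchOptions(WITH_PAGING, '(objectclass=*)'));
```

A server that does not publish supportedControl is treated as not supporting paging, so the search is sent unpaged and remains subject to whatever size limit the server enforces.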
Yes, although I am not using glauth for LDAP, the server does not support paging. There seem to be various configurations that do not support paging, so an option to disable it in the Cloudron LDAP sync config would be nice.
Update: Changing all occurrences of paged: true to paged: false in /home/yellowtent/box/src/externalldap.js makes LDAP Sync work. Maybe adding a GUI option for paging in the LDAP sync configuration settings would be a good idea?
I am encountering the same error ("missing paged control") when connecting to a ldapjs server:
2025-02-25T07:37:57.542Z box:taskworker Starting task 10372. Logs are at /home/yellowtent/platformdata/logs/tasks/10372.log
2025-02-25T07:37:57.566Z box:taskworker Running task of type syncExternalLdap
2025-02-25T07:37:57.566Z box:tasks update 10372: {"percent":10,"message":"Starting ldap user sync"}
2025-02-25T07:37:59.860Z box:taskworker Task took 2.366 seconds
2025-02-25T07:37:59.860Z box:tasks setCompleted - 10372: {"result":null,"error":{"stack":"BoxError: missing paged control\n at SearchPager.<anonymous> (/home/yellowtent/box/src/externalldap.js:162:48)\n at SearchPager.emit (node:events:519:28)\n at SearchPager.emit (/home/yellowtent/box/node_modules/ldapjs/lib/corked_emitter.js:44:33)\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:103:12)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)","name":"BoxError","reason":"External Error","details":{},"message":"missing paged control","nestedError":{"stack":"PagedError: missing paged control\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:93:17)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)\n at end (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:62:36)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:108:10)\n at Socket.onData (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:875:22)","name":"PagedError","message":"missing paged control"}}}
2025-02-25T07:37:59.861Z box:tasks update 10372: {"percent":100,"result":null,"error":{"stack":"BoxError: missing paged control\n at SearchPager.<anonymous> (/home/yellowtent/box/src/externalldap.js:162:48)\n at SearchPager.emit (node:events:519:28)\n at SearchPager.emit (/home/yellowtent/box/node_modules/ldapjs/lib/corked_emitter.js:44:33)\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:103:12)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)","name":"BoxError","reason":"External Error","details":{},"message":"missing paged control","nestedError":{"stack":"PagedError: missing paged control\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:93:17)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)\n at end (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:62:36)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:108:10)\n at Socket.onData (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:875:22)","name":"PagedError","message":"missing paged control"}}}
BoxError: missing paged control
at SearchPager.<anonymous> (/home/yellowtent/box/src/externalldap.js:162:48)
at SearchPager.emit (node:events:519:28)
at SearchPager.emit (/home/yellowtent/box/node_modules/ldapjs/lib/corked_emitter.js:44:33)
at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:103:12)
at EventEmitter.emit (node:events:519:28)
at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)
at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)
at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)
at Parser.emit (node:events:519:28)
at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)
The ldapjs server that is being queried logs the following in debug mode:
DEBUG: 2025-02-25T07:37:59.816Z: %s: sending: %j 1.2.3.4:54938 { status: 0, matchedDN: '', diagnosticMessage: '', referrals: [] }
TRACE: 2025-02-25T07:37:59.883Z: %s shutdown 1.2.3.4:54938
TRACE: 2025-02-25T07:37:59.884Z: %s close; had_err=%j 1.2.3.4:54938 false
Could this be related to paging? Can paging be disabled in Cloudron to test if that is the cause?
@joseph said in EntraID / AzureAD LDAP wrapper:
@NCKNE said in EntraID / AzureAD LDAP wrapper:
Entra ID / Azure AD is not LDAP
TIL
Had no clue, ignore my previous comment then. Just read about it a little more and it seems you need something called Azure AD DS per https://www.reddit.com/r/sysadmin/comments/120e71z/ldaps_with_azure_ad_tenant_bundled_with_office_365/
Yeah, but the Azure AD DS you mentioned is very complex and expensive (licensing costs). I just thought since the topic had come up a few times, native support of Entra ID / Azure AD might be something to consider for the future.
@joseph said in EntraID / AzureAD LDAP wrapper:
AD support seems to be something we should add directly to Cloudron's existing LDAP server, if this is deemed useful. Incidentally, Cloudron's ldap server is also based on ldapjs.
Entra ID / Azure AD is not LDAP… that’s why either a wrapper like above is needed or Cloudron could natively implement Entra ID support (as many other apps do) and connect it to the Cloudron internal directory.
The topic has come up several times in the forum in the past: Is there an easy way to connect the Cloudron user directory to Microsoft Entra ID (formerly Azure AD) for a same signin scenario? Microsoft offers the Entra ID Domain Services with LDAP, but it involves a very complex and cost intensive setup.
I have been using the "Azure AD LDAP Wrapper" in the past which uses the Microsoft Graph API and provides an LDAP endpoint for Entra ID:
https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/run-ldap-wrapper/
The project is quite simple and easy to install using docker or nodejs directly. I am currently running it on a separate server with firewall rules to allow only specific ip addresses to access the LDAP port. Now, wouldn't it be great if this could run as a Cloudron app itself? If it was published on the app store, one would only need to provide the Azure App registration data in an env-file and could bind the Cloudron directory to a local (private) LDAP port on the same server.
Well, I am new to packaging apps for Cloudron and have no idea how to package an app without a web interface. Health checks would need to check the LDAP port and not HTTP, etc. Is this even a scenario wanted by the @staff?
If so, I could give packaging a try and do some testing, but would need some pointers if this can/should be realized as an app within Cloudron as it would need to expose a custom LDAP port to the internal docker stack.
If SRS is not an option (or not obeyed by Gmail) you can look into some advanced sieve stuff:
https://doc.dovecot.org/2.3/configuration_manual/sieve/configuring_auto_forward_sender_address/
@marcusquinn You're welcome. We are using openwebui with RAG (our own documents aka knowledge) for the IT support team. We are using it on cloudron together with the private IONOS AI Hub. Great service if you are serving EU customers.
I am pretty happy with this in openwebui:
I am also confused about how this is different from openwebui where you can create a custom model that is enriched with your own knowledge (aka your own documents) and share that model with others to chat with. I am no expert here though and have just used openwebui so far. Works great.
@avatar1024 said in Email delivery issues with double forwarding to external addresses:
Does it work fine with your set-up?
Yes, using an external SMTP relay it works for me. And Google finally accepts incoming mails right away instead of delaying them for hours or even days...