A working ldap plugin for discourse

(Punit kumar jain) #1


I looked at Discourse and loved the UI and features. I naively assumed ldap support a given (really even if it not there, how much will it take).

I looked at various topics and various discourse ldap plugins on github. Alas none worked. Hence I made a try of my own (dont know anything about ruby, forget about rails).
Finally I got a working plugin. Most people should be able to use it with any code change (by just modiying the plgin settings).


LDAP login into Discourse

Damn. Just went throw hell of setting up oauth to get ldap backend working.
Anyways thanks a thousand! \o/ I will give it a try right away.

edit: As much as I like the SSO idea (specially if you host few applications), I don’t have sufficient understanding and confidence to put it in production yet, and since I had a deadline to have LDAP auth for discourse, your plugin is a blessing until I figure all ins and outs of oauth.

Thanks a thousand for your contribution! \o/ I will give it a try right away.

(Punit kumar jain) #3

thanks… I will push another change in a day or two which will make it even more generic. if your AD has a “nickname” (my ad has) attribute for an entity and simple auth enabled , this should work like a charm.


Works great so far, but:
If using more authentication methods you can easily impersonate other people if you have ldap account with the same name. The plugin does not check credentials. Not sure what it should check for, but I checked with github and it is impossible to impersonate someone as you will be redirected to account creation page and get 1 as an alternative. @sam do you have an idea how should one aproach this problem, or if you want to use ldap auth you need to switch off normal user registration and other auth methods.


I noticed when testing stealing identity, that the email hasn’t change (the original user email was still there rather then email on ldap).
Maybe the idea would be to check against users email, and only when it matches allow authentication.

(Jared Needell) #6

2 questions

1 - Anyway if that if we go straight to /auth/ldap page to redirect to discourse after authentication rather than telling us to close out of the window? This will help if we decide to use Okta for authenticating into Discourse

2 - Can the script import the user if they have never logged in before?


Answer to question 2 - If there is no registered user in Discourse the plugin will import / create a user based on ldap information.
I have tried this plugin LDAP login into Discourse GitHub - jonmbake/discourse-ldap-auth: Discourse plugin to enable LDAP/Active Directory authentication. andf I have to say it works flawless (there is no problems I mentioned above).

(Jared Needell) #8

Yeah worked on a different user I tried that didn’t have an account. Pretty cool!

Anything on the first question?

(Punit kumar jain) #9

So modified the plugin to use email for verification.
In real world companies/organisation using ldap stick with only one method of authentication.Hence what I have done is that I disabled local logins in my installations. Users whose email is in “DEVELOPER_EMAILS” in app.yml are anyways automatically admins.

I did not want user to go through account creation. If he is a valid ldap user, then he can access the application. If you want to restrict the usage , u can use ldap filter for that.


(hua) #10

I added the pulgin to my discourse, but it always print “(ldap) Authentication failure! invalid_credentials encountered”. However, the same parameters set in perl script or ldap client JXplorer, I can bind and search successfuly.would you tell me the means of settings about the ldap plugin?

Many thanks!