LDAP login into Discourse


(Ariel Jannai) #5

Hi telmox, did you manage to integrate Discourse with the Active Directory? If so, is it working with SSO?
thanks


(José F Romaniello) #6

As an alternative, we have just published an Auth0 plugin for Discourse here. You can hook this plugin to your Discourse and configure your LDAP connection in Auth0. You will see a GIF in the README explaining the steps.

Basically, Auth0 is an authentication broker. With this setup:

Your Discourse talks OAuth with Auth0, and Auth0 talks with a “connector” you have to install inside your company. The connector talks with LDAP.

If your LDAP is AD, please note that it is also possible to enable Kerberos authentication for a certain range of IP addresses (also shown in the README). This is transparent for you: when you are inside the IP range, it will automatically let you sign in and Discourse will see your profile; if you are outside of the IP range, you will have to enter your AD credentials.

This also works for other types of enterprise directories like Google Apps and Office 365. Feel free to contact Auth0 if you need more information.

Disclaimer: I work for Auth0 and this is my first post.


(Michael - DiscourseHosting.com) #7

Very nice. Will it be a lot of extra work to move the settings into SiteSettings, and will it be multisite-proof then?


(José F Romaniello) #8

@michaeld I think it will not require much work, just that I’m not familiar with this part of the Discourse plugin API and couldn’t find much information yet. Any links?

As you can see in the repository, I already defined the settings, but I was having an issue when using SiteSettings (sitesettings is not defined); maybe I was using it a little bit early?

I also need to use some of the settings in the JavaScript asset; I'm not sure how to do this either.


(Michael - DiscourseHosting.com) #9

For some reason the server side is called SiteSetting and the client side is called SiteSettings.


(Sam Saffron) #10

We should clean this up.


(José F Romaniello) #11

@michaeld thanks for your interest and the great tips. I’ve updated the plugin and it is now configurable through site_settings:


(Sam Saffron) #12

Do you mind posting a separate post with your plugin and information and flagging it, so I can move it to the plugin category?


(José F Romaniello) #13

@sam I just did! thanks


A working ldap plugin for discourse
(Ravikiran Janardhana) #14

If anyone is looking to add SSO auth to Discourse via LDAP, take a look at discourse-sso-python-ldap. The README has instructions on how to get it working with your LDAP server.


(Jon Bake) #15

I wrote a Discourse plugin to make this a bit easier: GitHub - jonmbake/discourse-ldap-auth: Discourse plugin to enable LDAP/Active Directory authentication.


(Sam Saffron) #16

Would you like to post a plugin post here? I added you to plugin authors


(Jon Bake) #17

There is already this solid post on plugins: Beginner's Guide to Creating Discourse Plugins - Part 1. Not sure how much more I could add to the discussion.


(Erlend Sogge Heggen) #18

Heh, I’m pretty sure Sam was asking if you would like to create a dedicated topic to properly present your new plugin, so that it can be more easily found.


#19

Great stuff! Thanks.

Funny, there are now two LDAP auth plugins coming within the last 48 hours.


(Andre Kosak) #20

Thanks! Your plugin worked for my Windows 2008 Active Directory perfectly.


(Chanka Dod) #21

This works like a charm. Thanks.


(Alagappan Vairavan) #22

I installed the jonmbake/discourse-ldap-auth plugin. The LDAP auth plugin shows up on the Discourse login page. After successful LDAP user auth, instead of logging in to the homepage, it redirects to the new user registration page. I already configured ‘auto’ for ldap_user_create_mode in plugin settings. Is there a way to sync all users from LDAP? I also unchecked ‘Public registration disabled’ under login settings. Anything I am missing on plugin config?
I am on Discourse 2.1.0
OpenLDAP: slapd 2.4.40

Rails log sample:

Started GET "/auth/ldap" for 127.0.0.1 at 2018-06-12 23:44:07 +0000
(ldap) Setup endpoint detected, running now.
(ldap) Request phase initiated.
Started POST "/auth/ldap/callback" for 127.0.0.1 at 2018-06-12 23:44:15 +0000
(ldap) Setup endpoint detected, running now.
(ldap) Callback phase initiated.
Processing by Users::OmniauthCallbacksController#complete as HTML
Parameters: {"username"=>"andy", "password"=>"[FILTERED]", "provider"=>"ldap"}
Rendering users/omniauth_callbacks/complete.html.erb within layouts/no_ember
Rendered users/omniauth_callbacks/complete.html.erb within layouts/no_ember (1.6ms)
Rendered layouts/_head.html.erb (0.5ms)
Rendered common/_special_font_face.html.erb (0.3ms)
Rendered common/_discourse_stylesheet.html.erb (0.2ms)
Rendered application/_header.html.erb (0.2ms)
Completed 200 OK in 10ms (Views: 4.3ms | ActiveRecord: 0.6ms)
Started GET "/u/hp.json?_=1528847052831" for 127.0.0.1 at 2018-06-12 23:44:15 +0000
Processing by UsersController#get_honeypot_value as JSON
Parameters: {"_"=>"1528847052831"}
Completed 200 OK in 2ms (Views: 0.3ms | ActiveRecord: 0.0ms)

Thanks,
Al


(John Lock) #23

Hello, it seems I’m facing a similar issue: a user can sign up the first time and get logged in; if I try to log out and log in again, it gets to the registration page but can’t continue because the user already exists.
If you found something to fix this, that’d be great.


(özgür Kaya) #24

We have the same problem. Is there any solution for that?
Rails log sample:

(ldap) Setup endpoint detected, running now.
(ldap) Callback phase initiated.
Processing by Users::OmniauthCallbacksController#complete as HTML
  Parameters: {"username"=>"adnan", "password"=>"[FILTERED]", "provider"=>"ldap"}
  Rendering users/omniauth_callbacks/complete.html.erb within layouts/no_ember
  Rendered users/omniauth_callbacks/complete.html.erb within layouts/no_ember (1.9ms)
  Rendered layouts/_head.html.erb (0.2ms)
  Rendered common/_discourse_stylesheet.html.erb (0.1ms)
  Rendered application/_header.html.erb (0.2ms)
Completed 200 OK in 10ms (Views: 6.3ms | ActiveRecord: 1.5ms)
Started GET "/u/hp.json?_=1552649417573" for 144.122.71.90 at 2019-03-15 11:30:37 +0000
Processing by UsersController#get_honeypot_value as JSON
  Parameters: {"_"=>"1552649417573"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)