LDAP support?


(Carlo Kok) #1

Are there any plans for LDAP support?


(Stephen Paul Weber) #2

LDAP support for what? Logins?


(Peter Stoinov) #3

Enterprise authentication. If they target big companies I’m sure this is in the roadmap.


(Sam Saffron) #4

We are built on omniauth now, and it has

Not implemented at Discourse, but can happen, undecided if this should be included in core or be a plugin.


(Dave Pooser) #5

At $DAYJOB we’re using a web forum with a mix of staff and freelancers, so I’m looking for the ability to authenticate against multiple LDAP directories. It’s possible to do basically what I’m looking for with vBulletin and some ugly hacking on an unsupported plugin, but I’m hoping Discourse will offer that capability in a less painful process. And yes, that’s the kind of thing that would be worth at least a few hundred dollars to my company…


(Callan Bryant) #6

I think core, as it’s just another authentication mechanism just like the Facebook, Twitter and *oauth logins; which I assume are also in core.


(DannoHung) #7

Echoing this request. LDAP would make Discourse something we’d try to use today.

Unfortunately, it looks like about 30 places in the app need to be changed to add a new authentication method (if a search for “persona” is an accurate representation of the pervasiveness of login methodologies).


(tethra) #8

Likewise with deploying - I’ll be doing a test deploy at work today to see if Discourse can replace our existing forum, LDAP would make life considerably easier. I’ll be trying other ways too, but whatever I end up using (occasional imports of new users, witchcraft, other) I’d like to move to LDAP eventually…


(Troy Telford) #9

I’ll add my request to also have LDAP; that way new users need only be configured in LDAP.


(Gareth) #10

As a large not-for-profit looking for awesome tools to foster communication I’d love to encourage OpenLDAP support for authentication :smiley:


(tethra) #13

Any thoughts on this actually happening? I’ve seen talk in other threads about the idea of simplifying adding new auth methods, since I understand having poked around a bit that this involves touching code in quite a few files at the moment and may not be considered a trivial endeavour for most. Not nagging, just asking :slight_smile:


(Drew Hamlett) #14

Any news on this? This is a must-have feature for us at my company. I can’t find anything on GitHub newer than 7 months.


(José F Romaniello) #15

As an alternative, we’ve just published an Auth0 plugin for Discourse: https://github.com/auth0/discourse-plugin.

You can hook this plugin to your Discourse and configure your LDAP connection in Auth0 as shown in the GIFs.

How does it work?

Basically, Auth0 is an authentication broker.

Your Discourse speaks OAuth with Auth0, and Auth0 speaks with a “connector” you have to install on any machine that sees the LDAP. Only an outbound 443 connection is needed, no inbound (meaning Discourse could be hosted anywhere).

It also supports Kerberos (if LDAP is AD). Based on the IP of the user connecting, it will fall back to user/password if it’s not in the domain. And you can have multiple LDAP/AD connections and the Login Widget will handle which one to talk to depending on the email domain.

More info about Identity Providers supported: Identity Providers Supported by Auth0


(Carlo Kok) #16

Auth0 is a cloud-only thing?


(José F Romaniello) #17

@carlokok glad you asked this! I forgot to mention it in the description.
No, we also offer the solution as an appliance or to install in your own cloud services.
From the point of view of the Discourse config it is a small change, just the client_id, secret and domain, so you can test it with the cloud version and then move to a private deployment. If you have more questions about our plans please contact us at support at auth0.com.


(Sam Saffron) #18

This should be fairly trivial as a plugin, I assume it would take an hour or so to build but probably multiple days to test.

If anyone wants to commission us to build the plugin, let us know. Would need at least 2-5 days dev work to be fully tested / documented.

PM me if interested and I will see when we can slot this in (post discourse v1)


(Austin Hamilton) #19

I’d love to echo something people said above. LDAP Support would be great for us; I’m setting up a Discourse Install for internal company use, so support for it would be phenomenal.


(Sam Saffron) #20

This is a question of money, if you have the budget we can help make it happen.


(Steve K) #21

@sam what would it take? For us, OAuth/LDAP is a must, happy to talk about helping $ (email me), for features:

Separate Authenticate from Authorise, i.e.,

Authenticate using OAuth/OpenID/Federated/LDAP
Authorise into groups/streams/etc, using OAuth, LDAP Groups, Some other API

If you could create containers with the two of them in it, that’d be great!

Most authentication containers filter ‘access’ on their side, but that would only stop/grant access on the platform, to set roles/groups you need to source that from someplace.

In fairness, you could probably pre-populate that, but syncing is ugly.

Steve.


(Clay Heaton) #22

Did this ever go anywhere? Is there now an LDAP authentication plugin that doesn’t rely on auth0? I’ve searched around but had a hard time determining if it ever happened.