YunoHost-Apps / peertube_ynh

Federated (ActivityPub) video streaming platform using P2P for YunoHost
https://joinpeertube.org/fr/
GNU Affero General Public License v3.0

LDAP is coming! #76

Closed Thatoo closed 3 years ago

Thatoo commented 5 years ago

From what I understand from here, https://github.com/Chocobozzz/PeerTube/issues/371#issuecomment-463101468 , I guess LDAP will come pretty soon and that will increase the interest of peertube on Yunohost.

gnouts commented 5 years ago

That's cool! Probably too soon to ask, but how will/should the upgrade handle existing (non-LDAP) peertube users? Especially if user names are the same on peertube and yunohost...

immae commented 5 years ago

@gnouts the way I implemented it is as follows:

In your situation, when a user tries to login with a username that already exists in LDAP, the engine will try to create a user, fail, and then depending on your ldap.ldap_only value will try to login as the regular user, so it’s probably the best path. Migrating existing users to LDAP is as easy as filling their ldapDn column in the database.

gnouts commented 5 years ago

@immae thank you! Can you explain the "as easy as filling their ldapDn column in the database" part please? What should the SQL query look like, for dummies? :smiley:

immae commented 5 years ago

@gnouts If you have access to a phpMyAdmin or other similar tool, then it should be easy to find the fields to fill for each user.

Otherwise, you will need to write a series of requests like this: update users set ldapDn = 'cn=foo,dc=example,dc=com' where username = 'foo';

Note that I assume here that the PR will be merged as is, which may not be the case, so don’t start preparing them immediately ;)
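The migration immae describes above (filling each existing user's ldapDn column) is shown below as an added example that is not part of this thread or of PeerTube's own code. It assumes YunoHost-style DNs of the form uid=<user>,ou=users,dc=yunohost,dc=org, uses an in-memory SQLite table as a stand-in for PeerTube's PostgreSQL users table, and adds the checks a careful operator would want: parameterised queries, RFC 4514 escaping of the DN value, no DN for accounts that do not exist in LDAP, and no overwrite of rows already mapped.

```python
import sqlite3

# Constructed stand-in for PeerTube's users table (PeerTube really uses
# PostgreSQL; SQLite is used only so this example runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE users (username TEXT PRIMARY KEY, "ldapDn" TEXT)')
    db.executemany('INSERT INTO users (username, "ldapDn") VALUES (?, ?)', [
        ("foo", None),
        ("bar", None),
        ("baz", "uid=baz,ou=users,dc=yunohost,dc=org"),  # already migrated
        ("ghost", None),                                 # no LDAP account
    ])
    return db

# Constructed list of uids present in the LDAP directory ("ghost" is absent).
LDAP_UIDS = ["foo", "bar", "baz", "o'neil,jr"]

# Assumed base DN for YunoHost users.
BASE_DN = "ou=users,dc=yunohost,dc=org"

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def build_dn(uid, base_dn=BASE_DN):
    return "uid=%s,%s" % (escape_dn_value(uid), base_dn)

def migrate_to_ldap(db, ldap_uids, base_dn=BASE_DN):
    """Fill ldapDn for local users that exist in LDAP and are not yet mapped.
    Returns {username: dn} for the rows updated; re-running is a no-op."""
    in_ldap = set(ldap_uids)
    updated = {}
    rows = db.execute('SELECT username FROM users WHERE "ldapDn" IS NULL')
    for (username,) in rows.fetchall():
        if username not in in_ldap:
            continue  # never point a local account at a DN that does not exist
        dn = build_dn(username, base_dn)
        db.execute('UPDATE users SET "ldapDn" = ? WHERE username = ? '
                   'AND "ldapDn" IS NULL', (dn, username))
        updated[username] = dn
    db.commit()
    return updated
```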

Thatoo commented 5 years ago

It seems that pleroma managed to implement LDAP, https://git.pleroma.social/pleroma/pleroma/issues/203, and yalh76, the maintainer of the yunohost pleroma package, is working on it, https://github.com/YunoHost-Apps/pleroma_ynh/issues/28 . Maybe their work could help bring LDAP to more fediverse packages [on Yunohost].

tituspijean commented 4 years ago

Looks like LDAP has come?

immae commented 4 years ago

It's incoming indeed (it still depends on an unmerged branch though). Note that as far as I see this plugin is not compatible with my patched version. If you happened to use that one you'll have some migration tasks to do...

Thatoo commented 4 years ago

"If you happened to use that one you'll have some migration tasks to do..." I'm not sure I understand this part. Do you think it will become compatible in order to include it by default?

immae commented 4 years ago

@Thatoo: I implemented an LDAP auth in a PR of peertube. So "maybe" some people used it before it was released.

My point was that my implementation is absolutely not compatible with the one that @tituspijean points to and which will (probably) be the one that gets released, so if you used my version as a patch, the one that is incoming will not work.

gnouts commented 3 years ago

For anyone interested, Peertube now uses a plugin for LDAP auth (in the admin interface, go to the plugin tab and search for/enable "auth-ldap").

I managed to get it working using this configuration:

[Screenshot from 2020-11-05 11-22-07]

(you maybe need to change "Bind DN" with your admin user if you're not using yunohost admin default)

Though, there is an edge case: if your users have multiple email addresses, Sequelize fails to parse the array. There is an issue open there: https://framagit.org/framasoft/peertube/official-plugins/-/issues/11 (bug was fixed with v6.0.0)

tituspijean commented 3 years ago

Great news :)

(you maybe need to change "Bind DN" with your admin user if you're not using yunohost admin default)

Out of curiosity, can you try user-binding by emptying those two fields?

kakounet commented 3 years ago

@gnouts I've just made the same config as you did (with Bind DN admin also) but when I try to login it doesn't work (Invalid client: client is invalid). Have you done something else to make it work? (I only have this plugin activated on my instance)

gnouts commented 3 years ago

@gnouts I've just made the same config as you did (with Bind DN admin also) but when I try to login it doesn't work (Invalid client: client is invalid). Have you done something else to make it work? (I only have this plugin activated on my instance)

Hum... I changed some config on slapd to allow some apps not on localhost (like docker containers and another LAN server) to use LDAP. But that should be completely unrelated since peertube runs on the same host. Anyhow, this is the change I have in my /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldap://192.168.0.21:389/ ldaps:/// ldapi:///"

(where 192.168.0.21 is the LAN ip of my yunohost server)

You can test your LDAP connection with: ldapsearch -LLL -D cn=admin,dc=yunohost,dc=org -W -b dc=yunohost,dc=org uid=nouts . Maybe you are missing something with your user/password. Or you can try to play with the searchFilter, which is the setting I understand the least, and I'm not completely sure why this one works ¯\_(ツ)_/¯

gnouts commented 3 years ago

Great news :)

(you maybe need to change "Bind DN" with your admin user if you're not using yunohost admin default)

Out of curiosity, can you try user-binding by emptying those two fields?

It's working, without user-binding. :ok_hand: @kakounet maybe you can try that. Since peertube runs locally, LDAP does not require authentication. Leave Bind DN and Bind Password empty.

kakounet commented 3 years ago

Wow, thanks for your reactivity! It works without user-binding 👍, but only when I try to connect directly from a blank page (my mistake was that I only entered the login, not the complete mail address with @xxx.ynh.fr 🤓)

So when I try to connect by clicking on the "Peertube" button on the yunohost page I'm not directly connected, and when I click on the Connect button I receive the message: "Invalid client: client is invalid"

When I also try to connect I have a "Token is invalid." error; maybe that can be a clue?

Do you have an idea how to solve that issue? Thanks again!

gnouts commented 3 years ago

(my mistake was that I only entered the login, not the complete mail address with @xxx.ynh.fr :nerd_face:)

On my end, it only works with username. Go figure... :shrug:

So when I try to connect by clicking on the "Peertube" button on the yunohost page I'm not directly connected

This is the SSO functionality, which is different from LDAP and not (yet) available with this package, I think.

When I also try to connect I have a "Token is invalid." error

Same thing, related to SSO. You could find some help here and there (#161, #119, https://forum.yunohost.org/t/yunohost-peertube-et-yunohost-probleme-de-jetons-didentification/4571)

kakounet commented 3 years ago

Whouhouuu! Solved by adding my domain to the skipped URLs in /etc/ssowat/conf.json.persistent. Thanks a lot!