Closed torlasz closed 5 years ago
Can you give us an example of a filter expression (or a link to any documentation on how other applications allow you to configure such a filter).
Hi Fred,
Sure. Usually it is a standard LDAP filter, like membership in a specific group: (memberOf=cn=GreenlightUser,ou=Groups,dc=example,dc=com) or a bit more complicated, like either faculty or staff members: (|(eduPersonPrimaryAffiliation=faculty)(eduPersonPrimaryAffiliation=staff))
e.g. in Guacamole LDAP settings: https://guacamole.apache.org/doc/gug/ldap-auth.html see ldap-user-search-filter
Another example is Nextcloud, where the filter also contains the %uid placeholder. See "Edit LDAP Query" in the "Login Attributes Tab" section: https://docs.nextcloud.com/server/12/admin_manual/configuration_user/user_auth_ldap.html
One of their examples is: ((&(objectClass=inetOrgPerson)(memberOf=cn=nextcloudusers,ou=groups, dc=example,dc=com)(|(uid=%uid)(mail=%uid))) So a user can log in either by giving the uid or the mail attribute, but only if they are a member of a specific group and have a specific objectClass. This is really flexible.
Well, that is one way. But it will result in something very specific to LDAP. What about users authenticated with OAuth or SAML? We'll check it out and try to find a solution that works for everybody not only LDAP. Thanks for sharing the use case though.
I have the exact same 'issue' with LDAP and similarly make use of filters in Nextcloud and ownCloud. I am not currently authenticating with LDAP on my freeNAS box, but I believe that too works with filters. I see no problem with making it an LDAP only capability. In most cases it will only really be relevant for places which are using centralised authentication for multiple services and is probably not so relevant for users signing on other ways. If it is it could be handled through LDAP via SSO I suspect.
An LDAP filter is an essential feature for LDAP auth; it should be available in Greenlight.
Greenlight currently does support filtering of LDAP users through the LDAP_BASE environment variable. This variable specifies the root for where to search for users on your LDAP system. Therefore, only users under the LDAP_BASE can sign in to Greenlight.
For example, if you set LDAP_BASE=cn=GreenlightUser,ou=Groups,dc=example,dc=com
only users under cn=GreenlightUser will be allowed to sign in to Greenlight.
An LDAP base DN is not a replacement for a proper LDAP filter. The placement of user accounts in LDAP often has nothing to do with the question of whether or not they're allowed to do a certain thing; groups are used for the latter.
For example, the LDAP tree structure often reflects the organizational structure (which employee belongs to which department?) or maybe the geographic layout (different containers for employees from France, Germany and the UK). In all of those cases you often have employees from each sub-tree who should be allowed to use a certain application (e.g. all managers or all development people). You simply cannot represent such very common structures with a simple base DN. You must use groups for that.
Please reconsider & reopen the issue. Thanks.
Please reopen the Issue. It is important for many use cases. This could be easily fixed by just changing two lines of code. I am not a ruby coder, but I am able to read and understand the code. I am unable to rebuild the whole environment (ruby, docker, red5) myself, but I suggest the following simple changes: In https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/sessions_controller.rb Line 141 add:
    # unset or blank LDAP_FILTER falls back to matching every entry
    ldap_config[:filter] = if ENV['LDAP_FILTER'].to_s.empty?
                             'objectclass=*'
                           else
                             ENV['LDAP_FILTER']
                           end
I am assuming you use LDAP-Authentication from https://github.com/blindsidenetworks/bn-ldap-authentication/blob/master/lib/bn-ldap-authentication.rb There change line 27 to
    filter: "(&(#{provider_info[:uid]}=#{user_params[:username]})(#{provider_info[:filter]}))",
And add for the documentation in
https://docs.bigbluebutton.org/greenlight/gl-config.html#ldap-auth LDAP_FILTER=your_ldap_filter defaults to objectclass=*
This would be helpful for a lot of people. Thanks a lot for BBB and Greenlight!
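An added example (not Greenlight's or bn-ldap-authentication's own code) of composing the user-lookup filter from the proposed LDAP_FILTER variable. It escapes the login name per RFC 4515 before interpolating it, so a crafted username cannot change the structure of the filter, and it accepts the admin filter with or without its outer parentheses; the helper names are assumptions.

```ruby
# Added example: compose "(&(uid=<user>)<LDAP_FILTER>)" safely.
# Not Greenlight's code; function names are invented for this example.

# Characters with special meaning inside an LDAP filter assertion value (RFC 4515).
LDAP_FILTER_ESCAPES = {
  "\\" => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00'
}.freeze

# Escape a value so it is matched literally and cannot inject filter syntax.
def ldap_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Normalise the admin-supplied LDAP_FILTER: unset or blank falls back to the
# match-everything filter suggested in the thread; a filter supplied without
# its outer parentheses gets them added so the AND below stays well-formed.
def normalize_ldap_filter(raw)
  f = raw.to_s.strip
  return '(objectclass=*)' if f.empty?
  f.start_with?('(') ? f : "(#{f})"
end

# Build the search filter: the uid assertion AND the admin-supplied filter.
def build_user_filter(uid_attr, username, raw_filter = ENV['LDAP_FILTER'])
  "(&(#{uid_attr}=#{ldap_escape(username)})#{normalize_ldap_filter(raw_filter)})"
end

if __FILE__ == $PROGRAM_NAME
  # group-restricted lookup, filter given without outer parentheses
  puts build_user_filter('uid', 'jdoe', 'memberOf=cn=GreenlightUser,ou=Groups,dc=example,dc=com')
  # a username containing filter metacharacters is neutralised, not executed
  puts build_user_filter('uid', '*)(objectclass=*', nil)
end
```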
Even more, Greenlight should automatically create users (at the first login, or at intervals) selected by LDAP filters, so that LDAP users do not have to register in Greenlight. They already exist in the corporate user directory. This is implemented in ownCloud, Nextcloud, Redmine, RhodeCode and Zimbra (via its own autoprov solution).
I had a shot at allowing "Register mode Approve/decline" enabled together with LDAP, but I was asked to change my pull request #1015 to exclude that change.
We went and disabled local "greenlight" accounts (see .env file) completely because our users were confused by the login form and started to register local accounts with their "company"-email address instead of just logging in with their LDAP credentials. Afterwards we just changed "Registration" to "Open" and we were good to go. But of course that only works when you only allow LDAP accounts.
LDAP filters are very important in the LDAP structure (filter != basedn). Please reopen this issue and fix this problem.
Actually, #1306 was merged just yesterday evening (CEST anyway), and you can use the fixed version according to the "Customize" instructions in the BBB-Greenlight docs.
Hi, would it be possible to create an LDAP filter and, based on that filter, assign a role to a user? For example, all students can log in but can't create rooms (they are set with a limited role), while all teachers can log in and create rooms (normal user role). Can this be achieved somehow?
That was the previous behavior - there's a Config option LDAP_ROLE_FIELD which should do what you want. I'm currently experimenting with that to see whether it (still?) works as expected.
Great, but how can I use that? Documentation about it is quite scarce. Let's say I created two roles in GreenLight: student and teacher. Now, in our LDAP schema we have an attribute called PersonAffiliation which denotes whether a person is student, teacher, employee or something else. When a person makes first login, I want to set a role for that person that matches affiliation in LDAP. Any suggestion how to do that?
Just add (in your case)
LDAP_ROLE_FIELD=PersonAffiliation
to your .env-File for Greenlight.
I just fiddled around with that a bit. We have a similar field, but it seems that Greenlight uses only the first value returned. Confirmed that in the code: https://github.com/blindsidenetworks/bn-ldap-authentication/blob/79907370bb9efd0729841005d6534b1699f50081/lib/bn-ldap-authentication.rb#L66
And, it seems that roles that were added once are never removed, even if they disappear from LDAP - there's an Issue about that #1261
Thank you very much! Works like a charm!
Can you please elaborate on how to use LDAP_ROLE_FIELD? We do have some information about the user role (student / teacher / employee) in our LDAP, but certainly not in a Greenlight-readable form. And, tbh, I don't want to expand the LDAP schema just to have compatible but redundant information, OR (preferred): is there a way to define the role with an LDAP filter for group membership, e.g.:
(| (admin:(memberOf(ITManagers))) (user:(memberOf(Teacher))) )
ok - I've just invented that syntax, but I think you'll get the idea :)
many thanks!
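An added example (hypothetical, not a Greenlight feature and not the project's code) of the group-based role assignment asked for above: a mapping string of the form "role:groupDN;role:groupDN" (a format invented here) is resolved against the user's memberOf values in precedence order, and users who match no group get no role. This avoids the single-value limitation noted for LDAP_ROLE_FIELD.

```ruby
# Added example: derive a Greenlight role from LDAP group membership.
# Hypothetical; the "role:groupDN;role:groupDN" mapping format is invented here.

# Parse the mapping into ordered [role, group_dn] pairs; list order is precedence,
# so the most privileged role should be listed first.
def parse_role_map(raw)
  raw.to_s.split(';').map(&:strip).reject(&:empty?).map do |entry|
    role, dn = entry.split(':', 2)
    raise ArgumentError, "bad mapping entry: #{entry}" if dn.nil? || dn.strip.empty?
    [role.strip, dn.strip]
  end
end

# Normalise a DN for comparison: directories return DNs with varying case and
# with or without whitespace after the commas separating RDNs.
def normalize_dn(dn)
  dn.to_s.downcase.gsub(/,\s+/, ',')
end

# Return the first mapped role whose group appears in the user's memberOf
# attribute, or nil when the user is in none of them (deny by default).
def role_from_groups(member_of, role_map)
  groups = Array(member_of).map { |dn| normalize_dn(dn) }
  hit = role_map.find { |_role, dn| groups.include?(normalize_dn(dn)) }
  hit && hit.first
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample mapping and memberOf values
  map = parse_role_map('admin:cn=ITManagers,ou=Groups,dc=example,dc=com;' \
                       'user:cn=Teacher,ou=Groups,dc=example,dc=com')
  puts role_from_groups(['CN=Teacher,OU=Groups,DC=example,DC=com',
                         'cn=ITManagers,ou=Groups, dc=example,dc=com'], map) # admin
  puts role_from_groups(['cn=Students,ou=Groups,dc=example,dc=com'], map).inspect # nil
end
```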
I am using LDAP auth, it works fine. However I want to provide greenlight service only to some of my users, rather than all of them. In most applications with LDAP auth one can set a filter expression for this purpose. Could you add a filter expression to LDAP setup? That should not be too difficult I guess.