etesync / server

The Etebase server (so you can run your own)
https://www.etesync.com
GNU Affero General Public License v3.0
1.54k stars 75 forks

LDAP Support #53

Closed PapaTutuWawa closed 2 years ago

PapaTutuWawa commented 4 years ago

I have an openLDAP instance on my server running against which most of my services authenticate. EteSync doesn't support this. As such, I patched the EteSync server to also authenticate against an LDAP server.

With this issue I wanted to ask whether there is demand for such a feature. If there is, I would create a PR with my changes.

tasn commented 4 years ago

Hey, thanks for opening this ticket! First of all, let me start by saying: very cool! I'd happily accept such a PR! Though not for the master branch (etesync v1), but rather etesync v2 (etebase branch). The thing is, though, that some things changed; for example, password authentication is disabled for v2. Instead the login is done using a zero-knowledge proof. This means that LDAP should probably only be used to enable/disable accounts (is_active on the user), and to allow registration to specific accounts (essentially just creating the users for users you want to allow signup to). I'd be happy to walk you through the internals if you need help, just come to https://www.etesync.com/community-chat/ though probably better after v2 is officially out (beta should be fully out, iOS included, in a few days) when we'll have more time.

PapaTutuWawa commented 4 years ago

I totally forgot that I read about the (soon) release of 2.0. In that case I'll wait until the release and then try to implement something of those sorts. Thanks for the heads up :smile:

532910 commented 3 years ago

I use a DAV server and would like to have an LDAP interface to it. I thought about a DAV backend plugin for openldap as a possible solution. It could solve this issue too.

tasn commented 3 years ago

@532910, I'm not sure what you mean, but EteSync is not a DAV server, it's a different protocol. Not sure what you mean by a dav backend for openldap.

PapaTutuWawa commented 3 years ago

Since I would like to update my EteSync server, but want LDAP support, I might start working on it soon. It doesn't look to be too difficult.

tasn commented 3 years ago

Great, keep me posted!

532910 commented 3 years ago

> EteSync is not a DAV server

I know, but there is a DAV adapter.

tasn commented 3 years ago

You don't want the LDAP to be hooked there, but to the server directly (which is what this ticket is about).

PapaTutuWawa commented 3 years ago

@tasn I played around with the code a little and now have an optional check in place that checks whether the username exists in the LDAP registry, given a configurable filter, during login. Theoretically, I also have code written that does the same check for account creation, but I have not tested it (is this check in the user_create function even correctly placed? I have never really worked with Django).

I will probably create a WIP PR some time today.

tasn commented 3 years ago

So cool, gj! How did you hook into the login mechanism? One thing you need to keep in mind is: what happens when a user is logged in using the app and then loses LDAP access? I think this is more important than just login/signup. I guess there are two options here:

  1. Polling - have a permission that checks whether the account is valid on LDAP on every login, signup, and e.g. API call every X minutes/hours (configurable?).
  2. Hooks - have the LDAP server notify the etesync server about changes and have the etesync server update the is_active accordingly.

For signup you can just use the user_create function to check it's a valid LDAP account like you suggested.

WIP PR: great, let's continue the discussion there!

poVoq commented 3 years ago

Cool would be also to have auto-registration via Oauth2 / OpenID Connect.

tasn commented 3 years ago

I mentioned it in this comment: https://github.com/etesync/server/pull/64#issuecomment-724958274 though I'll mention it again. Maybe it's worth it to integrate with Keycloak or something like that.

meskio commented 3 years ago

@Polynomdivision thank you for working on it. I'm very interested in LDAP support.

> So cool, gj! How did you hook into the login mechanism? One thing you need to keep in mind is: what happens when a user is logged in using the app and then loses LDAP access? I think this is more important than just login/signup. I guess there are two options here:

I agree we not only need to use LDAP to register the account, but also to check if the account is still valid. At least in my use case it is not uncommon to delete accounts or to use filters to be able to mark them as disabled.

> 1. Polling - have a permission that checks whether the account is valid on LDAP on every login, signup, and e.g. API call every X minutes/hours (configurable?).
>
> 2. Hooks - have the LDAP server notify the etesync server about changes and have the etesync server update the `is_active` accordingly.

To me option 1 sounds the easiest (without knowing much about the etebase code). AFAIK most LDAP implementations don't have any mechanism to notify other services. We are used to depending on LDAP for every login, so LDAP is usually hosted in a way that querying will be fast, so it should not slow down the login. And I think it is fine to do the API call every few hours as the default option; I think for most use cases we don't expect the propagation of a disabled account to happen in less than 12 hours.
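The polling option that tasn sketched (re-check the account on login, signup and API calls "every X minutes/hours") and meskio's point that a few hours of staleness is acceptable can be put together in a small cached checker. The following is an added illustration, not code from the etesync/etebase project or from anyone in this thread: the directory lookup `ldap_account_active` and the in-memory dictionary it reads are constructed stand-ins for a real LDAP search with the configured filter, and `LdapActivityChecker` is a hypothetical helper that a login view, a signup hook like the `user_create` check mentioned above, or a per-request permission could call. The defensive choices it shows are that a cached answer is never used for signup, that a disabled account is rejected once the TTL expires, and that an unreachable directory falls back to the last known answer (or denies an account it has never seen) instead of silently admitting everyone.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the directory: username -> "is this account enabled".
# A real server would run an LDAP search (e.g. with ldap3) using the
# configurable filter instead of reading this dict.
FAKE_DIRECTORY: Dict[str, bool] = {"alice": True, "bob": False}


def ldap_account_active(username: str) -> bool:
    """Hypothetical lookup: True only if the user exists and is not disabled."""
    return FAKE_DIRECTORY.get(username, False)


class LdapActivityChecker:
    """Polling-style check: asks LDAP whether an account is still valid, but
    re-queries a given user at most once per `ttl` seconds so that frequent
    API calls from a logged-in client do not hammer the directory.

    `clock` is injectable so the TTL behaviour can be exercised without sleeping.
    """

    def __init__(self, lookup: Callable[[str], bool], ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._lookup = lookup
        self._ttl = ttl
        self._clock = clock
        # username -> (time of last successful lookup, answer it returned)
        self._cache: Dict[str, Tuple[float, bool]] = {}

    def is_active(self, username: str) -> bool:
        """Login / API-call path: serve a fresh-enough cached answer, otherwise
        ask the directory and remember what it said."""
        now = self._clock()
        cached: Optional[Tuple[float, bool]] = self._cache.get(username)
        if cached is not None and now - cached[0] < self._ttl:
            return cached[1]
        try:
            active = self._lookup(username)
        except Exception:
            # Directory unreachable: keep the last known answer if there is one,
            # otherwise fail closed rather than admit an account never verified.
            return cached[1] if cached is not None else False
        self._cache[username] = (now, active)
        return active

    def allow_signup(self, username: str) -> bool:
        """Signup path: always consult the directory, never a cached answer,
        so an account deleted a minute ago cannot be (re)registered."""
        self._cache.pop(username, None)
        return self.is_active(username)

    def forget(self, username: str) -> None:
        """Drop a cached answer, e.g. after an admin disables a user by hand,
        so the next request re-checks immediately instead of waiting for the TTL."""
        self._cache.pop(username, None)


if __name__ == "__main__":
    checker = LdapActivityChecker(ldap_account_active, ttl=12 * 3600)
    print("alice may sign up:", checker.allow_signup("alice"))   # True
    print("bob may sign up:", checker.allow_signup("bob"))       # False (disabled)
    print("alice API call ok:", checker.is_active("alice"))      # True, served from cache
```

In a Django deployment the `is_active` call would sit in a permission class evaluated on each authenticated request, and `ttl` would be the configurable interval from the discussion; the example keeps a plain dict so it runs without a directory server.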

bgstack15 commented 2 years ago

Please don't give up on ldap support! I'm a new self-hosted user and I would love to hook this up to my ldap users.