Support LDAP authentication for users

[sunrez]

Hi,

I wanted to request LDAP capability be added to your roadmap to link with the Vikunja user database.

This ideal for an organization with >5 people to share / collaborate on tasks which is an awesome capability of Vikunja. Duplicating users/passwords or keeping this in sync with a central database always becomes problematic, LDAP / ActiveDirectory is very mature and works well for this.

[kolaente]

Hi!

I plan to release a plugin for this, once we have a plugin api.

[Typhonragewind]

Adding on the LDAP authentication, it would be awesome to have proxy authentication with it (as in once authorized by first service, such as Authelia, the authorization is passed via proxy headers)

[kolaente]

it would be awesome to have proxy authentication with it

@Typhonragewind Like this PR started adding?

[Typhonragewind]

it would be awesome to have proxy authentication with it

@Typhonragewind Like this PR started adding?

Oh, I wasn't aware of it, that's awesome!

[sunrez]

Just wanted to (respectfully) ask if there's been any progress on LDAP support.

[kolaente]

No progress yet.

[uweschmitt]

Also would appreciate LDAP support.

[sunrez]

Hi, any feedback on this request? Would make this 100x more useful for any organization >1 person.

[kolaente]

Does openid work for you?

[sunrez]

Hi @kolaente ,

Thanks for the reply. Unfortunately, OpenID does not work. If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important.

I work with organizations that need to self-host applications due to safety / security and they've mostly implemented OpenLDAP, some MSFT ActiveDirectory.

[alexanderadam]

If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important.

This doesn't make any sense, since LDAP and AD are literally external dependencies. So would be a server component that speaks OpenID Connect.

And modern self hostable projects like KanIDM or Authentik even support both — for valid reasons like having single session authentication handling.

I work with organizations that need to self-host applications due to safety / security and they've mostly implemented OpenLDAP

All the major players were moving away from OpenLDAP to other solutions in the last years. Most Linux distributors are using 389ds based solutions. I'm not sure that safety is a concern of theirs if they continue using something that most people are moving away from and if they don't want to setup an OIDC app like Authelia.

[sunrez]

@alexanderadam :

OpenLDAP and ActiveDirectory can be completely self-hosted, even if you consider them "external". I'm not sure why you believe 'most' Linux distributions are using 389DS also? I think 'FreeIPA' (from RHEL, which uses 389DS, dogtag, etc) is likely more popular but since FreeIPA has to own DNS, administering it can become complicated. Even if 389DS is 'more popular (that's debatable) it's still an LDAP provider, which means LDAP authentication would work with OpenLDAP/FreeIPA(389DS)/AD.

I work with a mix of small to huge companies and while many use providers like Okta for SASS or VPN, LDAP/AD is still there since UNIX group permissions, UIDs, NFS, Samba, etc all benefit from central administration.

[alexanderadam]

OpenLDAP and ActiveDirectory can be completely self-hosted, even if you consider them "external".

Well, OpenID services can be completely self-hosted too. So if you're not considering self-hosted services external, then I don't understand what you meant by this

Unfortunately, OpenID does not work. If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important.

OpenID servers and LDAP servers can both be self-hosted. So either you consider both to be external dependencies or not.

If self-hosting another server is an option then you can already use an OpenID Connect server right now. If your customers use LDAP infrastructure, just spin up an Authelia instance and let it point to your LDAP server.

I work with a mix of small to huge companies and while many use providers like Okta for SASS or VPN, LDAP/AD is still there since UNIX group permissions, UIDs, NFS, Samba, etc all benefit from central administration.

Well, OIDC servers also give the benefit of central administration. The projects KanIDM and Authentik, that I mentioned before, even have less fraction in doing so, since they're single simple projects.

Therefore I'm really not sure why you can't simply spin up a simple OpenID Connect server if self-hosting is an option any way.

[bfd69]

Hello i think openldap/Ad Support would be greet. from my point of you it would be for populating vikunja. let me explain : i created a dockered service Vikunja. so far so well everything worked with openid and authelia, and then i created some project we had in our teams with tasks. After that a invited everyone to connect, 30% of them tried. but when they connected they did'nt see their project and abandoned. if i could propulate vikunja with AD users at least (maybe groups too) i could have assigned beforehand the users to projects. for example nextcloud works like that. by the way Vikunja is really great and beautiful, a bit tricky in docker and traefik but great :)

[kolaente]

There is a PR to add automatic provisioning of teams based on openid claims to Vikunja. Maybe that would help your use case?

[bfd69]

i think it will !