Closed tinkerdudeno1 closed 2 years ago
Hi, from what I see it should be possible: the people from Inria have a CAS solution (using a CSRF token), see https://gitlab.inria.fr/sed-rennes/sharelatex/python-sharelatex/-/blob/master/sharelatex/__init__.py (lines 229-258), but I do not know what they changed on the ShareLaTeX side.
Maybe you have an idea what is going wrong (I assume with Traefik) when I use a load balancer and start multiple ShareLaTeX (version 2.5.2) instances. I think the CSRF token / HTTP headers are not handled correctly in the Traefik settings (see the last part of issue #10 and docker-compose.traefik.yml).
Thank you in advance!
I see, yes this does indeed look like INRIA got it to work. As for the header/token issue: We do a lot with Traefik but so far we have had no need to deploy more than one instance (for any service really). What exactly is the error you get? Are you git pushing and it fails (another thing I haven't done yet) or is there something else you see going wrong?
Inria now has a version which works again. Please have a look there.
Let me say: you guys rock. Getting LDAP authentication into the community edition of Overleaf is implementing THE key feature of the pro version.

Since you seem to have dug really deep into Overleaf, I have a question that you might be able to answer. At our institution, we are aiming to take as much (security-related) overhead from the web devs as possible. To this end, we have a Keycloak running (which has an LDAP/Kerberos connection), and for every web app we deploy an authentication proxy in front of the actual app (in addition to Traefik, which we use to handle SSL). This auth proxy does the dance with Keycloak and then sets certain HTTP header fields which the web app can then use to know who is logged in. This way, none of our devs has to implement authentication in their web app. Instead, we configure the auth proxy so that only certain groups, ... whatever have access to the individual app. Actually, all of our off-the-shelf web appliances have an option for "other authentication method" or "HTTP header authentication" or similar.

I had contacted the Overleaf support to see if this would be possible but got no reply. Didn't find an option for it in the docs either. With your knowledge of the code, could you estimate how much work it would be to log people in via HTTP request header fields? Thanks in advance!
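The pattern described in the post above (an auth proxy authenticates against Keycloak and hands the identity to the app in request headers) is only safe if the app accepts those headers from the proxy alone, because any client can send an `X-Forwarded-User` header itself. The Node.js snippet below is an added example written for this page, not Overleaf/ShareLaTeX code and not something from the thread; the header names, the proxy address, the shared secret and the group names are assumptions for illustration.

```javascript
// Added example (not Overleaf/ShareLaTeX code): accept identity headers set by an
// auth proxy, but only when the request provably came through that proxy.
// All header names, the proxy address, the shared secret and the group names
// below are assumptions for illustration.

const TRUSTED_PROXY_ADDRS = new Set(['10.0.0.5']);               // assumed proxy address
const PROXY_SHARED_SECRET = 'replace-with-a-long-random-value';  // assumed secret
const USER_HEADER = 'x-forwarded-user';
const EMAIL_HEADER = 'x-forwarded-email';
const GROUPS_HEADER = 'x-forwarded-groups';
const SECRET_HEADER = 'x-auth-proxy-secret';
const ALLOWED_GROUPS = new Set(['latex-users']);                 // assumed Keycloak group
const IDENTITY_HEADERS = [USER_HEADER, EMAIL_HEADER, GROUPS_HEADER, SECRET_HEADER];

// Compare two strings without short-circuiting on the first differing byte.
// Only the length is allowed to leak.
function constantTimeEqual(a, b) {
  a = String(a); b = String(b);
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Proxy side: drop any identity headers the client sent itself before the
// proxy adds its own, so a client cannot smuggle in "x-forwarded-user: admin".
// Header names are lower-cased in the result.
function stripClientIdentityHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!IDENTITY_HEADERS.includes(lower)) clean[lower] = value;
  }
  return clean;
}

// App side. req is a minimal request shape: { remoteAddress, headers } with
// lowercase header names (as Node's http module delivers them).
// Returns { ok: true, user } or { ok: false, reason }.
function authenticateFromHeaders(req) {
  const h = req.headers || {};
  // 1. The TCP peer must be the proxy; identity headers from anywhere else are ignored.
  if (!TRUSTED_PROXY_ADDRS.has(req.remoteAddress)) {
    return { ok: false, reason: 'not from trusted proxy' };
  }
  // 2. Defence in depth: the proxy also attaches a secret the client never sees.
  if (!h[SECRET_HEADER] || !constantTimeEqual(h[SECRET_HEADER], PROXY_SHARED_SECRET)) {
    return { ok: false, reason: 'bad proxy secret' };
  }
  // 3. Validate the identity value before using it as a login name.
  const username = h[USER_HEADER];
  if (!username || !/^[a-z0-9._@-]{1,64}$/i.test(username)) {
    return { ok: false, reason: 'missing or malformed user header' };
  }
  // 4. Authorisation: the proxy may pass groups; enforce the allow-list here as well.
  const groups = String(h[GROUPS_HEADER] || '').split(',').map((g) => g.trim()).filter(Boolean);
  if (!groups.some((g) => ALLOWED_GROUPS.has(g))) {
    return { ok: false, reason: 'user not in an allowed group' };
  }
  return {
    ok: true,
    user: { username: username.toLowerCase(), email: h[EMAIL_HEADER] || null, groups },
  };
}

// Constructed sample requests (not captured traffic).
const viaProxy = {
  remoteAddress: '10.0.0.5',
  headers: {
    [SECRET_HEADER]: PROXY_SHARED_SECRET,
    [USER_HEADER]: 'JDoe',
    [EMAIL_HEADER]: 'jdoe@example.org',
    [GROUPS_HEADER]: 'latex-users, staff',
  },
};
// Same headers, but sent directly by a client that bypassed the proxy.
const direct = { ...viaProxy, remoteAddress: '203.0.113.7' };

console.log(authenticateFromHeaders(viaProxy)); // ok: true, username "jdoe"
console.log(authenticateFromHeaders(direct));   // ok: false, "not from trusted proxy"
```

The remote-address check is the essential control: in a real deployment it should match the network path (the app listening only on an interface the proxy can reach, or a Traefik/Docker network that clients cannot join), with the shared secret as a second check in case that path is misconfigured. The proxy must also overwrite, not merge, the identity headers on every request.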