Enable LDAP(AD)authentication

Support
#1

My version of CodiMD is: 2.2

What I expected to happen: Authenticate with Active Directory accounts

Hello, first time user of CodiMD. I’m trying to set up a test instance and want to be able to authenticate with our AD service.

What actually happened:
Followed instructions on setting up environment variables in the docker-compose file. But am unable to login with my AD credentials. Running docker-compose logs -f and it’s not showing any errors.

I already tried:

  • CMD_DB_URL=postgres://codimd:@database/codimd
    - CMD_USECDN=false
    - CMD_DOMAIN=server.cosine.oregonstate.edu
    - CMD_PROTOCOL_USESSL=true
    - CMD_LDAP_URL=ldap://ad.server.edu
    - CMD_LDAP_BINDDN=cn=adproxy-user,OU=pid,DC=ad,DC=oregonstate,DC=edu
    - CMD_LDAP_BINDCREDENTIALS=
    - CMD_LDAP_SEARCHBASE=OU=pid,DC=ad,DC=oregonstate,DC=edu
    - CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{use
    rname}})(mail={{username}})))
    - CMD_LDAP_USERIDFIELD=sAMAccountName
    - CMD_LDAP_PROVIDERNAME=ONID Login Name

Looking to see if anyone else has gotten AD auth to work.
Thanks…
Docker version 19.03.12, build 48a66213fe
CentOS 8.2.2004

#2

Hey @cjkeist,

I guess you’re using not this community-developed CodiMD (soon to be known as HedgeDoc), but the hackmd version, because we have no version 2.2. If you want to know more about why there currently are two softwares called CodiMD you can read about it here and here.

Maybe someone over there can help you get your problem fixed or if you prefer you could switch to our version and we could help you if there are still problems with LDAP. (I’m not sure if you’re currently creating a new instance or just adding LDAP-Auth, in the latter case be warned we’re not sure if you can migrate from hackmd/codimd 2.2 to our latest release.)

A basic guide to use AD with this version can be found here.

#3

Thank you for the clarification between the two branches. Is it just a simple case to switch the image file in my docker-compose file to linuxserver/codimd:latest? I tried that and AD auth still fails with no errors in logs.

#4

Sorry, this image: quay.io/codimd/server

#5

If this helps here is my docker-compose file:

version: "3"
services:
  database:
    container_name: database
    image: postgres:11.6-alpine
    environment:
      - POSTGRES_USER=codimd
      - POSTGRES_PASSWORD=passwd
      - POSTGRES_DB=codimd
    volumes:
      - "database-data:/var/lib/postgresql/data"
    restart: always
  codimd:
    container_name: codimd
    #image: nabo.codimd.dev/hackmdio/hackmd:2.2.0
    image: quay.io/codimd/server
    environment:
      - DEBUG=true
      - NODE_ENV=production
      - CMD_ALLOW_ANONYMOUS=false
      - CMD_ALLOW_ANONYMOUS_EDITS=false
      - CMD_EMAIL=false
      - CMD_ALLOW_EMAIL_REGISTER=false
      - CMD_DB_URL=postgres://codimd:passwd@database:5432/codimd
      - CMD_DOMAIN=codimd.cosine.oregonstate.edu
      - CMD_PROTOCOL_USESSL=true
      - CMD_LDAP_URL=ldap://ad.oregonstate.edu
      - CMD_LDAP_BINDDN=cn=adproxy-user,OU=user,DC=uid,DC=oregonstate,DC=edu
      - CMD_LDAP_BINDCREDENTIALS=passwd
      - CMD_LDAP_SEARCHBASE=OU=user,DC=uid,DC=oregonstate,DC=edu
      - CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{use
rname}})(mail={{username}})))
      - CMD_LDAP_USERIDFIELD=sAMAccountName
      - CMD_LDAP_PROVIDERNAME=ONID Login Name
    ports:
      - 127.0.0.1:3000:3000
    depends_on:
      - database
    #volumes:
    # - upload-data:/home/hackmd/app/public/uploads
    restart: always
  apache:
    container_name: apache
    image: docker.io/bitnami/apache:2.4-debian-10
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - /srv/vhosts/codimd_vhost.conf:/vhosts/my_vhost.conf:ro
      - /srv/certs:/certs
volumes:
  database-data: {}
  upload-data: {}

With this the main login page is not displaying correctly. And authentication still is not working.

#6

Chan you check, that your CodiMD instance is using the correct port? If not, you can try adding: CMD_URL_ADDPORT=false as an environment variable to get proper URLs and unbreak your CSS.

#7

Thank you. Setting CMD_URL_ADDPORT to false fixed rendering of the web page. Still no luck in getting it to authenticate with our AD accounts :frowning:
Would the main issue be in getting the search filter line correct?

#8

I believe I have LDAP authenticating to our AD server ok. I’m getting the following error:
SizeLimitExceededError: Size Limit Exceeded

Our AD environment has 50k+ accounts. Is there a way to increase the size limit?

#9

Just got it working! Following is my docker compose file:

codimd:
container_name: codimd
#image: nabo.codimd.dev/hackmdio/hackmd:2.2.0
image: quay.io/codimd/server
environment:
- DEBUG=true
- CMD_LOGLEVEL=debug
- NODE_ENV=production
- CMD_ALLOW_ANONYMOUS=false
- CMD_ALLOW_ANONYMOUS_EDITS=false
- CMD_EMAIL=false
- CMD_ALLOW_EMAIL_REGISTER=false
- CMD_DB_URL=postgres://codimd:letmein@database:5432/codimd
- CMD_DOMAIN=server_name.oregonstate.edu
- CMD_PROTOCOL_USESSL=true
- CMD_LDAP_URL=ldap://ad.oregonstate.edu
- CMD_LDAP_BINDDN=CN=proxy,OU=Service,OU=Accounts,OU=users,DC=ad,DC=oregonstate,DC=edu
- CMD_LDAP_BINDCREDENTIALS={passwd}
- CMD_LDAP_SEARCHBASE=OU=users,DC=ad,DC=oregonstate,DC=edu
- CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))
- CMD_LDAP_USERIDFIELD=sAMAccountName
- CMD_LDAP_PROVIDERNAME=ONID Login Name
- CMD_URL_ADDPORT=false
ports:
- 127.0.0.1:3000:3000
depends_on:
- database
restart: always

2 Likes