Enable LDAP (AD) authentication

My version of CodiMD is: 2.2

What I expected to happen: Authenticate with Active Directory accounts

Hello, first time user of CodiMD. I’m trying to set up a test instance and want to be able to authenticate with our AD service.

What actually happened:
Followed instructions on setting up environment variables in the docker-compose file. But am unable to login with my AD credentials. Running docker-compose logs -f and it’s not showing any errors.

I already tried:

  - CMD_DB_URL=postgres://codimd:@database/codimd
  - CMD_USECDN=false
  - CMD_DOMAIN=server.cosine.oregonstate.edu
  - CMD_PROTOCOL_USESSL=true
  - CMD_LDAP_URL=ldap://ad.server.edu
  - CMD_LDAP_BINDDN=cn=adproxy-user,OU=pid,DC=ad,DC=oregonstate,DC=edu
  - CMD_LDAP_BINDCREDENTIALS=
  - CMD_LDAP_SEARCHBASE=OU=pid,DC=ad,DC=oregonstate,DC=edu
  - CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))
  - CMD_LDAP_USERIDFIELD=sAMAccountName
  - CMD_LDAP_PROVIDERNAME=ONID Login Name

Looking to see if anyone else has gotten AD auth to work.
Thanks…
Docker version 19.03.12, build 48a66213fe
CentOS 8.2.2004

Hey @cjkeist,

I guess you’re not using this community-developed CodiMD (soon to be known as HedgeDoc), but the hackmd version, because we have no version 2.2. If you want to know more about why there currently are two pieces of software called CodiMD you can read about it here and here.

Maybe someone over there can help you get your problem fixed or if you prefer you could switch to our version and we could help you if there are still problems with LDAP. (I’m not sure if you’re currently creating a new instance or just adding LDAP-Auth, in the latter case be warned we’re not sure if you can migrate from hackmd/codimd 2.2 to our latest release.)

A basic guide to use AD with this version can be found here.

Thank you for the clarification between the two branches. Is it just a simple case to switch the image file in my docker-compose file to linuxserver/codimd:latest? I tried that and AD auth still fails with no errors in logs.

Sorry, this image: quay.io/codimd/server

If this helps here is my docker-compose file:

version: "3"
services:
  database:
    container_name: database
    image: postgres:11.6-alpine
    environment:
      - POSTGRES_USER=codimd
      - POSTGRES_PASSWORD=passwd
      - POSTGRES_DB=codimd
    volumes:
      - "database-data:/var/lib/postgresql/data"
    restart: always
  codimd:
    container_name: codimd
    #image: nabo.codimd.dev/hackmdio/hackmd:2.2.0
    image: quay.io/codimd/server
    environment:
      - DEBUG=true
      - NODE_ENV=production
      - CMD_ALLOW_ANONYMOUS=false
      - CMD_ALLOW_ANONYMOUS_EDITS=false
      - CMD_EMAIL=false
      - CMD_ALLOW_EMAIL_REGISTER=false
      - CMD_DB_URL=postgres://codimd:passwd@database:5432/codimd
      - CMD_DOMAIN=codimd.cosine.oregonstate.edu
      - CMD_PROTOCOL_USESSL=true
      - CMD_LDAP_URL=ldap://ad.oregonstate.edu
      - CMD_LDAP_BINDDN=cn=adproxy-user,OU=user,DC=uid,DC=oregonstate,DC=edu
      - CMD_LDAP_BINDCREDENTIALS=passwd
      - CMD_LDAP_SEARCHBASE=OU=user,DC=uid,DC=oregonstate,DC=edu
      - CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))
      - CMD_LDAP_USERIDFIELD=sAMAccountName
      - CMD_LDAP_PROVIDERNAME=ONID Login Name
    ports:
      - 127.0.0.1:3000:3000
    depends_on:
      - database
    #volumes:
    # - upload-data:/home/hackmd/app/public/uploads
    restart: always
  apache:
    container_name: apache
    image: docker.io/bitnami/apache:2.4-debian-10
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - /srv/vhosts/codimd_vhost.conf:/vhosts/my_vhost.conf:ro
      - /srv/certs:/certs
volumes:
  database-data: {}
  upload-data: {}

With this the main login page is not displaying correctly. And authentication still is not working.

Can you check that your CodiMD instance is using the correct port? If not, you can try adding CMD_URL_ADDPORT=false as an environment variable to get proper URLs and unbreak your CSS.

Thank you. Setting CMD_URL_ADDPORT to false fixed rendering of the web page. Still no luck in getting it to authenticate with our AD accounts :frowning:
Would the main issue be in getting the search filter line correct?

I believe I have LDAP authenticating to our AD server ok. I’m getting the following error:
SizeLimitExceededError: Size Limit Exceeded

Our AD environment has 50k+ accounts. Is there a way to increase the size limit?
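The two questions above (is the search filter line right, and why does a lookup hit the directory's size limit) can both be answered offline before touching the server. The following is an added example, not code from the thread or from the CodiMD project: it renders the CMD_LDAP_SEARCHFILTER template for a login name with RFC 4515 escaping of the substituted value, and then evaluates the rendered filter against a small constructed in-memory directory. How CodiMD's own LDAP library substitutes `{{username}}` is not shown on this page; the escaping here is the example's own assumption, and the contrast with the unescaped case shows why it matters: an unescaped `*` turns a one-user lookup into a match-everything filter, which is one way a search can return far more entries than intended.

```python
"""Added example (not part of the CodiMD thread): render a CodiMD-style LDAP
search filter template for one login name, then count how many entries of a
small constructed directory it matches."""
import re

# Filter template exactly as used in the thread's CMD_LDAP_SEARCHFILTER.
TEMPLATE = "(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally by the server."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute every {{username}} in the template. escape=False shows what
    happens when the login name is dropped in verbatim (assumed worst case)."""
    value = escape_filter_value(username) if escape else username
    return template.replace("{{username}}", value)


# --- minimal evaluator for (&...), (|...) and (attr=value) filters -----------

def _parse(s: str, i: int):
    """Parse one parenthesised filter node starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    j = s.index(")", i)  # escaped values never contain a raw ')'
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _value_regex(val: str) -> re.Pattern:
    """Turn an assertion value into a regex: raw '*' is a wildcard, \\XX escapes
    become literal characters. AD attribute matching is case-insensitive."""
    parts = []
    for token in re.split(r"(\\[0-9a-fA-F]{2}|\*)", val):
        if token == "*":
            parts.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", token):
            parts.append(re.escape(chr(int(token[1:], 16))))
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts), re.IGNORECASE)


def _matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, val = node
    actual = entry.get(attr)
    return actual is not None and _value_regex(val).fullmatch(actual) is not None


def count_matches(filter_str: str, directory: list) -> int:
    """Number of directory entries (attribute names lower-cased) the filter matches."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sum(_matches(node, e) for e in directory)


# Constructed sample directory (toy values, not real accounts).
DIRECTORY = [
    {"objectcategory": "person", "objectclass": "user", "samaccountname": "jdoe", "mail": "jdoe@example.edu"},
    {"objectcategory": "person", "objectclass": "user", "samaccountname": "asmith", "mail": "asmith@example.edu"},
    {"objectcategory": "person", "objectclass": "user", "samaccountname": "proxy", "mail": "proxy@example.edu"},
    {"objectcategory": "computer", "objectclass": "computer", "samaccountname": "WS01$"},
]

if __name__ == "__main__":
    for name, esc in (("jdoe", True), ("*", True), ("*", False)):
        f = render_filter(TEMPLATE, name, escape=esc)
        print(f"{name!r:8} escape={esc!s:5} -> {count_matches(f, DIRECTORY)} match(es): {f}")
```

A real login of `jdoe` yields exactly one match, a login of `*` yields none once escaped, and the same `*` dropped in unescaped matches every person object in the base. On a directory with 50k+ accounts that last shape is what a size-limit error looks like, so the first thing to verify is that the rendered filter for a known user selects that one entry under the configured search base.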

Just got it working! Following is my docker compose file:

  codimd:
    container_name: codimd
    #image: nabo.codimd.dev/hackmdio/hackmd:2.2.0
    image: quay.io/codimd/server
    environment:
      - DEBUG=true
      - CMD_LOGLEVEL=debug
      - NODE_ENV=production
      - CMD_ALLOW_ANONYMOUS=false
      - CMD_ALLOW_ANONYMOUS_EDITS=false
      - CMD_EMAIL=false
      - CMD_ALLOW_EMAIL_REGISTER=false
      - CMD_DB_URL=postgres://codimd:letmein@database:5432/codimd
      - CMD_DOMAIN=server_name.oregonstate.edu
      - CMD_PROTOCOL_USESSL=true
      - CMD_LDAP_URL=ldap://ad.oregonstate.edu
      - CMD_LDAP_BINDDN=CN=proxy,OU=Service,OU=Accounts,OU=users,DC=ad,DC=oregonstate,DC=edu
      - CMD_LDAP_BINDCREDENTIALS={passwd}
      - CMD_LDAP_SEARCHBASE=OU=users,DC=ad,DC=oregonstate,DC=edu
      - CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))
      - CMD_LDAP_USERIDFIELD=sAMAccountName
      - CMD_LDAP_PROVIDERNAME=ONID Login Name
      - CMD_URL_ADDPORT=false
    ports:
      - 127.0.0.1:3000:3000
    depends_on:
      - database
    restart: always
