How to Enable User Authentication via LDAP in HedgeDoc?

Hey guys! :smiling_face_with_three_hearts:

I am looking at HedgeDoc for our team to edit documents together, and it seems pretty neat. We already have a system for managing user accounts (LDAP), and I was hoping to connect HedgeDoc to it for easier logins and stuff. This way, everyone would use the same login across all our systems, which would be super convenient.

The thing is, I am scratching my head a bit on how to actually set this up. Here’s the situation:

  • We have got HedgeDoc running on [describe your server environment, e.g., a Docker container on our own server]. It works great with everyone logging in directly, but now we want to link it up with our LDAP server.
  • Is there a step-by-step guide or something that shows how to connect HedgeDoc to an LDAP server for user logins? Are there any special settings we need to tweak inside HedgeDoc?
  • And of course, security is important. Are there any best practices for keeping things secure when using LDAP with HedgeDoc? Maybe specific permissions we should set on both HedgeDoc and the LDAP server itself?
  • If there are any common problems people run into when setting this up, any heads-up would be awesome! That way we can avoid any roadblocks.

I also checked this thread: https://community.hedgedoc.org/t/enable-ldap-ad-authenticatioalteryx but I have not found any solution. Could anyone guide me on this?

Thanks a lot for the help!

Respected community member :innocent:

Hi @hope56, welcome to the HedgeDoc community!

Depending on whether you deployed your instance manually (running node.js directly) or use the docker images, you need to configure the LDAP integration using either config.json (manual deployment) or environment variables (docker).

You’ll find all relevant config options regarding the LDAP integration here: https://docs.hedgedoc.org/configuration/#ldap-login

Regarding security: it's recommended to have your LDAP server use the LDAPS protocol and, if possible, not to expose it to the public internet, but to keep it internal for your LDAP-using services. In case you use a self-signed TLS certificate for the LDAP server, you can configure it using the CMD_LDAP_TLS_CA variable, which should point to a file in the docker container (so the file needs to be mounted).

I hope this is a starting point for your deployment.
If you’ve got any more questions, feel free to ask!
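To make the docker variant of the reply above concrete, here is an added example compose fragment (not from the reply's author or the HedgeDoc project) showing the plaintext LDAP setting commented out next to the LDAPS setting, a read-only bind account, and the CA file mounted so CMD_LDAP_TLS_CA can find it. The hostnames, DNs, the `./ldap-ca.pem` path and the image tag are assumptions for illustration.

```yaml
# docker-compose.yml fragment (constructed example, not the project's own file)
services:
  hedgedoc:
    image: quay.io/hedgedoc/hedgedoc:1   # tag is an assumption; pin the version you run
    environment:
      - CMD_DOMAIN=hedgedoc.example.internal
      - CMD_DB_URL=postgres://hedgedoc:change-me@database:5432/hedgedoc
      # Weak: plain ldap:// on 389 sends the bind password and every user's
      # login password across the network unencrypted.
      # - CMD_LDAP_URL=ldap://ldap.example.internal:389
      # Corrected: LDAPS on 636, reaching a server that is only routable internally.
      - CMD_LDAP_URL=ldaps://ldap.example.internal:636
      # Dedicated read-only service account for the user search, not an admin DN.
      - CMD_LDAP_BINDDN=cn=hedgedoc-reader,ou=services,dc=example,dc=internal
      - CMD_LDAP_BINDCREDENTIALS=change-me-load-from-a-secret
      - CMD_LDAP_SEARCHBASE=ou=people,dc=example,dc=internal
      # HedgeDoc substitutes {{username}} with the login name; match one attribute only.
      - CMD_LDAP_SEARCHFILTER=(uid={{username}})
      - CMD_LDAP_SEARCHATTRIBUTES=uid,displayName,mail
      - CMD_LDAP_USERIDFIELD=uid
      - CMD_LDAP_USERNAMEFIELD=displayName
      - CMD_LDAP_PROVIDERNAME=Company LDAP
      # Path inside the container; the host file is mounted read-only below.
      - CMD_LDAP_TLS_CA=/certs/ldap-ca.pem
    volumes:
      - ./ldap-ca.pem:/certs/ldap-ca.pem:ro
      - uploads:/hedgedoc/public/uploads
    depends_on:
      - database
  database:
    image: postgres:15   # version is an assumption
    environment:
      - POSTGRES_USER=hedgedoc
      - POSTGRES_PASSWORD=change-me
      - POSTGRES_DB=hedgedoc
    volumes:
      - database:/var/lib/postgresql/data
volumes:
  uploads:
  database:
```

If the CA file is not mounted, the container sees an empty CMD_LDAP_TLS_CA path and the LDAPS handshake fails at login time, which is the most common setup error to check first.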