LDAP - Limit Login to certain users / List all users

My version of HedgeDoc is: 1.9.6

Hello everyone,

I already wrote a chat message, but I thought I’d rather have a forum thread for this to keep track of. First of all I wanted to give positive feedback regarding HedgeDoc. The setup and documentation are well made and the setup relatively easy. But now it comes to some customization:

I bound the HedgeDoc system to an LDAP for the users to authenticate. The problem is that in our organization all users are in the same OU, therefore all users can log in. But I want to limit the access to a certain user group. The problem is, the user objects don’t have a proper “memberOf” attribute. Filtering for it in the LDAP search filter is not possible. I also tried to set up an additional group search base and filter, but this doesn’t seem to limit the login. My question is now, is there another way to limit the access to certain users? The UPN would be unique to the subdomain (user@domain1 / user@domain2), but at the moment I can’t figure out how to use this. Since we are using {{username}} in the config, which is the value one enters in the web interface, I don’t know how to e.g. match the entered value with a like wildcard *@domain1 or something. Do you have any idea how to achieve this, with a clever LDAP filter or something? I’m also in talks with the AD admin if we can’t get a proper memberOf attribute. This would be sufficient, since I know how to make LDAP filters with memberOf, but not without.

The second thing is: From other on-prem web services I’m used to having an admin interface to configure more. In the web interface I can only log in as a normal user. Is the administration entirely done via config.json and/or env variables? I have a specific issue: I want to delete an old user, who already left the org. I don’t want to have his/her files on the server. Where can I query all users and maybe delete their files?

Thanks in advance!
Best LJJB

Hey @ljjb,

Sorry for the delayed answer.

In regards to the ldap filter:
I’m not aware of how to do that nor am I confident this forum is the best place for such very specific ldap questions. Maybe a dedicated ldap community could help you out?

In regards to the second thing:
No. I’m afraid HedgeDoc currently does not feature an admin interface or anything in that direction. There is an open issue (Admin GUI · Issue #2761 · hedgedoc/hedgedoc · GitHub) to implement something like this in a later 2.x release, but as we’re currently still working on 2.0 this will probably take some time.

Greetings
DerMolly

Hey @DerMolly ,

thank you for the reply. I found an okayish solution for me. I just did it as follows:

(&(objectcategory=person)(objectclass=user)(userPrincipalName={{username}})(userPrincipalName=*@department1.organization.com))

So the entered username has to match the UPN with wildcard. This way only department1 people can log in. The problem with this solution is if I want to add more people later I can only do this department-wise, or the LDAP filter would get really long when adding exact people’s UPNs there. I would rather match this with group membership. Unfortunately in my AD I’m not allowed to query memberOf per user. Do you have an idea what . Do you know if HedgeDoc supports npm-ldapauth’s GroupSearchFilter and how they work? Can I match this with the LDAP user search filter? Otherwise I’m OK with this solution.

Regarding the admin interface: I don’t necessarily need one, but I would like to know a way to see all users that ever logged into HedgeDoc, and if there is a mechanism to delete user content from an admin point of view. When logging in to the web interface I can see a “delete user” option. But imagine the following scenario: The user is leaving the org and can’t log in to HedgeDoc anymore → OK! But there might still be data of his/hers on the server. How can I as admin delete all of it without logging in with his/her account? Is there a CLI command or something I could execute in the Docker container? This is especially important in Germany with DSGVO and the right of deletion of user files. Thanks in advance!
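An added example, not code from this thread or from HedgeDoc: a small Python model of how the filter in the post above behaves once the login input is substituted for {{username}}. The directory entries, names and domains are constructed sample data; the matcher implements only the filter subset the post uses (&, |, ! and equality with * wildcards, compared case-insensitively as AD does) and assumes, as RFC 4515 requires, that the substituted login value is escaped before insertion (the escaping done by ldapauth-fork itself is not reproduced here, it is modelled by escape_filter_value). It also shows the edge case a practitioner would want to check: a login value of “*” matches no entry after escaping, so the *@department1 clause is a real restriction rather than one a malformed login could widen.

```python
import re

# Constructed sample directory entries (not real data).
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=organization,DC=com",
     "objectCategory": "person", "objectClass": ["top", "person", "user"],
     "userPrincipalName": "alice@department1.organization.com"},
    {"dn": "CN=Bob,OU=Users,DC=organization,DC=com",
     "objectCategory": "person", "objectClass": ["top", "person", "user"],
     "userPrincipalName": "bob@department2.organization.com"},
    {"dn": "CN=Svc,OU=Users,DC=organization,DC=com",
     "objectCategory": "computer", "objectClass": ["top", "computer"],
     "userPrincipalName": "svc@department1.organization.com"},
]

# The search filter template from the post; {{username}} is the login input.
FILTER_TEMPLATE = ("(&(objectcategory=person)(objectclass=user)"
                   "(userPrincipalName={{username}})"
                   "(userPrincipalName=*@department1.organization.com))")


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def render_filter(template, username):
    """Substitute the (escaped) login input into the filter template."""
    return template.replace("{{username}}", escape_filter_value(username))


def parse_filter(text):
    """Parse the subset of RFC 4515: &, |, ! and attr=value with wildcards."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    # Simple item: escaped values never contain a literal ')'.
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(pattern, actual):
    # Unescaped '*' splits the pattern; escaped '\2a' stays a literal star.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.match("^" + ".*".join(parts) + "$", actual, re.IGNORECASE) is not None


def _attr_values(entry, attr):
    for key, val in entry.items():
        if key.lower() == attr:
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in _attr_values(entry, attr))


def allowed_logins(username, entries=SAMPLE_ENTRIES, template=FILTER_TEMPLATE):
    """Return the DNs the rendered filter matches for this login input."""
    node = parse_filter(render_filter(template, username))
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for login in ["alice@department1.organization.com",
                  "bob@department2.organization.com", "*"]:
        print(login, "->", allowed_logins(login))
```

Running it shows that only the department1 person entry is returned for Alice’s UPN, Bob (department2) and the non-person object are rejected, and the wildcard login yields nothing. The same harness can be used to test a longer (|(userPrincipalName=*@a.example)(userPrincipalName=*@b.example)) clause before putting it into config.json.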

HedgeDoc uses passport-ldapauth, which in turn uses ldapauth-fork, but none of our ldap config options mention GroupSearchFilter, so I would guess no.

Ok, thought so, too. Any idea regarding getting rid of old user content? Or will the DB slowly fill up without a way to clean this up?