Best way to setup LDAP authentication ?

Hello,

I'm trying to set up an internal wiki at work using the git repos we already have, and I'd like to set up LDAP authentication to connect to ikiwiki.

I see that ikiwiki can use the unix accounts of the underlying system, so I should be able to have LDAP authentication via NSS or PAM, but those only work if the LDAP user entries have the attribute 'objectClass: posixAccount' (unless I'm doing it wrong). My LDAP entries have the 'uid', 'userPassword' and 'mail' attributes and I guess this should theoretically be enough since other applications can use it (like gitlab).

What are my options ?

RSS

Solution

I've managed to make it work with the method described here.

I did not understand at first that an LDAP authentication on the webserver was enough and that ikiwiki would just trust what the webserver returns. Anyway, I replaced nginx with apache2, loaded the modules authnz_ldap and ldap, and used a configuration like this one :

<Location /~ikiwiki/wiki_name/auth>
        order allow,deny 
        allow from all 
        AuthName "AuthRequired" 
        AuthType Basic 
        AuthBasicProvider ldap 

        AuthLDAPURL "ldap://<ldap_fqdn>:389/<searchbase>?uid?sub?<searchfilter>" 
        AuthLDAPBindDN  "<binddn>" 
        AuthLDAPBindPassword "<password>" 
        require valid-user 
</Location>

As you can see I chose the second option of the documentation (separate cgiauthurl), as gitlab must be able to ping the wiki without authentication (as mentioned at the end of this doc). Unfortunately gitlab doesn't seem to provide a way to set complex post-receive hook (the interface just provides something called "webhooks" which just takes an url and not a complete shell command), so I need to investigate further.

Comment by ac_w — Thu May 6 09:31:21 2021

Remove comment

gitlab post-receive hook

Concerning the post-receive hook that I mentioned in the previous comment, it turned out I didn't have to bother with webhooks. Even though it's a bit out of the scope of this topic, here is how to do it:

Find the hashed name of the repository in the Admin Area of gitlab. (see details)
mkdir /var/opt/gitlab/git-data/repositories/@hashed/<group_hash>/<repo_hash>.git/custom_hooks (see details)
create /var/opt/gitlab/git-data/repositories/@hashed/<group_hash>/<repo_hash>.git/custom_hooks/post-receive with the following content :

#!/bin/sh
git log -1 --format=format:%ae HEAD | grep -e '@web$' -e 'ikiwiki' ||  wget "https://<wiki_url>/ikiwiki.cgi?do=ping" -O -

(without the shebang it doesn't work, also I had to remove the /dev/stdout part otherwise the shell complains git can't write to it)

chown -R git:root /var/opt/gitlab/git-data/repositories/@hashed/<group_hash>/<repo_hash>.git/custom_hooks
chmod +x /var/opt/gitlab/git-data/repositories/@hashed/<group_hash>/<repo_hash>.git/custom_hooks/post-receive

Comment by ac_w — Thu May 6 11:38:16 2021

Remove comment

Add a comment