ldap provider

.gitignore

@@ -12,7 +12,7 @@ repository
 .coverage
 coverage_html
 app-data*
-settings.cfg
+settings*.cfg
 tmp
 docker-compose.override.yml
 .env

docker/Dockerfile.slim

@@ -5,7 +5,8 @@ FROM alpine:3.20.1 AS compile-stage
 LABEL maintainer="Ralph Thesen <mail@redimp.de>"
 # install build environment (mostly necessary to build Pillow on armv6/7)
 RUN apk add python3 python3-dev py3-virtualenv \
-            zlib-dev jpeg-dev gcc musl-dev
+            zlib-dev jpeg-dev gcc musl-dev \
+            build-base openldap-dev
 # prepare environment
 RUN python3 -m venv /opt/venv
 ENV PATH="/opt/venv/bin:$PATH"
@@ -24,7 +25,7 @@ RUN --mount=type=cache,target=/root/.cache \
 # copy otterwiki source and tests
 COPY otterwiki /src/otterwiki
 # install the otterwiki
-RUN pip install .
+RUN pip install .[ldap]
 
 #
 # production stage
@@ -42,7 +43,7 @@ RUN delgroup www-data && \
     adduser -S -D -u 33 -s /sbin/nologin -h /app -G www-data www-data
 # install python and git
 RUN apk add python3 git uwsgi uwsgi-python3 \
-            zlib jpeg
+            zlib jpeg openldap sqlite
 # copy virtual environment
 COPY --chown=www-data:www-data --from=compile-stage /opt/venv /opt/venv
 # Make sure we use the virtualenv:

docs/auth_examples/ldap-auth/Makefile

@@ -0,0 +1,3 @@
+run:
+	docker compose build
+	docker compose up --remove-orphans

docs/auth_examples/ldap-auth/README.md

@@ -0,0 +1,15 @@
+# Proof of concept: Otterwiki with ldap-auth
+
+Here an example of using ldap authentication in An Otter Wiki can be tested.
+
+After running `docker compose build && docker compose up` or `podman compose
+build && podman compose up` open up <http://localhost:8080> and log in with
+one of these username/password combinations:
+
+- john@ldap.org / 12345678
+- fulano@ldap.org / password
+- max@ldap.org / qwertyui
+
+Notes:
+- `john@ldap.org` is an admin account.
+- `max@ldap.org` is created on login.

docs/auth_examples/ldap-auth/compose.yaml

@@ -0,0 +1,64 @@
+services:
+  otterwiki:
+    depends_on:
+      - ldap
+    image: otterwiki-test-ldap
+    build:
+      context: ../../..
+      dockerfile: docker/Dockerfile.slim
+    ports:
+      - "8080:8080"
+    environment:
+      - LOG_LEVEL=DEBUG
+      - LDAP_URI=ldap://ldap:389
+      - LDAP_USERNAME=cn=Manager,dc=ldap,dc=local
+      - LDAP_PASSWORD=secret
+      - LDAP_BASE=dc=ldap,dc=local
+      - LDAP_SCOPE=subtree
+      - LDAP_DOMAIN=ldap.org
+      # fixed SECRET_KEY for easier testing while keeping the session
+      - SECRET_KEY=aabbaabbaabbaabbaabbaabbaabbaabbaabbaabbaabbaabbaabb
+      - AUTO_APPROVAL=true
+      - EMAIL_NEEDS_CONFIRMATION=false
+    volumes:
+      - app-data:/app-data
+    command:
+      - sh
+      - -c
+      - |
+        cat <<EOF >> /tmp/provider.sql
+        PRAGMA foreign_keys=OFF;
+        BEGIN TRANSACTION;
+        DROP TABLE IF EXISTS user;
+        CREATE TABLE user (
+                id INTEGER NOT NULL,
+                name VARCHAR(128),
+                email VARCHAR(128),
+                password_hash VARCHAR(512),
+                first_seen DATETIME,
+                last_seen DATETIME,
+                is_approved BOOLEAN,
+                is_admin BOOLEAN,
+                email_confirmed BOOLEAN,
+                allow_read BOOLEAN,
+                allow_write BOOLEAN,
+                allow_upload BOOLEAN,
+                provider VARCHAR(8),
+                PRIMARY KEY (id)
+        );
+        INSERT INTO user VALUES(2,'John','john@ldap.org',NULL,'2024-12-01 19:28:13.273738','2024-12-01 19:28:13.273750',1,1,1,1,1,1,'ldap');
+        INSERT INTO user VALUES(3,'Fulano','fulano@ldap.org',NULL,'2024-12-01 19:28:49.696271','2024-12-01 19:28:49.696281',1,0,0,1,1,0,'ldap');
+        # INSERT INTO user VALUES(4,'Max','max@ldap.org',NULL,'2024-12-01 19:29:11.958025','2024-12-01 19:29:11.958039',1,0,0,1,1,1,'ldap');
+        COMMIT;
+        EOF
+        test -f /app-data/db.sqlite || sqlite3 -init /tmp/provider.sql /app-data/db.sqlite
+        /entrypoint.sh
+        /usr/sbin/uwsgi --ini /app/uwsgi.ini
+    stop_signal: SIGINT
+  ldap:
+    image: otterwiki-example-ldap
+    build: example-ldap
+    stop_signal: SIGINT
+
+volumes:
+  app-data:

docs/auth_examples/ldap-auth/example-ldap/Dockerfile

@@ -0,0 +1,18 @@
+FROM almalinux:9
+
+COPY *.ldif /
+
+RUN dnf install -y epel-release procps \
+ && dnf install -y openldap-clients openldap-servers \
+ && slapd -u ldap -h ldapi:/// \
+ && ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif \
+ && ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif \
+ && ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif \
+ && ldapmodify -Y EXTERNAL -H ldapi:/// -f /config.ldif \
+ && ldapadd -H ldapi:/// -D "cn=Manager,dc=ldap,dc=local" -w secret -f /directory.ldif \
+ && pkill -INT slapd \
+ && dnf clean all && rm -rf /var/cache/yum
+
+EXPOSE 389/tcp
+
+ENTRYPOINT /sbin/slapd -u ldap -h "ldap:/// ldapi:///" -d 256

docs/auth_examples/ldap-auth/example-ldap/config.ldif

@@ -0,0 +1,14 @@
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=ldap,dc=local
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=ldap,dc=local
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: secret

docs/auth_examples/ldap-auth/example-ldap/directory.ldif

@@ -0,0 +1,49 @@
+dn: dc=ldap,dc=local
+dc: ldap
+o: ldap
+objectClass: dcObject
+objectClass: organization
+objectClass: top
+
+dn: ou=Main,dc=ldap,dc=local
+ou: Main
+objectClass: organizationalUnit
+objectClass: top
+
+dn: ou=Branch,dc=ldap,dc=local
+ou: Branch
+objectClass: organizationalUnit
+objectClass: top
+
+dn: cn=John Doe,ou=Main,dc=ldap,dc=local
+cn: John Doe
+givenName: John
+sn: Doe
+objectClass: inetOrgPerson
+objectClass: person
+objectClass: top
+userPassword: 12345678
+uid: john
+mail: john@ldap.org
+
+dn: cn=Fulano de Tal,ou=Main,dc=ldap,dc=local
+cn: Fulano de Tal
+givenName: Fulano
+sn: de Tal
+objectClass: inetOrgPerson
+objectClass: person
+objectClass: top
+userPassword: password
+uid: fulano
+mail: fulano@ldap.org
+
+dn: cn=Max Mustermann,ou=Branch,dc=ldap,dc=local
+cn: Max Mustermann
+givenName: Max
+sn: Mustermann
+objectClass: inetOrgPerson
+objectClass: person
+objectClass: top
+userPassword: qwertyui
+uid: max
+mail: max@ldap.org

helm/README.md

@@ -18,10 +18,17 @@ If you run into any issues, please report them via [github](https://github.com/r
 
 ## Installing the Chart
 
-To install the chart with the release name `my-otterwiki` run:
+The Helm repository can be found here:
 
 ```bash
-helm install my-otterwiki --version 0.1.0 oci://registry-1.docker.io/redimp/otterwiki
+helm repo add otterwiki https://charts.otterwiki.com
+helm repo update
+```
+
+After that, to install the chart with the release name `my-otterwiki`, run:
+
+```bash
+helm install my-otterwiki --version 0.1.0 otterwiki/otterwiki
 ```
 
 The command deploys An Otter Wiki on the kubernetes cluster in the default namespace
@@ -63,7 +70,7 @@ helm install my-otterwiki \
   --set ingress.enabled=true \
   --set ingress.hosts[0].host="helm.otterwiki.com" \
   --version 0.1.0 \
-  oci://registry-1.docker.io/redimp/otterwiki
+  otterwiki/otterwiki
 ```
 
 Alternatively, you can use a yaml-file to set the parameters, for example when creating a `values.yaml` with
@@ -83,13 +90,13 @@ and deploy it with
 helm install my-otterwiki \
   --values values.yaml \
   --version 0.1.0 \
-  oci://registry-1.docker.io/redimp/otterwiki
+  otterwiki/otterwiki
 ```
 
 The most recent default `values.yaml` can be fetched using
 
 ```bash
-helm show values --version 0.1.0 oci://registry-1.docker.io/redimp/otterwiki > values.yaml
+helm show values --version 0.1.0 otterwiki/otterwiki > values.yaml
 ```
 
 ### Application configuration