LDAP
Last updated
Was this helpful?
Last updated
Was this helpful?
Server Pro provides LDAP server integration for user authentication and is compatible with Active Directory systems. For Toolkit deployments, the LDAP integration is configured via the config/variables.env file.
Internally, the LDAP integration uses the library. Most of these configuration options are passed through to the server config object which is used to configure passport-ldapauth. If you are having issues configuring LDAP, it is worth reading the for passport-ldapauth to get a feel for the configuration it expects.
To enable LDAP authentication the EXTERNAL_AUTH variable must be set to ldap:
After bootstrapping Server Pro for the first time with LDAP authentication, an existing LDAP user must be given admin permissions by visiting the /launchpad page (or via , but in this case ignoring password confirmation).
LDAP users will appear in Overleaf Admin Panel once they log in first time with their initial credentials.
OVERLEAF_LDAP_URL
Required, The URL of the LDAP server, E.g. ldaps://ldap.example.com:636
OVERLEAF_LDAP_EMAIL_ATT
The email attribute the LDAP server will return, defaults to mail
OVERLEAF_LDAP_NAME_ATT
The property name holding the name of the user which is used in the application
OVERLEAF_LDAP_LAST_NAME_ATT
If your LDAP server has a first and last name then this can be used in conjunction with OVERLEAF_LDAP_NAME_ATT
OVERLEAF_LDAP_PLACEHOLDER
The placeholder for the login form, defaults to Username
OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN
If set to true, will update the user first_name and last_name field on each login, and turn off the user-details form on /user/settings page. Otherwise, details will be fetched only on first login.
OVERLEAF_LDAP_BIND_DN
Optional, e.g. uid=admin,ou=people,o=planetexpress.com.
OVERLEAF_LDAP_BIND_CREDENTIALS
Password for bindDn.
OVERLEAF_LDAP_BIND_PROPERTY
Optional, default dn. Property of user to bind against client e.g. name, email
OVERLEAF_LDAP_SEARCH_BASE
The base DN from which to search for users by username. E.g. ou=people,o=planetexpress.com
OVERLEAF_LDAP_SEARCH_FILTER
LDAP search filter with which to find a user by username, e.g. (uid={{username}}). Use the literal {{username}} to have the given username be interpolated in for the LDAP search. If you are using Active Directory then the search filter (sAMAccountName={{username}}) may be more appropriate.
OVERLEAF_LDAP_SEARCH_SCOPE
Optional, default sub. Scope of the search, one of base, one, or sub.
OVERLEAF_LDAP_SEARCH_ATTRIBUTES
Optional, default all. Json array of attributes to fetch from LDAP server.
OVERLEAF_LDAP_GROUP_DN_PROPERTY
Optional, default dn. The property of user object to use in {{dn}} interpolation of groupSearchFilter.
OVERLEAF_LDAP_GROUP_SEARCH_BASE
Optional. The base DN from which to search for groups. If defined, also groupSearchFilter must be defined for the search to work.
OVERLEAF_LDAP_GROUP_SEARCH_SCOPE
Optional, default sub.
OVERLEAF_LDAP_GROUP_SEARCH_FILTER
Optional. LDAP search filter for groups. The following literals are interpolated from the found user object: {{dn}} the property configured with groupDnProperty. Optionally you can also assign a function instead, which passes a user object, from this a dynamic groupSearchFilter can be retrieved.
OVERLEAF_LDAP_GROUP_SEARCH_ATTRIBUTES
Optional, default all. Json array of attributes to fetch from LDAP server.
OVERLEAF_LDAP_CACHE
Optional, default false. If true, then up to 100 credentials at a time will be cached for 5 minutes.
OVERLEAF_LDAP_TIMEOUT
Optional, default Infinity. How long the client should let operations live for in milliseconds before timing out.
OVERLEAF_LDAP_CONNECT_TIMEOUT
Optional, default is up to the OS. How long the client should wait in milliseconds before timing out on TCP connections.
OVERLEAF_LDAP_TLS_OPTS_CA_PATH
A JSON array of paths to the CA file for TLS, must be accessible to the Docker container. E.g. -env OVERLEAF_LDAP_TLS_OPTS_CA_PATH='["/var/one.pem", "/var/two.pem"]'
OVERLEAF_LDAP_TLS_OPTS_REJECT_UNAUTH
If true, the server certificate is verified against the list of supplied CAs.
OVERLEAF_LDAP_IS_ADMIN_ATT and OVERLEAF_LDAP_IS_ADMIN_ATT_VALUE
When both environment variables are set, the login process updates user.isAdmin = true when the profile returned by LDAP contains OVERLEAF_LDAP_IS_ADMIN_ATT, and its value is either equals to OVERLEAF_LDAP_IS_ADMIN_ATT_VALUE, or an array containing OVERLEAF_LDAP_IS_ADMIN_ATT_VALUE.
Introduced: 5.2.0
The openldap needs to run in the same network as the sharelatex container (which by default would be overleaf_default), so we'll proceed with the following steps:
Run docker network create overleaf_default (will possibly fail due to a network with name overleaf_default already exists error, that's OK).
Start openldap container with docker run --network=overleaf_default --name=ldap rroemhild/test-openldap:1.1
Edit variables.env to add the LDAP environment variables as listed above.
Run bin/up -d and you should be able to login using fry as both username and password.
As LDAP is heavily configurable and flexible by nature it can be a good starting point to have a working example with ldapsearch or even used by another application.
The following command will connect to the LDAP server at ldap on port 389. It will then bind to the server using the distinguished name (DN) admin@planetexpress.com and password password123. The base DN for the search will be ou=people,dc=planetexpress,dc=com. The search filter is set to return entries where the Common Name (CN) contains fry, and it will return the mail attribute of these entries.
When running this search command against your own service please ensure that you replace fry, password123, and planetexpress.com with your actual username, password, and domain. Also, make sure that the LDAP server is accessible and the provided details are correct:
At Overleaf, we test the LDAP integration against a . The following is an example of a working configuration: