
A Drawpile-compatible auth server backed by LDAP

License: MIT License


drawpile-ldap-auth-server

A Drawpile-compatible auth server backed by LDAP

Install

Prerequisites

  • Node.js v12 or greater
  • An LDAP server
  • A Drawpile server configured for external authentication

Docker

See docker-compose.yml for an example Compose file. Alternatively, you may want to use docker run:

$ cp config.example.toml config.toml
$ $EDITOR config.toml # see README.md "Configuring the auth server" for details
$ docker run -d --rm \
    -p 8081:8081 \
    -v path/to/config.toml:/usr/src/app/config.toml:ro \
    bytewave81/drawpile-ldap-auth-server

Manual

You don't want to use my shiny Docker setup? But I worked so hard on it!

$ git clone https://github.com/BytewaveMLP/drawpile-ldap-auth-server.git
$ cd drawpile-ldap-auth-server
$ yarn install
$ yarn build
$ cp config.example.toml config.toml
$ $EDITOR config.toml # see README.md "Configuring the auth server" for details
$ node .

Usage

Configuring Drawpile

In order to make use of this, you need to configure Drawpile to look for your external auth server. Note that both Drawpile and clients will need access to the auth server, so drawpile-ldap-auth-server must be internet-facing. I recommend putting this behind nginx in order to allow secure communications between clients and the server.

To configure Drawpile to direct clients to this auth server, add the following entries to the [config] section of your Drawpile instance:

; enable extauth and direct users to the auth server
extauth = true
; PUBLIC key for token signing, see "Generating a token keypair"
extauthkey = ""
; users must be in this LDAP group in order to use the instance (optional)
extauthgroup = user
; should Drawpile fall back to the internal user database if the auth server is unreachable?
extauthfallback = false
; drawpile-ldap-auth-server can pull moderator status from LDAP groups; set this to true if
; you'd like to enable that
; Drawpile flag: MOD
extauthmod = true
; drawpile-ldap-auth-server can also allow users to host sessions based on LDAP group membership;
; set this to true if you'd like that as well
; Drawpile flag: HOST
extauthhost = true
; drawpile-ldap-auth-server may additionally retrieve user avatars from LDAP; set this to true
; if you want Drawpile to request user avatars upon authentication
; You must also configure ldap.imageAttribute in your drawpile-ldap-auth-server configuration
extAuthAvatars = true
; should guests be allowed to access Drawpile?
; this setting must match the setting in config.toml for drawpile-ldap-auth-server
allowGuests = false
; should all users be allowed to host sessions?
; if allowGuests is false but this is true, *any* authenticated user will be allowed to host sessions
; regardless of whether they have the HOST flag
allowGuestHosts = false

Additionally, you need to pass the --extauth parameter to drawpile-srv which points to the public-facing URL for your drawpile-ldap-auth-server instance.

Configuring the auth server

First, copy config.example.toml to config.toml. Then, open it in your favorite editor. Each config option is explained rather clearly in the config comments.

For more details on TOML syntax, see the README.

If you would prefer, you may set configuration options through environment variables or command-line arguments rather than through the config file. Each config option has a corresponding environment variable/argument which, if set, overrides the value listed in the config file. Note that ldap.flagGroups does not have an associated environment variable mapping; it is the only value which must be set in config.toml.

Additionally, there are two environment-only configuration options relating to logging. These are:

  • LOG_LEVEL

    The Winston log level to use. By default, this is info if NODE_ENV is production, and debug otherwise. It's probably best to leave this as the default; setting this to anything below debug may expose sensitive information in your logs, and should only be used for debugging.

  • NODE_ENV

    The environment this instance is running under. By default, this is assumed to be development, in which case debug-level logging output is enabled (unless overridden via LOG_LEVEL). Set this to production in an actual deployment (the Docker image does this for you).

Generating a token keypair

Drawpile uses libsodium to handle token verification, which expects a "raw" format Ed25519 public key (i.e., the bare 32 key bytes with no container format). However, OpenSSL (and therefore Node) operates on containerized keys in DER and PEM formats. As such, you will need to generate your keypair in a very specific manner.

# generate private key (PKCS#8 DER, base64-encoded); this goes in config.toml or in your environment as DRAWPILE_AUTH_TOKEN_SIGNING_KEY
$ PRIVKEY="$(openssl genpkey -algorithm ed25519 -outform DER | openssl base64)"; echo "$PRIVKEY"
# generate public key; this goes in your Drawpile config.ini
# the SubjectPublicKeyInfo DER is 44 bytes: a 12-byte Ed25519 header followed by the 32 raw key bytes,
# so `tail -c +13` drops the header and leaves the raw key that libsodium expects
$ echo "$PRIVKEY" | openssl base64 -d | openssl pkey -inform DER -outform DER -pubout | tail -c +13 | openssl base64

Maintainers

Contribute

PRs, feature suggestions, and bug reports welcome.

License

Copyright (c) Eliot Partridge, 2020. Licensed under the MIT License.
