External Authentication about kanboard HOT 25 CLOSED

kanboard commented on July 20, 2024
External Authentication

from kanboard.

Comments (25)

fguillot commented on July 20, 2024

I have to improve the code first to allow multiple authentication backends. But it's definitely a good idea.

thomasnoel commented on July 20, 2024

Do you also have "web auth" in mind? I think about OAuth2, for example. Using a library like https://github.com/Lusitanian/PHPoAuthLib, it should be simple.

But it will go against the "no external dependencies" of Kanboard ;-)

julienmathis commented on July 20, 2024

It's a very good idea to implement OAuth...

lunarok commented on July 20, 2024

+1 for the LDAP connection (and by accepting the user as a REMOTE sent by SSO)
Will be perfect in a Yunohost installation (already prepared a package for your Kanboard, but will be definitely better if we have the LDAP used also)

fguillot commented on July 20, 2024

I will probably implement external authentication for the next release of Kanboard.

I plan to have those providers for the first version:

  • Internal LDAP server
  • Google
  • Github
  • Microsoft

If you need other providers, just tell me.

fguillot commented on July 20, 2024

I implemented the LDAP authentication in master: http://kanboard.net/documentation/ldap-authentication

I will also add Google later.

fguillot commented on July 20, 2024

Google authentication is now supported: http://kanboard.net/documentation/google-authentication

pchauvier commented on July 20, 2024

Hello,
I installed and configured kanboard on Ubuntu Server with LDAP authentication.
I use an LDAP Novell eDirectory.
I want to use an LDAP proxy user (with appropriate rights) to read all properties of my Directory.
I would, moreover, like to be able to perform a recursive reading (in sub organizational units).
Is this possible?
Currently, only the accounts present in the organizational unit specified in the variable LDAP_USER_DN are exploitable.

Example of desired configuration:

```php
define('LDAP_AUTH', true);
define('LDAP_SERVER', 'myserver.mydomain.fr');
define('LDAP_USER_DN', 'cn=%s');
define('LDAP_PROXYUSER_NAME', 'cn=myproxyuser,o=myproxyuserDN');
define('LDAP_PROXYUSER_PWD', 'myproxyuserpwd');
define('LDAP_RECURSIVE', true);
```

PS: Is there a French forum for Kanboard?

Thanks for your help.
Philippe.

fguillot commented on July 20, 2024

I have never used Novell eDirectory. To implement this behaviour I need to simulate that on my development environment (at least reproduce a similar environment with OpenLDAP because Novell eDirectory is not free).

  • What exactly is the purpose of the Proxy User?
  • Do you know another open source project compatible with your setup? (maybe I can see an example of their implementation to help me).

There is no French forum, but you can still write here in French.

poVoq commented on July 20, 2024

While LDAP is also supported by it, a native OwnCloud (www.owncloud.org) login for Kanboard would be nice, as it could then be directly included in the web interface of OwnCloud via the "webapp" plugin even if LDAP isn't used.

pchauvier commented on July 20, 2024

Hello,
In addition to my recent post, attached is an example PHP script for reading a Novell LDAP directory (LDAP standards compliance).
The proxy user has access rights to the various properties of objects in the directory (according to the rights granted by the administrator).
The access to "email" and "fullname" properties would allow automatic completion of the information of the connected user.

I hope this will help.
Philippe.

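```php
<?php
// The start of this script was lost in extraction; the connection settings
// below are placeholders.
$ldaphost = 'myserver.mydomain.fr';
$ldapport = 389;
$ldapuser = 'cn=myproxyuser,o=myproxyuserDN'; // proxy user
$ldappwd  = 'myproxyuserpwd';
$dn       = 'o=myorganization';               // search base

$ldapconn = ldap_connect($ldaphost, $ldapport)
    or die("Impossible de se connecter au serveur LDAP {$ldaphost}");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

// Bind as the proxy user and stop if the bind is refused
$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappwd)
    or die("LDAP bind failed");

// LDAP search filter definition (ldap_search covers the whole subtree under $dn)
$filtre = "(objectclass=inetOrgPerson)";
$sr = ldap_search($ldapconn, $dn, $filtre);
$info = ldap_get_entries($ldapconn, $sr);

// Disable error reporting (entries may lack some of the attributes read below)
error_reporting(0);

for ($i = 0; $i < $info["count"]; $i++) {
    $loginuser  = mb_convert_encoding($info[$i]["cn"][0], 'ISO-8859-1', 'UTF-8');
    $matricule  = mb_convert_encoding($info[$i]["workforceid"][0], 'ISO-8859-1', 'UTF-8');
    $fonction   = mb_convert_encoding($info[$i]["title"][0], 'ISO-8859-1', 'UTF-8');
    $nomcomplet = mb_convert_encoding($info[$i]["fullname"][0], 'ISO-8859-1', 'UTF-8');
    $nomfamille = mb_convert_encoding($info[$i]["sn"][0], 'ISO-8859-1', 'UTF-8');
    $prenom     = mb_convert_encoding($info[$i]["givenname"][0], 'ISO-8859-1', 'UTF-8');
    $messagerie = mb_convert_encoding($info[$i]["mail"][0], 'ISO-8859-1', 'UTF-8');

    // Display information about LDAP users
    echo $nomcomplet." (".$fonction.") - Login : ".$loginuser." - Matricule : ".$matricule." - email : ".$messagerie."<br>";
}

ldap_close($ldapconn); // Closing the LDAP connection
?>
```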

chlarsen commented on July 20, 2024

Excellent little piece of software, small footprint, great stuff - provides freedom from Trello :-).
However, I have a few issues with the LDAP login, which is really great to have. I am running OpenLDAP 2.4 on my FreeBSD server and use the email address defined in the OpenLDAP directory as user-friendly user"name". Currently, this does not go well with the simple definition of username in the kanboard config file. Ideally, the config file could let me define, which LDAP (unique) attribute is going to be used as username, giving a range of the cn, uid and mail attributes, for instance.
This would also involve a softening of the username restriction demanding alphanumeric characters, only, once I am logged in and want to change user details.
Finally, I have my users sorted into LDAP groups that correspond to the applications users are allowed to login to. Hence, a filter field would be great to have - very much as seen in all those LDAP-enabled management applications (Redmine, dotProject, ...).
Thoughts? Thanks a million, and let me know whether this is useful food for thought.
Chris

fguillot commented on July 20, 2024

The LDAP connection will be improved later to be more flexible. Just be patient :)

chlarsen commented on July 20, 2024

Terrific, thank you so much Frédéric!
Best regards from Jamaica,
Chris

ciroiriarte commented on July 20, 2024

Hi! Would it be possible to enable Apache2-based external authentication? We already have Apache+Kerberos integrated and we cannot request a user for each web application.

TheRojam commented on July 20, 2024

My GitHub OAuth doesn't work. What is the correct link to implement in the login page to use my GitHub account?

moraxy commented on July 20, 2024

Turning it on in your config.php should be enough for the link to appear. How far did you get in http://kanboard.net/documentation/github-authentication?
Any error messages?

fguillot commented on July 20, 2024

The LDAP support has been improved since the creation of this ticket. There is now a specific user for authentication (proxy user) and the full name and the email address are fetched automatically at user creation (see the doc for more details).

Please open a separate ticket for different issues, thanks.

chlarsen commented on July 20, 2024

Dear Frédéric,
Well noted and responded earlier. Things work perfectly well. A huge
thank you!
Have a brilliant weekend,
Chris

getsomebread commented on July 20, 2024

In the development version I downloaded today, I can only get AD/LDAP authentication to work if I put a plain-text password into config.php (LDAP_USER_PASSWORD). Could we please get back the previous functionality where this wasn't required? I notice the LDAP_USER_DN attribute is no longer used, which seemed to allow this? While I understand the underlying LDAP code is improved, for me as an end-user, this is a major step backwards. Is there a new way I can achieve AD/LDAP auth without a proxy user and clear-text password?

getsomebread commented on July 20, 2024

It is typically difficult in corporate environments to obtain an AD proxy user, and if one is requested and received, oftentimes the password must be changed every 90 days making it intolerable to maintain. I have LDAP users configured in my kanboard, and am unable to upgrade due to this problem. Changing the users from LDAP to kanboard-only users is not possible, so I'm really stuck now. Help!

fguillot commented on July 20, 2024

@ryebread157 Hi buddy, I just improved again the LDAP auth, this time I hope to satisfy everybody.

Now you've got 3 different ways to bind to the LDAP server: "anonymous", "proxy user" and "user". If you don't want a proxy user and a clear password use the last method "user" for ActiveDirectory. There are 2 examples in the documentation: https://github.com/fguillot/kanboard/blob/master/docs/ldap-authentication.markdown

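The three bind types named above, combined with the configurable login attribute and group filter asked for earlier in the thread, as an added PHP example that is not Kanboard's code. The option names in `$cfg`, the DN-template form of the "user" pattern and the use of `memberOf` are assumptions.

```php
<?php
// Added example, not Kanboard's code; every option name in $cfg is hypothetical.
// Needs PHP's ldap extension. The demo at the bottom contacts no server.

// Identity for the first bind; [null, null] means an anonymous bind.
function firstBind(array $cfg, string $login, string $password): array
{
    // A simple bind with an empty password is an unauthenticated bind that
    // many servers accept, so refuse it before touching the directory.
    if ($login === '' || $password === '') {
        throw new InvalidArgumentException('empty login or password');
    }
    switch ($cfg['bind_type']) {
        case 'anonymous': return [null, null];
        case 'proxy':     return [$cfg['proxy_dn'], $cfg['proxy_password']];
        case 'user':      // bind as the person logging in (DN template assumed)
            $rdn = ldap_escape($login, '', LDAP_ESCAPE_DN);
            return [sprintf($cfg['user_dn_pattern'], $rdn), $password];
    }
    throw new InvalidArgumentException('unknown bind type');
}

// Filter on a configurable login attribute, optionally limited to one group.
// memberOf is assumed to exist (AD, or OpenLDAP with the memberof overlay).
function userFilter(array $cfg, string $login): string
{
    $f = sprintf('(%s=%s)', $cfg['login_attribute'], ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    if (!empty($cfg['group_dn'])) {
        $g = ldap_escape($cfg['group_dn'], '', LDAP_ESCAPE_FILTER);
        $f = "(&{$f}(memberOf={$g}))";
    }
    return $f;
}

// Search-then-bind on an open connection ($conn comes from ldap_connect()).
function authenticate($conn, array $cfg, string $login, string $password): bool
{
    [$dn, $pw] = firstBind($cfg, $login, $password);
    if (!@ldap_bind($conn, $dn, $pw)) return false;
    // ldap_search() covers the whole subtree under base_dn, sub-OUs included.
    $sr = ldap_search($conn, $cfg['base_dn'], userFilter($cfg, $login), ['mail']);
    $e  = $sr ? ldap_get_entries($conn, $sr) : ['count' => 0];
    if ($e['count'] !== 1) return false;              // none, or ambiguous
    return @ldap_bind($conn, $e[0]['dn'], $password); // the password check
}

// Constructed inputs: plain login, e-mail login, filter metacharacters.
$cfg = ['login_attribute' => 'mail', 'group_dn' => 'cn=kanboard,o=example'];
foreach (['jdoe', 'jdoe@example.org', 'j*doe (test)'] as $l) echo userFilter($cfg, $l), "\n";
```

With `bind_type` set to `user`, the first bind already verifies the person's own password, so no service-account password has to be stored in the configuration file.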

getsomebread commented on July 20, 2024

I've been meaning to say THANKS. I tested this out successfully the day you
sent the update out and have been using it happily since then. I really
appreciate the understanding and quick response!

On Tue, Aug 19, 2014 at 6:35 PM, Frédéric Guillot wrote:

> @ryebread157 Hi buddy, I just improved again the LDAP auth, this time I hope to satisfy everybody.
>
> Now you got 3 different ways to bind to the LDAP server: "anonymous", "proxy user" and "user". If you don't want a proxy user and a clear password use the last method "user" for ActiveDirectory. There is 2 examples in the documentation https://github.com/fguillot/kanboard/blob/master/docs/ldap-authentication.markdown

Ryan C. Anderson

basti122303 commented on July 20, 2024

Hello,
I have an OpenLDAP with Samba support.
Is there a way to use the "sambaNTPassword" attribute as password to authenticate?
I have also found this: http://www.jotschi.de/Uncategorized/2010/08/10/howto-generate-sambantpassword-ldap-attribute.html

Thanks a lot.

poVoq commented on July 20, 2024

Seems like embedding Kanboard into Owncloud is pretty popular, but not everyone wants to set up an external authentication service.
I think this gives some idea how Kanboard could authenticate against Owncloud:
https://doc.owncloud.org/server/8.1/developer_manual/core/externalapi.html
(as it follows the OCS standard, it might work with other websites also in the future).
