Integrate an LDAP account database with Taiga

At first look, your configuration looks fine. I sadly also don’t know how to get more logs.

Have you tried installing ldap-utils (assuming you run Debian; on other distributions the package might be named differently) and using ldapsearch to perform the LDAP connection manually? The command should probably look something like this:

ldapsearch -H ldaps://s4dc.int.lab-dev.loc -x -D 'CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev,DC=loc' -W -b 'DC=int,DC=lab-dev,DC=loc'

If that works, try also applying the filter:

ldapsearch -H ldaps://s4dc.int.lab-dev.loc -x -D 'CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev,DC=loc' -W -b 'DC=int,DC=lab-dev,DC=loc' '(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=G_TAIGA_ADMIN,OU=GitLab,OU=vGroups,DC=int,DC=lab-dev,DC=loc)(memberOf=CN=G_TAIGA_USER_ALL,OU=GitLab,OU=vGroups,DC=int,DC=lab-dev,DC=loc)))'

My apologies for the pretty generic debugging attempt, but if both these commands return some users, we can at least eliminate connection issues (e.g. an overzealous firewall), and other LDAP server configuration problems.

Sure, both commands return results.

ldapsearch -H ldaps://s4dc.int.lab-dev.loc -x -D 'CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev,DC=loc' -W -b 'DC=int,DC=lab-dev,DC=loc'

returns a long list, so just start and end:

# extended LDIF
#
# LDAPv3
# base <DC=int,DC=lab-dev,DC=loc> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap taigadevman, TechUser, vUser, int.lab-dev.loc
dn: CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev,DC=loc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ldap taigadevman
sn: taigadevman
givenName: ldap
instanceType: 4
whenCreated: 20230413154302.0Z
displayName: ldap taigadevman
uSNCreated: 1536791
name: ldap taigadevman
objectGUID:: uRD5m8oP+Ey1Imyd+6WOIg==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA44nDdvVkonJSeYvORwgAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ldaptaigadevman
sAMAccountType: 805306368
userPrincipalName: ldaptaigadevman@int.lab-dev.loc
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=int,DC=lab-dev,DC=loc
userAccountControl: 66048
pwdLastSet: 133258742445332160
lockoutTime: 0
lastLogonTimestamp: 133258986491385590
whenChanged: 20230413223049.0Z
uSNChanged: 1541144
distinguishedName: CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev
 ,DC=loc

...

# search reference
ref: ldaps://int.lab-dev.loc/CN=Configuration,DC=int,DC=lab-dev,DC=loc

# search reference
ref: ldaps://int.lab-dev.loc/DC=DomainDnsZones,DC=int,DC=lab-dev,DC=loc

# search reference
ref: ldaps://int.lab-dev.loc/DC=ForestDnsZones,DC=int,DC=lab-dev,DC=loc

# search result
search: 2
result: 0 Success

# numResponses: 526
# numEntries: 522
# numReferences: 3

and

ldapsearch -H ldaps://s4dc.int.lab-dev.loc -x -D 'CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev,DC=loc' -W -b 'DC=int,DC=lab-dev,DC=loc' '(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=G_TAIGA_ADMIN,OU=GitLab,OU=vGroups,DC=int,DC=lab-dev,DC=loc)(memberOf=CN=G_TAIGA_USER_ALL,OU=GitLab,OU=vGroups,DC=int,DC=lab-dev,DC=loc)))'

returns

# extended LDIF
#
# LDAPv3
# base <DC=int,DC=lab-dev,DC=loc> with scope subtree
# filter: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=G_TAIGA_ADMIN,OU=GitLab,OU=vGroups,DC=int,DC=lab-dev,DC=loc)(memberOf=CN=G_TAIGA_USER_ALL,OU=GitLab,OU=vGroups,DC=int,DC=lab-dev,DC=loc)))
# requesting: ALL
#

# search reference
ref: ldaps://int.lab-dev.loc/CN=Configuration,DC=int,DC=lab-dev,DC=loc

# search reference
ref: ldaps://int.lab-dev.loc/DC=DomainDnsZones,DC=int,DC=lab-dev,DC=loc

# search reference
ref: ldaps://int.lab-dev.loc/DC=ForestDnsZones,DC=int,DC=lab-dev,DC=loc

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

If I interpret the second response correctly, your filter is not returning any accounts. This might be the reason why Taiga does not accept any login.

Have you tried adjusting the filter? I have no experience with Active Directory (I believe this is what you’re using, correct?), but is (objectCategory=Person) a valid filter or does it have to be (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=int,DC=lab-dev,DC=loc)?

It’s a Samba server acting as an Active Directory controller. We use it successfully with other applications as well; the filters have been derived from these other applications.

Both groups were empty and I had an error in the search string. I fixed both, the search returns users now, but it still does not allow a login to Taiga and unfortunately still no logs.

# extended LDIF
#
# LDAPv3
# base <DC=int,DC=lab-dev,DC=loc> with scope subtree
# filter: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=G_TAIGA_ADMIN,OU=Taiga,OU=vGroups,DC=int,DC=lab-dev,DC=loc)(memberOf=CN=G_TAIGA_USER_ALL,OU=Taiga,OU=vGroups,DC=int,DC=lab-dev,DC=loc)))
# requesting: ALL
#

# Test Admin User, AktiveIntern, vUser, int.lab-dev.loc
dn: CN=Test Admin User,OU=AktiveIntern,OU=vUser,DC=int,DC=lab-dev,DC=loc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test Admin User
sn: Admin
givenName: Test
instanceType: 4
whenCreated: 20160501183837.0Z
displayName: Test Admin User
uSNCreated: 4081
name: Test Admin User
objectGUID:: zxa7t59fBkCpPhitvku4Fw==
codePage: 0
countryCode: 0
lastLogoff: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA44nDdvVkonJSeYvOVgQAAA==
accountExpires: 9223372036854775807
sAMAccountName: test-admin
sAMAccountType: 805306368
userPrincipalName: test-admin@int.lab-dev.loc
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=int,DC=lab-dev,DC=loc
pwdLastSet: 131066015190000000
userAccountControl: 66048
initials: TA
mail: test.admin@lab-dev.loc
memberOf: CN=Domain Admins,CN=Users,DC=int,DC=lab-dev,DC=loc
memberOf: CN=Enterprise Admins,CN=Users,DC=int,DC=lab-dev,DC=loc
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=int,DC=lab-dev,DC=loc
memberOf: CN=Schema Admins,CN=Users,DC=int,DC=lab-dev,DC=loc
memberOf: CN=G_TAIGA_ADMIN,OU=Taiga,OU=vGroups,DC=int,DC=lab-dev,DC=loc
memberOf: CN=G_TAIGA_USER_ALL,OU=Taiga,OU=vGroups,DC=int,DC=lab-dev,DC=loc
memberOf:: Q049R2VzY2jDpGZ0c2bDvGhydW5nLE9VPXZHcm91cHMsREM9aW50LERDPXZlcnR1cml

...

lastLogon: 133256281119488500
logonCount: 11981
lastLogonTimestamp: 133256281119488500
whenChanged: 20230410192151.0Z
uSNChanged: 1526948
distinguishedName:: Q049UmFtcGVyIEvDvG5zY2hlcixPVT1Ba3RpdmVJbnRlcm4sT1U9dlVzZX
 IsREM9aW50LERDPXZlcnR1cmlzLERDPWRl

# search reference
ref: ldaps://int.lab-dev.loc/CN=Configuration,DC=int,DC=lab-dev,DC=loc

# search reference
ref: ldaps://int.lab-dev.loc/DC=DomainDnsZones,DC=int,DC=lab-dev,DC=loc

# search reference
ref: ldaps://int.lab-dev.loc/DC=ForestDnsZones,DC=int,DC=lab-dev,DC=loc

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 3
# numReferences: 3
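
As an added example (my own code, not the plugin's and not posted by anyone in this thread): a small Python evaluator for LDAP search filters, run against two entries constructed from the redacted ldapsearch output above. It reproduces why the first filter (groups under OU=GitLab) matched nothing while the corrected one (OU=Taiga) matches the test admin, models the bare objectCategory class name that AD and Samba accept, and adds RFC 4515 escaping for the login name that ends up in the username part of the filter. `login_filter` is a hypothetical helper; how the plugin actually assembles its filter was not checked.

```python
"""Toy LDAP filter evaluator (added example; not the Taiga plugin's code)."""
import re
from typing import Dict, List, Tuple, Union

Entry = Dict[str, List[str]]
Node = Union[Tuple[str, list], Tuple[str, str, str]]

# Constructed sample directory, modelled on the (redacted) ldapsearch output in this thread.
ENTRIES: List[Entry] = [
    {
        "dn": ["CN=Test Admin User,OU=AktiveIntern,OU=vUser,DC=int,DC=lab-dev,DC=loc"],
        "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=int,DC=lab-dev,DC=loc"],
        "sAMAccountName": ["test-admin"],
        "memberOf": [
            "CN=Domain Admins,CN=Users,DC=int,DC=lab-dev,DC=loc",
            "CN=G_TAIGA_ADMIN,OU=Taiga,OU=vGroups,DC=int,DC=lab-dev,DC=loc",
            "CN=G_TAIGA_USER_ALL,OU=Taiga,OU=vGroups,DC=int,DC=lab-dev,DC=loc",
        ],
    },
    {
        "dn": ["CN=ldap taigadevman,OU=TechUser,OU=vUser,DC=int,DC=lab-dev,DC=loc"],
        "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=int,DC=lab-dev,DC=loc"],
        "sAMAccountName": ["ldaptaigadevman"],
        "memberOf": [],  # the bind account is in neither Taiga group
    },
]

GROUPS = ("(|(memberOf=CN=G_TAIGA_ADMIN,OU={ou},OU=vGroups,DC=int,DC=lab-dev,DC=loc)"
          "(memberOf=CN=G_TAIGA_USER_ALL,OU={ou},OU=vGroups,DC=int,DC=lab-dev,DC=loc))")
FILTER_GITLAB = "(&(objectCategory=Person)(sAMAccountName=*)" + GROUPS.format(ou="GitLab") + ")"
FILTER_TAIGA = "(&(objectCategory=Person)(sAMAccountName=*)" + GROUPS.format(ou="Taiga") + ")"


def parse_filter(text: str) -> Node:
    """Parse an RFC 4515 filter supporting &, |, !, equality, presence and substring items."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _parse(s: str, i: int) -> Tuple[int, Node]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # compound filter: operator followed by sub-filters
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, (op, children)
    close = s.index(")", i)                # a literal ')' inside a value must be escaped as \29
    attr, sep, value = s[i:close].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {s[i:close]!r}")
    return close + 1, ("=", attr, value)


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into characters (ASCII only, enough for this demo)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _values_match(attr: str, have: str, want: str) -> bool:
    """Case-insensitive compare; objectCategory also accepts the bare class name, as AD does."""
    h, w = have.lower(), want.lower()
    return h == w or (attr.lower() == "objectcategory" and h.startswith(f"cn={w},"))


def _item_matches(attr: str, pattern: str, entry: Entry) -> bool:
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if pattern == "*":                     # presence test
        return bool(values)
    if "*" in pattern:                     # substring test: the literal pieces are regex-escaped
        regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
        return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)
    return any(_values_match(attr, v, _unescape(pattern)) for v in values)


def evaluate(node: Node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    return _item_matches(node[1], node[2], entry)


def search(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the DNs of the entries the filter matches (what ldapsearch would print)."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if evaluate(node, e)]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter (backslash must go first)."""
    for ch, repl in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, repl)
    return value


def login_filter(username: str, escape: bool = True) -> str:
    """Hypothetical: the thread's group filter combined with the name typed into Taiga's login form."""
    name = escape_filter_value(username) if escape else username
    return "(&(objectCategory=Person)(sAMAccountName=" + name + ")" + GROUPS.format(ou="Taiga") + ")"


if __name__ == "__main__":
    for label, flt in (("OU=GitLab", FILTER_GITLAB), ("OU=Taiga", FILTER_TAIGA)):
        print(f"{label}: {search(flt, ENTRIES)}")
    print("login name '*' (escaped):", search(login_filter("*"), ENTRIES))
    print("login name '*' (unescaped):", search(login_filter("*", escape=False), ENTRIES))
```

The last two lines of the demo show why escaping matters: with the login name escaped, a name of `*` matches no account; without escaping it turns into a presence test and matches every account the group filter lets through.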

I just checked my logs and it seems there simply aren’t any entries related to LDAP. Probably one should patch the original plugin and add some logging statements (you could also do so yourself for testing by forking it, adding log statements and then installing your fork from Git).

Just to make sure: Have you restarted the Taiga application completely after making the changes to the filter? Only yesterday I also had an issue with LDAP login on an otherwise working instance, which was fixed by just restarting Taiga (in my case, the Docker containers).

Yes, I rebooted the system before each test.

Next I have to figure out how to add logging.

Hi

How are you all team?

Our LDAP integration has been working great for the last 6 months.

I have a question: we have a web link to reset the LDAP password. On the Taiga login page there is an option to click on “Forgot”. Can I set my web link to this forgot option? If not, is there an option to hide this forgot option?

The hacky solution I’m currently thinking of:

The taiga-docker setup uses an Nginx reverse proxy (taiga-gateway) that handles all the HTTP requests. You could probably configure Nginx to redirect /forgot-password to the link to reset the LDAP password.

Untested setup instructions

  1. I assume you have the taiga-docker repository cloned somewhere on the server you’re hosting Taiga on.

  2. Edit the file taiga-gateway/taiga.conf in that repository: Insert the following things above # Frontend:

    location /forgot-password {
        # permanent redirect to the external password reset page; note the trailing semicolon
        return 301 https://example.com/wherever-your-password-reset-page-is;
    }

  3. Replace https://example.com/wherever-your-password-reset-page-is with the URL of the password reset page you want to use

  4. Use docker compose down; docker compose up -d to restart

I haven’t tested the instructions, but this is what I’d try.


Thank you, I will try this and update you! We are using nginx, but not dockerized, but I think it is a very good trick and should work.


There is no “easy” way that does not involve a rebuild of the code of the frontend and a rebuild of the customized taiga-front docker image.

Using the taiga-gateway, or an external nginx, to do the “magic” seems the most straightforward solution.

The above technique worked; now forgot password redirects to our required page! Thanks


Hi dear @TuringTux

I have recently installed the updated Taiga version 6.7. The LDAP plugin is loaded, but I am not able to log in with LDAP credentials. No logs observed. The same plugin is working on our Taiga 6.5.

Can you please advise?

I just checked my instance, I think I am running Taiga 6.7.0 (via Docker).

I have intermittent login problems, which are fixed for a short while if I recreate the containers. I haven’t yet had time to investigate this more closely.

If restarting the entire instance fixes login for you, we might have the same problem.

Good day, can I ask you for help in solving the integration of Ldap and taiga? I looked through your instructions, but unfortunately I did not achieve success

Hello!

Sure, I can try to help you to the extent I’m capable.

What exactly have you done? Which commands did you execute? Do you have a link to the guide you followed?

Are there any error messages or logs you can share?

Hi bro,

I have restarted the VPS, but it does not solve my problem. No LDAP-related logs are being generated.

LDAP Configuration in config.py

INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]
LDAP_SERVER = "ldap://sso.mydomain.com"
LDAP_PORT = 389
LDAP_BIND_DN = "CN=admin,DC=mydomain,DC=com"
LDAP_BIND_PASSWORD = "password"
LDAP_SEARCH_BASE = 'OU=people,DC=mydomain,DC=com'
LDAP_USERNAME_ATTRIBUTE = "uid"
LDAP_EMAIL_ATTRIBUTE = "mail"
LDAP_FULL_NAME_ATTRIBUTE = "cn"
LDAP_SAVE_LOGIN_PASSWORD = False
LDAP_MAP_USERNAME_TO_UID = None
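
As an added example (my own code, not the plugin's and not from this thread): a few sanity checks over settings like the ones in the post above, using the posted values as constructed input. The finding a practitioner would raise first is ldap:// on port 389 without StartTLS: the bind password and every user's login password then cross the network unencrypted. `LDAP_START_TLS` is assumed here to be the plugin's setting name for StartTLS; check the plugin README before relying on it.

```python
"""Sanity checks for taiga-contrib-ldap-auth-ext settings (added example, not plugin code)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# One RDN per component (attribute=value, no empty values); enough for the DNs in this thread.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

# Constructed from the settings posted above. LDAP_START_TLS is an assumed setting name.
SETTINGS: Dict = {
    "LDAP_SERVER": "ldap://sso.mydomain.com",
    "LDAP_PORT": 389,
    "LDAP_BIND_DN": "CN=admin,DC=mydomain,DC=com",
    "LDAP_BIND_PASSWORD": "password",
    "LDAP_SEARCH_BASE": "OU=people,DC=mydomain,DC=com",
    "LDAP_USERNAME_ATTRIBUTE": "uid",
    "LDAP_START_TLS": False,
}


def domain_components(dn: str) -> List[str]:
    """The DC=... RDNs of a DN, lower-cased, in order."""
    return [r.strip().lower() for r in dn.split(",") if r.strip().lower().startswith("dc=")]


def check_ldap_settings(s: Dict) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing obviously wrong."""
    findings: List[Tuple[str, str]] = []
    url = urlsplit(s.get("LDAP_SERVER", ""))
    port = s.get("LDAP_PORT")
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append(("server-url", "LDAP_SERVER must look like ldap://host or ldaps://host"))
    elif url.port is not None and port is not None and url.port != port:
        findings.append(("port-conflict", "the port in LDAP_SERVER differs from LDAP_PORT"))
    elif (url.scheme, port) in (("ldap", 636), ("ldaps", 389)):
        findings.append(("port-mismatch", f"{url.scheme}:// is not normally served on port {port}"))
    if url.scheme == "ldap" and not s.get("LDAP_START_TLS"):
        findings.append(("cleartext", "bind and user passwords are sent unencrypted; use ldaps:// or StartTLS"))
    for key in ("LDAP_BIND_DN", "LDAP_SEARCH_BASE"):
        if not DN_RE.match(s.get(key, "")):
            findings.append(("bad-dn", f"{key} is not a well-formed DN"))
    if not s.get("LDAP_BIND_PASSWORD"):
        findings.append(("anonymous-bind", "empty LDAP_BIND_PASSWORD means an unauthenticated bind"))
    if domain_components(s.get("LDAP_BIND_DN", "")) != domain_components(s.get("LDAP_SEARCH_BASE", "")):
        findings.append(("domain-mismatch", "LDAP_BIND_DN and LDAP_SEARCH_BASE are in different domains"))
    if not s.get("LDAP_USERNAME_ATTRIBUTE"):
        findings.append(("no-username-attr", "LDAP_USERNAME_ATTRIBUTE is empty"))
    return findings


def codes(s: Dict) -> List[str]:
    """Just the finding codes, convenient for scripting."""
    return [code for code, _ in check_ldap_settings(s)]


def hardened(s: Dict) -> Dict:
    """The same settings moved to LDAPS on 636 (assumes the directory server offers it)."""
    return {**s, "LDAP_SERVER": s["LDAP_SERVER"].replace("ldap://", "ldaps://", 1), "LDAP_PORT": 636}


if __name__ == "__main__":
    for code, msg in check_ldap_settings(SETTINGS):
        print(f"[{code}] {msg}")
    print("after moving to ldaps://636:", check_ldap_settings(hardened(SETTINGS)))
```

Run against the posted values the only finding is the cleartext one; switching the same settings to ldaps:// on 636 clears it, and a malformed search base (say a bare `people`) is reported both as a bad DN and as a domain mismatch against the bind DN.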

Hi Turing
I have deployed the latest Taiga on my server. I also want to set up the LDAP plugin on it; I have followed the same procedure as above, but no success.

Hi @Anzal_Ahmed,

what exactly did you do? Can I see your configuration files, maybe log files or a screenshot of the error message?

I haven’t yet come around to adding more logging (cc @Zohaib09, I haven’t forgotten about your problem), so I’m afraid I’ll probably have to stick to poking into the dark, sorry.

Kind regards
TuringTux

sure @TuringTux
Firstly I executed

source venv/bin/activate (using taiga user)

then I run
pip install git+https://github.com/TuringTux/taiga-contrib-ldap-auth-ext-2.git

Here is my config.py
INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]
LDAP_SERVER = "ldap://LDAP_SERVER_IP"
LDAP_PORT = LDAP_PORT_NUMBER
LDAP_BIND_DN = "CN=admin,DC=mydomain,DC=tech"
LDAP_BIND_PASSWORD = "my_LDAP_PASSWORD"
LDAP_SEARCH_BASE = 'OU=people,DC=mydomain,DC=tech'
LDAP_USERNAME_ATTRIBUTE = "uid"
LDAP_EMAIL_ATTRIBUTE = "mail"
LDAP_FULL_NAME_ATTRIBUTE = "cn"
LDAP_SAVE_LOGIN_PASSWORD = False
LDAP_MAP_USERNAME_TO_UID = None

after that
sudo systemctl restart taiga
No progress!

Hi @Anzal_Ahmed,

your backend config looks fine (although you can also just use pip install taiga-contrib-ldap-auth-ext to install the package).

Have you adjusted the frontend configuration (see https://github.com/Monogramm/taiga-contrib-ldap-auth-ext/blob/master/README.md#taiga-front-1)?

If not, that might be the reason why it doesn’t work.

Kind regards
TuringTux