User Authentication


mrstarke

Dec 23, 2009, 6:50:46 AM
to EtherPad Open Source Discussion
Does anyone know if Etherpad supports authentication via LDAP, AD,
domains, or some other authentication method other than the users
table in MySQL?

It would be nice if there was this option to not have to recreate all
the users in etherpad.

John McLear

Dec 23, 2009, 9:11:49 AM
to etherpad-open-...@googlegroups.com
I am not familiar with a way to support this, however there are Java libraries available for LDAP auth.

I imagine you won't be the first. I want to bring Shibboleth authentication into the mix too and I'm familiar with doing this on IIS/Apache but not directly in Java.

If someone can document an LDAP configuration then that would be extremely useful for me and I would be grateful.

Elliot Kroo

Dec 24, 2009, 2:32:00 PM
to etherpad-open-...@googlegroups.com, etherpad-open-...@googlegroups.com
At etherpad we had support for LDAP and SSO in a branch of the code that never quite got merged into the open-sourced branch... I'll look into submitting a patch in the next few days. 

--
Elliot

Elliot Kroo

Dec 29, 2009, 1:46:41 AM
to etherpad-open-...@googlegroups.com
I haven't quite gotten a chance to set the open-source version of
etherpad up on my box completely, but I've thrown together the changes
from the ldap branch as they apply to the open-source version...

My patch as it stands is located at
https://gist.github.com/10061b4b213619816db5 -- feel free to try it
out, though it likely has some silly mistakes from merging right now.
I'll likely have time to test it out myself in the next week or so.

--
Elliot

Elliot Kroo

Dec 29, 2009, 1:56:28 AM
to etherpad-open-...@googlegroups.com
I should mention that there is actually a fair bit of documentation
that was put together for the features enabled by this patch.
Attached is a draft of that documentation.

--
Elliot

users-guide.mdown

John McLear

Dec 29, 2009, 10:08:42 AM
to etherpad-open-...@googlegroups.com
Elliot, did any of the branches include Shibboleth (SSO) authentication?

Elliot Kroo

Dec 29, 2009, 3:09:18 PM
to etherpad-open-source-discuss
Hey John --
While there isn't specific support for shibboleth in the patch I
introduced (nor specifically in the etherpad codebase at all), it
provides a general mechanism for SSO through an external script.
Check out the "SSO" section in the users guide I attached yesterday.

--
Elliot

John McLear

Dec 29, 2009, 3:09:59 PM
to etherpad-open-...@googlegroups.com
Thanks Elliot

mrstarke

Jan 4, 2010, 9:10:16 AM
to EtherPad Open Source Discussion
Thanks for the patch.

I applied it and it was fine. I noticed an error on the first user login;
this error does not appear later. I reviewed the log and saw that the
error is in the file src/etherpad/pro/pro_accounts.js line 375.
Apparently there is no function getUserByEmail.
"net.appjet.bodylock.JSRuntimeException: Error while executing: ReferenceError:" getUserByEmail "is not defined. (module etherpad/pro/pro_accounts.js # 375)"

I changed this function to getAccountByEmail and the error
disappeared. Is that correct?

Elliot Kroo

Jan 4, 2010, 10:10:03 AM
to etherpad-open-...@googlegroups.com, EtherPad Open Source Discussion
Ahah! Good catch, I missed that. I'll update the patch to reflect
this change.

--
Elliot

Elliot Kroo

Jan 4, 2010, 10:44:24 AM
to etherpad-open-...@googlegroups.com
I updated https://gist.github.com/10061b4b213619816db5 to reflect this
change, as well as the inadvertent renaming of createNewAccount to
createNewUser -- this will have broken various portions of the code
elsewhere.

Attached is the diff between these two revisions of the patch (a
meta-patch, so to speak :) ), just to be completely clear how I
changed this.

--
Elliot

ldap_support_changes.diff

mrstarke

Jan 4, 2010, 11:45:49 AM
to EtherPad Open Source Discussion
Now everything about ldap authentication is ok. Thanks.

Alex.O

Jan 6, 2010, 8:58:31 AM
to EtherPad Open Source Discussion
Hi,

Could you please give a bit more detail regarding the configuration
file?
I've created a new file at /home/etherpad/etherpad/trunk/etherpad/data/ldapConfig.json
and put the following info there (my ldap data):
---------------------
{
"userClass" : "*",
"url" : "ldap://pdc.domain.xx:389",
"principal" : "CN=LDAPAuth,OU=Pseudo Accounts,OU=Managed Objects,DC=domain,DC=xx",
"password" : "password",
"rootPath" : "DC=domain,DC=xx",
"nameAttribute": "cn",
"ldapSuffix" : "@ldap"
}

appjet.config['etherpad.useLdapConfiguration'] = "/home/etherpad/etherpad/trunk/etherpad/data/ldapConfig.json"
---------------------

But I'm not sure that this file must contain the "appjet.config..." line.
If I just uncomment this line in trunk/etherpad/src/etherpad/pro/pro_ldap_support.js
then an "appjet undefined" error appears.

Thanks in advance,
Alexey.

mrstarke

Jan 6, 2010, 12:11:53 PM
to EtherPad Open Source Discussion
You don't need this line (appjet.config['etherpad.useLdapConfiguration'] = "/home/etherpad/etherpad/trunk/etherpad/data/ldapConfig.json").

Here is my config file:

{
"userClass" : "person",
"url" : "ldap://192.168.0.132:389",
"principal" : "ou=corp,dc=example,dc=com",
"password" : "password",
"rootPath" : "dc=example,dc=com",
"nameAttribute": "cn",
"ldapSuffix" : "@example.com"
}

In the file etc/etherpad.localdev-default.properties I added the path to
my ldap configuration file (etherpad.useLdapConfiguration = /home/02600542914/etherpad/ldap.conf).
See the users-guide.mdown sent earlier by Elliot.

Alex.O

Jan 9, 2010, 6:01:46 AM
to EtherPad Open Source Discussion
Hi Elliot, mrstarke,

I can't apply the patch to the latest version of etherpad source code.
Maybe I need to download another version?
Could you please help me to resolve the issue?

============================================================
============================================================
nadmin@nimserver:/var/www/etherpad$ sudo patch < p1
can't find file to patch at input line 4
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r 78a2f7962089 trunk/etherpad/src/etherpad/pro/pro_accounts.js
|--- a/trunk/etherpad/src/etherpad/pro/pro_accounts.js Tue Dec 22
14:51:36 2009 -0500
|+++ b/trunk/etherpad/src/etherpad/pro/pro_accounts.js Mon Jan 04
07:34:56 2010 -0800
--------------------------
File to patch: trunk/etherpad/src/etherpad/pro/pro_accounts.js
patching file trunk/etherpad/src/etherpad/pro/pro_accounts.js
Hunk #2 FAILED at 86.
1 out of 5 hunks FAILED -- saving rejects to file trunk/etherpad/src/
etherpad/pro/pro_accounts.js.rej
nadmin@nimserver:/var/www/etherpad$ cat trunk/etherpad/src/etherpad/
pro/pro_accounts.js.rej
***************
*** 82,99 ****
}

/* if domainId is null, then use domainId of current request. */
- function createNewAccount(domainId, fullName, email, password,
isAdmin) {
if (!domainId) {
domainId = domains.getRequestDomainId();
}
email = trim(email);
isAdmin = !!isAdmin; // convert to bool

// validation
- var e;
- e = validateEmail(email); if (e) { throw Error(e); }
- e = validateFullName(fullName); if (e) { throw Error(e); }
- e = validatePassword(password); if (e) { throw Error(e); }

// xss normalization
fullName = toHTML(fullName);
--- 86,108 ----
}

/* if domainId is null, then use domainId of current request. */
+ function createNewAccount(domainId, fullName, email, password,
isAdmin, skipValidation) {
if (!domainId) {
domainId = domains.getRequestDomainId();
}
+ if (!skipValidation) {
+ skipValidation = false;
+ }
email = trim(email);
isAdmin = !!isAdmin; // convert to bool

// validation
+ if (!skipValidation) {
+ var e;
+ e = validateEmail(email); if (e) { throw Error(e); }
+ e = validateFullName(fullName); if (e) { throw Error(e); }
+ e = validatePassword(password); if (e) { throw Error(e); }
+ }

// xss normalization
fullName = toHTML(fullName);
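Review bot: the `if (!skipValidation) { skipValidation = false; }` block added after the domainId check is a no-op, since every falsy value already fails the later `if (!skipValidation)` test; `skipValidation = !!skipValidation;` would match the `isAdmin = !!isAdmin;` idiom two lines below and document the intent. The more important review point is that when skipValidation is set the hunk drops validateEmail and validateFullName together with validatePassword, so a caller that sets it for directory-backed accounts is left with toHTML alone to sanitize fullName and nothing at all for email; skipping only the password check (the one that cannot hold for an account with no local password) would keep the other two guards. Note also that with this hunk rejected the other four hunks of this file applied against an unchanged createNewAccount, so until it is re-applied by hand any caller passing the sixth argument still runs validatePassword on whatever password value it supplies.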
============================================================
============================================================

Thanks in advance,
Alex.

mrstarke

Jan 11, 2010, 9:27:42 PM
to EtherPad Open Source Discussion
Here is a step-by-step guide:

1) Download the patch from https://gist.github.com/10061b4b213619816db5
2) hg clone https://etherpad.googlecode.com/hg/ etherpad
3) cd etherpad
4) Unpack the patch ( tar -xvz --strip-components=1 -f ~/Desktop/gist10061b4b213619816db5-e60df95e16c09700b4cf07cd87b9732dd7b15ace.tar.gz )
5) Apply the patch ( patch -p1 < ../ldap_support.patch )

Here it is working without problems.

John McLear

Jan 23, 2010, 10:01:42 AM
to EtherPad Open Source Discussion
I'm going to be doing this today/tomorrow so I will let you know how I
get on.

Elliot Kroo

Jan 23, 2010, 1:55:20 PM
to etherpad-open-source-discuss
All –
Feel free to pull directly from git://github.com/ether/pad.git if
you're having trouble with that patch. On that note, thanks for that
step-by-step guide mrstarke, I just tested it out and it works great for
me.

John – g'luck :)

--
Elliot

John McLear

Feb 2, 2010, 1:08:11 PM
to EtherPad Open Source Discussion
Elliot, mrstarke, I'm obviously missing an obvious step: at what point
should I be prompted for my LDAP credentials?

My guide so far reads:

#Get the patch
lynx https://gist.github.com/10061b4b213619816db5

#Get the etherpad source (warning- may take some time- go make a cuppa tea)

#Go to the etherpad folder
cd etherpad

#Extract the patch
tar -xvz --strip-components=1 -f ../gist10061b4b213619816db5-e60df95e16c09700b4cf07cd87b9732dd7b15ace.tar.gz

#Apply the patch
patch -p1 < ldap_support.patch

#Set your superdomain
nano trunk/etherpad/src/etherpad/globals.js
add yourdomain.whatever to the SUPERDOMAINS

#Edit pro_accounts.js (yes I use nano cause I'm ghetto like that)
nano trunk/etherpad/src/etherpad/pro/pro_accounts.js

#Change directory
cd trunk/etherpad

#Add the useLdapconf to the config
echo "etherpad.useLdapConfiguration = ./etc/json.config" >> etc/etherpad.localdev-default.properties

#Edit json.config
nano etc/json.config

#Paste in:
{
"url" : "ldap://localhost:10389",
"principal" : "uid=admin,ou=system",
"password" : "secret",
"rootPath" : "ou=users,ou=system",
"userClass" : "person",
"nameAttribute" : "displayname",
"ldapSuffix" : "@ldap"
}

#Replacing the above with your settings.

#Build your etherpad
bin/rebuildjar.sh

#Test your etherpad
bin/run-local.sh

#Browse to http://yourdomain.com:9000/
#Browse to http://primarypad2.com:9001/ep/pro-signup/ to sign up

Elliot Kroo

Feb 2, 2010, 5:14:31 PM
to etherpad-open-source-discuss
Hey John,
Authentication happens the normal etherpad PNE route, just with
special 'ldap' email addresses -- as controlled by the ldapSuffix
variable in the config. Try logging in as [LDAPUsername]@ldap, and
with your ldap password. Note that you'll not need to sign up if
you're in the LDAP system already (and signing up will not modify the
LDAP database right now). If you have a user in the LDAP database
already, you should be able to sign in.

--
Elliot

mrstarke

Feb 3, 2010, 11:09:06 AM
to EtherPad Open Source Discussion
Here I changed the ldapSuffix to match with my domain. Now the user
can use his e-mail to login.
I changed the attribute used for login in etherpad/src/etherpad/pro/
pro_ldap_support.js line 217. I use the field "description", because
we have a weird ldap structure, but it is specific to my ldap.

John McLear

Feb 3, 2010, 12:20:41 PM
to EtherPad Open Source Discussion
Quick one, how does the Site address work? Are users prompted to
create their own site address when they log in?

Cheers :)

J

mrstarke

Feb 4, 2010, 6:51:46 AM
to EtherPad Open Source Discussion
What do you mean by "own site address"? I really did not understand.

John McLear

Feb 4, 2010, 9:17:03 AM
to etherpad-open-...@googlegroups.com
Usually when an account is registered the user has XX.YY.ZZ where XX is the first part of the domain, i.e. mysite.etherpad.com (in this case it's mysite).

How is XX assigned when a user is logging in with their LDAP auth? This is usually part of the registration process and, as there is no registration, XX hasn't been assigned. Is it the case that under this auth model there is no XX?

Sorry if my initial request was a tad confusing!

mrstarke

Feb 5, 2010, 7:10:41 AM
to EtherPad Open Source Discussion
In fact, there is a registration. See your pro_accounts table and you
can verify that users were created the same way as from the etherpad admin
page.
A user created from LDAP has a blank password in pro_accounts, so
he can log in only with his LDAP password. The user's domainId field is
set to null, so it uses the domainId of the current request.
See the createNewAccount function in pro_accounts.js and
getRequestDomainRecord in domains.js for more information.

JuDu

Mar 3, 2010, 1:50:59 PM
to etherpad-open-...@googlegroups.com
Ok, I have a problem. (Strange, ain't it?) I can't connect with an LDAP account.

In the pro_ldap_support.js file, in the buildLDAPQuery function, there is a regex that matches /[\w_-]+/. As far as I understand JS regex, it means "I match one or more alphanumeric characters, underscores, or hyphens."

So it bothers me because my email address contains a dot ".", and because \w should already match the "_". Is there a reason for not matching the dot?

I will try to add the "." matching, but if there was a reason, I would appreciate knowing :)

--
Julien Durillon
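
As an added example (not code from Elliot's patch or from the Etherpad code base): Elliot's explanation that the ldapSuffix decides which logins go to the directory, and the /[\w_-]+/ allow-list in buildLDAPQuery that JuDu asks about, together describe how a login name becomes an LDAP search filter, which is what this block does. The function names, the RFC 4515 escaping helper and the widened allow-list are my assumptions; the config keys are the ones from the thread's ldapConfig.json.

```javascript
// Added example, not code from Elliot's patch or from Etherpad itself.
// Assumed: the config keys used in this thread (userClass, nameAttribute,
// ldapSuffix) and a login path where a name ending in ldapSuffix is looked
// up in the directory rather than in pro_accounts.

// Constructed config, matching the shape of ldapConfig.json in the thread.
const ldapConfig = {
  userClass: "person",
  nameAttribute: "cn",
  ldapSuffix: "@ldap",
};

// Allow-list for the part of the login name that reaches the search filter.
// This is the thread's /[\w_-]+/ with "." added and anchored at both ends, so
// the LDAP filter metacharacters ( ) * \ and NUL never get through.
const USERNAME_RE = /^[\w.-]+$/;

// RFC 4515 escaping of a filter value, kept as a second layer in case the
// allow-list above is ever relaxed further.
function escapeLdapFilterValue(value) {
  return value.replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Returns the directory username when loginName carries ldapSuffix, null when
// the name belongs to the normal etherpad account path, and throws when the
// username part fails the allow-list.
function splitLdapLogin(loginName, config) {
  const suffix = config.ldapSuffix;
  if (!loginName.endsWith(suffix)) return null;
  const username = loginName.slice(0, loginName.length - suffix.length);
  if (!USERNAME_RE.test(username)) {
    throw new Error("LDAP username contains characters outside the allow-list");
  }
  return username;
}

// Builds the search filter used to look the user up under rootPath, e.g.
// "(&(objectClass=person)(cn=jdoe))" for "jdoe@ldap".
function buildLdapFilter(loginName, config) {
  const username = splitLdapLogin(loginName, config);
  if (username === null) return null;
  return "(&(objectClass=" + config.userClass + ")(" +
    config.nameAttribute + "=" + escapeLdapFilterValue(username) + "))";
}

// Stand-alone run on two constructed login names: one routed to LDAP, one
// left to the local account table.
console.log(buildLdapFilter("jdoe@ldap", ldapConfig));
console.log(buildLdapFilter("jdoe@example.com", ldapConfig));
```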

JuDu

Mar 3, 2010, 2:02:52 PM
to etherpad-open-...@googlegroups.com
Ok, my bad. I read the code a little more, and I understand now how it works. I was misled by the nameAttribute thing…

I will try again.

--
Judu