I have just started after ages with Kirby 3 and was working for an intranet for tenants of a dormitory. Currently, we are quite advanced and have our own LDAP server with some other services - so everyone is just using one login credential pair and can login everywhere in every service. By not going that much into details - is it possible to let Kirby also handle users via LDAP? So just accepting basically the entered credentials by calling the LDAP server which then verifies or denies the access?
Does someone have experience with LDAP and Kirby?
I don’t, but since release 3.2, you can create your own login view and logic: https://getkirby.com/docs/reference/plugins/extensions/panel-login
@texnixe Thanks for your answer. I will try it out and will see if I can even make a plugin out of it. I am quite new to writing a Kirby plugin, but I guess the guides at the Kirby page will help.
I think an LDAP plugin would be wonderful @creichel! Would be nice if you share it. I don’t have a need for it right now but LDAP is so common that there will be a need by someone else any time.
hey @creichel, did you manage the problem?
Also: If the Kirby-side is the problem, I will be happy to help creating the plugin. I just have no clue about LDAP and what would be needed to send how to where to authenticate XD
I have built some crappy LDAP login code for Kirby 1 or 2, but that was long ago.
Here’s an example that actually doesn’t look too bad: https://samjlevy.com/php-ldap-login/
Thx @lukasbestle, this seems to be a good start, @distantnative?
Would you have an LDAP server to test against?
@demlak I have started to write the plugin but got utterly confused about how and when to connect to the LDAP server. It’s not as easy as REST.
Thus I am replicating the necessary accounts by hand now. These aren’t so many, but it would be more convenient to just press a button to do so…
I would be interested to contribute to this plugin. Is there a Github repo or the like?
I have written similar programs in the past using Perl and have some experience with LDAP.
The main question for me is what the design should look like: Should it be possible to just connect and read the directory for authentication and/or authorization of users or should it be possible to manage users in the directory, which means: write back to it?
Thx for your answers.
i started a private conversation with @distantnative and your contributions should go a long. It’s amazing to see this community wants to hop on!
since i’m not a coder and LDAP is also new for me, i think, it would be best to discuss in here instead of a private chat.
starting a github repo sounds cool =)
@Adspectus My personal opinion: I think writing back would be too complex of a task for now. I imagine a plugin that uses LDAP for authentication. Pure login.
Second thought then would be to:
- either create Kirby users on the fly the first time a new LDAP user logs in
- try out if LDAP could work as a source for virtual user models
But as I mentioned to @demlak: I have no clue about LDAP - I only think that a solid authentication plugin would be cool to have and am willing to throw in my Kirby expertise.
We would certainly need a test LDAP server for developing such a plugin.
Yes, I agree, writing back would raise complexity. Authentication (and maybe authorization by reading group memberships) should not be a problem. However, I do not know if user groups or roles are used by Kirby - that’s your part
I could set up a Directory Server for this purpose, but probably not in the next days.
Kirby has the concept of user roles, not user groups.
after I read this Post I started to write a Plugin on my own.
Have you already started?
I’m new to Kirby and LDAP, but I like the idea so I just went for it.
It can already login with the LDAP-Server, if a user with that email-address exists in Kirby.
Has anyone an idea how to overwrite the method where it gets checked, if a user exists?
I’m working at it to publish my code to you
In the meantime I have set up an LDAP server and fed in some data. I would provide access to this to a group of persons who are willing to contribute. I would suggest that @distantnative create a repo and invite (?) users to contribute, and I will share the LDAP info there. Would that be a reasonable way to start?
I’m done, everything works now! Just need to talk to my boss so I can publish it.
Here you go! have fun, test it, feel free to tell me if sth does not work.
I’m not sure how to get it into the kirby-plugin list, can someone help me here?
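The login-only approach discussed in this thread (hand the entered credentials to the directory and let it accept or deny, with users identified by email address), sketched as an added example; it is not code from the thread or from any poster's plugin, and it leaves the Kirby side out. The server URI, base DN, service account and the use of the `mail` attribute are assumptions.

```php
<?php
declare(strict_types=1);

// All three values are assumed placeholders, not taken from the thread.
const LDAP_URI = 'ldaps://ldap.example.org';          // TLS-protected endpoint
const BASE_DN  = 'ou=people,dc=example,dc=org';
const SVC_DN   = 'cn=kirby-reader,dc=example,dc=org'; // read-only lookup account

/** Build the lookup filter; ldap_escape() prevents filter injection via the email. */
function userFilter(string $email): string
{
    return '(mail=' . ldap_escape($email, '', LDAP_ESCAPE_FILTER) . ')';
}

/** Returns the user's DN when the directory accepts the password, otherwise null. */
function ldapLogin(string $email, string $password, string $svcPassword): ?string
{
    // A simple bind with an empty password is an unauthenticated bind, which
    // many servers report as success. Reject it before contacting the server.
    if ($email === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        // Step 1: bind as the service account and resolve the email to one DN.
        if (!@ldap_bind($conn, SVC_DN, $svcPassword)) {
            return null;
        }
        $result = @ldap_search($conn, BASE_DN, userFilter($email), ['mail'], 0, 2);
        if ($result === false) {
            return null;
        }
        $entries = ldap_get_entries($conn, $result);
        if ($entries === false || $entries['count'] !== 1) {
            return null; // no match or an ambiguous match: deny
        }
        $dn = $entries[0]['dn'];
        // Step 2: re-bind as that DN with the submitted password.
        return @ldap_bind($conn, $dn, $password) ? $dn : null;
    } finally {
        ldap_unbind($conn);
    }
}
```

A caller would treat a non-null return as "credentials verified" and only then map the email to a Kirby user; the failure reason should be logged server-side, not shown to the person logging in.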