Support LDAP authentication for users #20

@kolaente commented on GitHub (Oct 17, 2021):

Hi!

I plan to release a plugin for this, once we have a plugin api.

@kolaente commented on GitHub (Oct 17, 2021): Hi! I plan to release a plugin for this, once we have a plugin api.

GiteaMirror commented

@Typhonragewind commented on GitHub (Dec 13, 2021):

Adding on the LDAP authentication, it would be awesome to have proxy authentication with it (as in once authorized by first service, such as Authelia, the authorization is passed via proxy headers)

@Typhonragewind commented on GitHub (Dec 13, 2021): Adding on the LDAP authentication, it would be awesome to have proxy authentication with it (as in once authorized by first service, such as Authelia, the authorization is passed via proxy headers)

GiteaMirror commented

@kolaente commented on GitHub (Dec 14, 2021):

it would be awesome to have proxy authentication with it

@Typhonragewind Like this PR started adding?

@kolaente commented on GitHub (Dec 14, 2021): > it would be awesome to have proxy authentication with it @Typhonragewind Like [this PR](https://kolaente.dev/vikunja/api/pulls/715) started adding?

GiteaMirror commented

@Typhonragewind commented on GitHub (Dec 14, 2021):

it would be awesome to have proxy authentication with it

@Typhonragewind Like this PR started adding?

Oh, I wasn't aware of it, that's awesome!

@Typhonragewind commented on GitHub (Dec 14, 2021): > > it would be awesome to have proxy authentication with it > > @Typhonragewind Like [this PR](https://kolaente.dev/vikunja/api/pulls/715) started adding? Oh, I wasn't aware of it, that's awesome!

GiteaMirror commented

@sunrez commented on GitHub (Jan 16, 2023):

Just wanted to (respectfully) ask if there's been any progress on LDAP support.

@sunrez commented on GitHub (Jan 16, 2023): Just wanted to (respectfully) ask if there's been any progress on LDAP support.

GiteaMirror commented

@kolaente commented on GitHub (Jan 16, 2023):

No progress yet.

@kolaente commented on GitHub (Jan 16, 2023): No progress yet.

GiteaMirror commented

@uweschmitt commented on GitHub (Feb 20, 2023):

Also would appreciate LDAP support.

@uweschmitt commented on GitHub (Feb 20, 2023): Also would appreciate LDAP support.

GiteaMirror commented

@sunrez commented on GitHub (Nov 11, 2023):

Hi, any feedback on this request? Would make this 100x more useful for any organization >1 person.

@sunrez commented on GitHub (Nov 11, 2023): Hi, any feedback on this request? Would make this 100x more useful for any organization >1 person.

GiteaMirror commented

@kolaente commented on GitHub (Nov 11, 2023):

Does openid work for you?

@kolaente commented on GitHub (Nov 11, 2023): Does openid work for you?

GiteaMirror commented

@sunrez commented on GitHub (Nov 18, 2023):

Hi @kolaente ,

Thanks for the reply. Unfortunately, OpenID does not work. If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important.

I work with organizations that need to self-host applications due to safety / security and they've mostly implemented OpenLDAP, some MSFT ActiveDirectory.

@sunrez commented on GitHub (Nov 18, 2023): Hi @kolaente , Thanks for the reply. Unfortunately, OpenID does not work. If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important. I work with organizations that need to self-host applications due to safety / security and they've mostly implemented OpenLDAP, some MSFT ActiveDirectory.

GiteaMirror commented

@alexanderadam commented on GitHub (Nov 18, 2023):

If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important.

This doesn't make any sense, since LDAP and AD are literally external dependencies.
So would be a server component that speaks OpenID Connect.

And modern self hostable projects like KanIDM or Authentik even support both — for valid reasons like having single session authentication handling.

I work with organizations that need to self-host applications due to safety / security and they've mostly implemented OpenLDAP

All the major players were moving away from OpenLDAP to other solutions in the last years. Most Linux distributors are using 389ds based solutions.
I'm not sure that safety is a concern of theirs if they continue using something that most people are moving away from and if they don't want to setup an OIDC app like Authelia.

@alexanderadam commented on GitHub (Nov 18, 2023): > If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important. This doesn't make any sense, since LDAP and AD are literally external dependencies. So would be a server component that speaks OpenID Connect. And modern self hostable projects like [KanIDM](https://kanidm.github.io/kanidm/stable/prepare_the_server.html) or [Authentik](https://goauthentik.io/) even support both — for valid reasons like having single session authentication handling. > I work with organizations that need to self-host applications due to safety / security and they've mostly implemented OpenLDAP All the major players were moving away from OpenLDAP to other solutions in the last years. Most Linux distributors are using [389ds based solutions](https://en.wikipedia.org/wiki/389_Directory_Server). I'm not sure that safety is a concern of theirs if they continue using something that most people are moving away from and if they don't want to setup an OIDC app like Authelia.

GiteaMirror commented

@sunrez commented on GitHub (Nov 18, 2023):

@alexanderadam :

OpenLDAP and ActiveDirectory can be completely self-hosted, even if you consider them "external". I'm not sure why you believe 'most' Linux distributions are using 389DS also? I think 'FreeIPA' (from RHEL, which uses 389DS, dogtag, etc) is likely more popular but since FreeIPA has to own DNS, administering it can become complicated. Even if 389DS is 'more popular (that's debatable) it's still an LDAP provider, which means LDAP authentication would work with OpenLDAP/FreeIPA(389DS)/AD.

I work with a mix of small to huge companies and while many use providers like Okta for SASS or VPN, LDAP/AD is still there since UNIX group permissions, UIDs, NFS, Samba, etc all benefit from central administration.

@sunrez commented on GitHub (Nov 18, 2023): @alexanderadam : OpenLDAP and ActiveDirectory can be completely self-hosted, even if you consider them "external". I'm not sure why you believe 'most' Linux distributions are using 389DS also? I think 'FreeIPA' (from RHEL, which uses 389DS, dogtag, etc) is likely more popular but since FreeIPA has to own DNS, administering it can become complicated. Even if 389DS is 'more popular (that's debatable) it's still an LDAP provider, which means LDAP authentication would work with OpenLDAP/FreeIPA(389DS)/AD. I work with a mix of small to huge companies and while many use providers like Okta for SASS or VPN, LDAP/AD is still there since UNIX group permissions, UIDs, NFS, Samba, etc all benefit from central administration.

GiteaMirror commented

@alexanderadam commented on GitHub (Nov 18, 2023):

OpenLDAP and ActiveDirectory can be completely self-hosted, even if you consider them "external".

Well, OpenID services can be completely self-hosted too. So if you're not considering self-hosted services external, then I don't understand what you meant by this

Unfortunately, OpenID does not work. If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important.

OpenID servers and LDAP servers can both be self-hosted.
So either you consider both to be external dependencies or not.

If self-hosting another server is an option then you can already use an OpenID Connect server right now. If your customers use LDAP infrastructure, just spin up an Authelia instance and let it point to your LDAP server.

I work with a mix of small to huge companies and while many use providers like Okta for SASS or VPN, LDAP/AD is still there since UNIX group permissions, UIDs, NFS, Samba, etc all benefit from central administration.

Well, OIDC servers also give the benefit of central administration. The projects KanIDM and Authentik, that I mentioned before, even have less fraction in doing so, since they're single simple projects.

Therefore I'm really not sure why you can't simply spin up a simple OpenID Connect server if self-hosting is an option any way.

@alexanderadam commented on GitHub (Nov 18, 2023): > OpenLDAP and ActiveDirectory can be completely self-hosted, even if you consider them "external". Well, OpenID services can be completely self-hosted too. So if you're not considering self-hosted services external, then I don't understand what you meant by this > Unfortunately, OpenID does not work. If one is self-hosting the application with the goal of not having any third-party or external dependencies, LDAP (OpenLDAP or ActiveDirectory) is really important. OpenID servers and LDAP servers can both be self-hosted. So either you consider both to be external dependencies or not. If self-hosting another server is an option then you can already use an OpenID Connect server right now. If your customers use LDAP infrastructure, just [spin up an Authelia instance and let it point to your LDAP server](https://www.authelia.com/configuration/first-factor/ldap/). > I work with a mix of small to huge companies and while many use providers like Okta for SASS or VPN, LDAP/AD is still there since UNIX group permissions, UIDs, NFS, Samba, etc all benefit from central administration. Well, OIDC servers also give the benefit of central administration. The projects [KanIDM](https://kanidm.github.io/kanidm/stable/prepare_the_server.html) and [Authentik](https://goauthentik.io/), that I [mentioned before](https://github.com/go-vikunja/api/issues/9#issuecomment-1817584543), even have less fraction in doing so, since they're single simple projects. Therefore I'm really not sure why you can't simply spin up a simple OpenID Connect server if self-hosting is an option any way.

GiteaMirror commented

@bfd69 commented on GitHub (Feb 13, 2024):

Hello
i think openldap/Ad Support would be greet. from my point of you it would be for populating vikunja.
let me explain : i created a dockered service Vikunja. so far so well everything worked with openid and authelia, and then i created some project we had in our teams with tasks. After that a invited everyone to connect, 30% of them tried. but when they connected they did'nt see their project and abandoned.
if i could propulate vikunja with AD users at least (maybe groups too) i could have assigned beforehand the users to projects.
for example nextcloud works like that.
by the way Vikunja is really great and beautiful, a bit tricky in docker and traefik but great :)

@bfd69 commented on GitHub (Feb 13, 2024): Hello i think openldap/Ad Support would be greet. from my point of you it would be for populating vikunja. let me explain : i created a dockered service Vikunja. so far so well everything worked with openid and authelia, and then i created some project we had in our teams with tasks. After that a invited everyone to connect, 30% of them tried. but when they connected they did'nt see their project and abandoned. if i could propulate vikunja with AD users at least (maybe groups too) i could have assigned beforehand the users to projects. for example nextcloud works like that. by the way Vikunja is really great and beautiful, a bit tricky in docker and traefik but great :)

GiteaMirror commented

2025-11-01 20:44:31 -05:00

@kolaente commented on GitHub (Feb 13, 2024):

There is a PR to add automatic provisioning of teams based on openid claims to Vikunja. Maybe that would help your use case?

@kolaente commented on GitHub (Feb 13, 2024): There is [a PR](https://kolaente.dev/vikunja/vikunja/pulls/1393) to add automatic provisioning of teams based on openid claims to Vikunja. Maybe that would help your use case?

GiteaMirror commented

@bfd69 commented on GitHub (Feb 13, 2024):

i think it will !

@bfd69 commented on GitHub (Feb 13, 2024): i think it will !

GiteaMirror commented

2025-11-01 20:44:31 -05:00

@kolaente commented on GitHub (Jan 28, 2025):

This is now available in unstable: https://vikunja.io/docs/ldap/

@kolaente commented on GitHub (Jan 28, 2025): This is now available in unstable: https://vikunja.io/docs/ldap/

GiteaMirror commented

2025-11-01 20:44:31 -05:00

@ValentinKolb commented on GitHub (Jul 15, 2025):

Is there a planned timeline for when this feature will be included in the official stable release?

@ValentinKolb commented on GitHub (Jul 15, 2025): Is there a planned timeline for when this feature will be included in the official stable release?

GiteaMirror commented

@kolaente commented on GitHub (Jul 15, 2025):

@ValentinKolb there are currently a few things left to do for the stable release. It's done when it's done.

@kolaente commented on GitHub (Jul 15, 2025): @ValentinKolb there are currently a few things left to do for the stable release. It's done when it's done.

GiteaMirror commented

@ValentinKolb commented on GitHub (Jul 15, 2025):

Thanks for the response!

Just to confirm: will LDAP support be included in the next stable release? It's an essential feature for us, and we're really looking forward to using it.

@ValentinKolb commented on GitHub (Jul 15, 2025): Thanks for the response! Just to confirm: will LDAP support be included in the next stable release? It's an essential feature for us, and we're really looking forward to using it.

GiteaMirror commented

@kolaente commented on GitHub (Jul 15, 2025):

Yes, everything that's in the current unstable builds will be included in the next stable release.

@kolaente commented on GitHub (Jul 15, 2025): Yes, everything that's in the current unstable builds will be included in the next stable release.

GiteaMirror commented