TimeTracker/docs/admin/configuration/LDAP_SETUP.md
Dries Peeters e34a668ddc feat(auth): add LDAP directory authentication
Introduce AUTH_METHOD values ldap and all, with LDAP_* environment settings, ldap3-based LDAPService (search, optional groupOfNames checks, user bind, DB sync), and users.auth_provider (local|oidc|ldap) via migration 153_add_user_auth_provider.

Login supports LDAP-only and combined all (local then LDAP where appropriate); OIDC callback sets auth_provider. Forgot/reset/change password flows skip LDAP-managed accounts. Admin System Settings gains a read-only LDAP summary and POST /admin/ldap/test. Production env validation requires core LDAP variables when LDAP is enabled; OIDC registration and docs recognize all.

Documentation: new docs/admin/configuration/LDAP_SETUP.md; updates to OIDC_SETUP, GETTING_STARTED, Docker guides, Render deploy notes, docs README, and CHANGELOG. Tests: tests/test_ldap_auth.py; test_oidc_logout allows auth_method all.
2026-04-27 19:08:08 +02:00

2.3 KiB

LDAP authentication

TimeTracker can authenticate users against an LDAP directory (OpenLDAP-style groupOfNames / member checks). LDAP is optional and is controlled with AUTH_METHOD and the LDAP_* environment variables (see env.example in the repository root for a commented template).

When to use which AUTH_METHOD

| Value | Meaning |
|-------|---------|
| ldap | Directory login only (same username/password form; users are provisioned or synced in the local DB on success). |
| all | Local passwords, OIDC SSO, and LDAP are all available (see OIDC Setup for SSO). Login tries local first for users whose auth_provider is not ldap, then LDAP. |

For LDAP only or combined mode, set the variables documented in env.example under LDAP Authentication. In production, if LDAP is enabled, LDAP_HOST, LDAP_BASE_DN, LDAP_BIND_DN, and LDAP_BIND_PASSWORD are required (startup validation).

Behaviour summary

  • Service account: Binds with LDAP_BIND_DN / LDAP_BIND_PASSWORD, searches for the user in the subtree formed by LDAP_USER_DN prepended to LDAP_BASE_DN, optionally verifies membership in LDAP_REQUIRED_GROUP (matched by cn under LDAP_GROUP_DN), then verifies the supplied password with a second bind as the user.
  • Provisioning: Users are matched primarily by email from LDAP_USER_EMAIL_ATTR. Without an email, login cannot create or link an account.
  • Profile sync: On each successful LDAP login, full_name (from givenName + sn) and admin flag (via LDAP_ADMIN_GROUP and legacy role field) are updated from the directory.
  • Local passwords: LDAP-managed accounts have auth_provider=ldap and cannot use forgot-password, reset-password, or in-app password change flows.
  • Admin UI: Admin → System Settings includes a read-only LDAP summary and Test LDAP Connection (POST /admin/ldap/test) for a non-destructive bind and user count under the configured user subtree.
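The sequence in the behaviour summary (service bind, user search, group check, second bind as the user, provisioning by email, profile sync, and the local-password-flow rule for auth_provider=ldap), written out as an added example. This is not TimeTracker's LDAPService, which uses ldap3 against a real server: the CONFIG values, the in-memory DIRECTORY, the uid attribute used for the username lookup, and the returned account dict are all constructed assumptions for this example. It also shows two checks a practitioner would want on this path: RFC 4515 escaping of the typed username before it goes into the search filter, and rejecting an empty password before the user bind.

```python
import re

# Constructed settings standing in for the LDAP_* environment variables
CONFIG = {
    "LDAP_BASE_DN": "dc=example,dc=org",
    "LDAP_USER_DN": "ou=people",
    "LDAP_GROUP_DN": "ou=groups",
    "LDAP_BIND_DN": "cn=timetracker,ou=services,dc=example,dc=org",
    "LDAP_BIND_PASSWORD": "service-secret",
    "LDAP_USER_EMAIL_ATTR": "mail",
    "LDAP_REQUIRED_GROUP": "timetracker-users",
    "LDAP_ADMIN_GROUP": "timetracker-admins",
}

# Constructed in-memory directory (dn -> attributes), a stand-in for a real OpenLDAP tree
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
DIRECTORY = {
    CONFIG["LDAP_BIND_DN"]: {"userPassword": "service-secret"},
    ALICE: {"uid": "alice", "mail": "alice@example.org", "givenName": "Alice",
            "sn": "Ames", "userPassword": "alice-pw"},
    BOB: {"uid": "bob", "givenName": "Bob", "sn": "Burke",
          "userPassword": "bob-pw"},                       # no mail attribute
    "cn=timetracker-users,ou=groups,dc=example,dc=org": {
        "objectClass": "groupOfNames", "cn": "timetracker-users", "member": [ALICE, BOB]},
    "cn=timetracker-admins,ou=groups,dc=example,dc=org": {
        "objectClass": "groupOfNames", "cn": "timetracker-admins", "member": [ALICE]},
}


def escape_filter(value):
    """RFC 4515 escaping so a typed username cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def bind(dn, password):
    """Simple bind against the fake directory. An empty password never binds here;
    a real server may treat it as an anonymous bind that 'succeeds' (RFC 4513)."""
    entry = DIRECTORY.get(dn)
    return bool(entry and password and entry.get("userPassword") == password)


def search(base, ldap_filter):
    """Tiny evaluator for equality filters '(a=b)' / '(&(a=b)(c=d))' over the subtree at base."""
    clauses = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        if all(_unescape(raw) in _as_list(attrs.get(attr)) for attr, raw in clauses):
            hits.append((dn, attrs))
    return hits


def in_group(user_dn, group_cn):
    """groupOfNames membership check by cn under LDAP_GROUP_DN + LDAP_BASE_DN."""
    base = f"{CONFIG['LDAP_GROUP_DN']},{CONFIG['LDAP_BASE_DN']}"
    flt = (f"(&(objectClass=groupOfNames)(cn={escape_filter(group_cn)})"
           f"(member={escape_filter(user_dn)}))")
    return bool(search(base, flt))


def ldap_login(username, password):
    """The behaviour-summary sequence. Returns (account_dict_or_None, reason)."""
    if not password:
        return None, "empty password rejected"
    if not bind(CONFIG["LDAP_BIND_DN"], CONFIG["LDAP_BIND_PASSWORD"]):
        return None, "service bind failed"
    user_base = f"{CONFIG['LDAP_USER_DN']},{CONFIG['LDAP_BASE_DN']}"
    hits = search(user_base, f"(uid={escape_filter(username)})")
    if len(hits) != 1:                      # zero or ambiguous matches both fail closed
        return None, "user not found"
    user_dn, attrs = hits[0]
    if CONFIG["LDAP_REQUIRED_GROUP"] and not in_group(user_dn, CONFIG["LDAP_REQUIRED_GROUP"]):
        return None, "not in required group"
    if not bind(user_dn, password):         # second bind, as the user, proves the password
        return None, "bad password"
    email = attrs.get(CONFIG["LDAP_USER_EMAIL_ATTR"])
    if not email:                           # nothing to match or link an account on
        return None, "directory entry has no email; cannot provision"
    account = {                             # synced into the local DB on every login
        "email": email,
        "full_name": f"{attrs.get('givenName', '')} {attrs.get('sn', '')}".strip(),
        "is_admin": in_group(user_dn, CONFIG["LDAP_ADMIN_GROUP"]),
        "auth_provider": "ldap",
    }
    return account, "ok"


def may_use_local_password_flows(account):
    """Forgot/reset/change-password are skipped for directory-managed accounts."""
    return account.get("auth_provider") != "ldap"
```

The order matters: the group check runs before the user bind so the service account answers "is this person allowed in at all" without the directory recording a password attempt for out-of-scope users, and an entry without the configured email attribute is refused even with a correct password, because the DB has nothing to match or link on.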

Kiosk mode

Kiosk login continues to use local passwords only; the kiosk form follows the same requires_password rules as the local, both, and all modes. LDAP-only users must have a usable local password to use the kiosk, or they must use the standard web login instead.

Further reading