feat: LDAP improvements (#1487)

* Use Base DN for LDAP and fetch user attrs Requires that a Base DN be set for LDAP Set `full_name` and `email` based on LDAP attributes when creating user * Add support for secure LDAP Allow insecure LDAP connection (disabled by default) Use CA when connecting to secure LDAP server * Added missing quotes to example * Update security.py * Update security.py formatting * Update security.py Switched to f-String formatting * formatting * Update test_security.py Added at attributes for testing * Update test_security.py Modified tests for base DN * Update test_security.py Set proper base DN for testing * Update test_security.py Corrected testing for LDAP * Update test_security.py Defined base_dn * Authenticated user not in base DN Add check for when user can authenticate but is not in base DN * Update test_security.py LDAP user cannot exist as it is searched before it is created and the list returns False Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
2025-07-24 15:49:42 +02:00 · 2022-09-16 12:33:36 +09:00 · 2022-09-16 12:33:36 +09:00 · 11eeab1b51
commit 11eeab1b51
parent 21161321e4
5 changed files with 54 additions and 26 deletions
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@ -61,9 +61,12 @@ Changing the webworker settings may cause unforeseen memory leak issues with Mea

 ### LDAP

-| Variables          | Default | Description                                                                                                        |
-| ------------------ | :-----: | ------------------------------------------------------------------------------------------------------------------ |
-| LDAP_AUTH_ENABLED  |  False  | Authenticate via an external LDAP server in addidion to built-in Mealie auth                                       |
-| LDAP_SERVER_URL    |  None   | LDAP server URL (e.g. ldap://ldap.example.com)                                                                     |
-| LDAP_BIND_TEMPLATE |  None   | Templated DN for users, `{}` will be replaced with the username (e.g. `cn={},dc=example,dc=com`)                   |
-| LDAP_ADMIN_FILTER  |  None   | Optional LDAP filter, which tells Mealie the LDAP user is an admin (e.g. `(memberOf=cn=admins,dc=example,dc=com)`) |
+| Variables           | Default | Description                                                                                                        |
+| ------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------ |
+| LDAP_AUTH_ENABLED   |  False  | Authenticate via an external LDAP server in addidion to built-in Mealie auth                                       |
+| LDAP_SERVER_URL     |  None   | LDAP server URL (e.g. ldap://ldap.example.com)                                                                     |
+| LDAP_TLS_INSECURE   |  False  | Do not verify server certificate when using secure LDAP                                                            |
+| LDAP_TLS_CACERTFILE |  None   | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`)                      |
+| LDAP_BIND_TEMPLATE  |  None   | Templated DN for users, `{}` will be replaced with the username (e.g. `cn={},dc=example,dc=com`, `{}@example.com`) |
+| LDAP_BASE_DN        |  None   | Starting point when searching for users authentication (e.g. `CN=Users,DC=xx,DC=yy,DC=de`)                         | 
+| LDAP_ADMIN_FILTER   |  None   | Optional LDAP filter, which tells Mealie the LDAP user is an admin (e.g. `(memberOf=cn=admins,dc=example,dc=com)`) |