mirror of https://github.com/overleaf/toolkit.git synced 2025-04-19 15:28:06 +02:00
overleaf-toolkit/doc/ldap.md


# LDAP
Overleaf Server Pro can use an LDAP server to manage users. It can also be used with Active Directory systems.
LDAP is configured in the Toolkit via [`variables.env`](./configuration.md).
The `EXTERNAL_AUTH` variable must be set to `ldap`, to enable the LDAP module:
```
EXTERNAL_AUTH=ldap
```
(To preserve backward compatibility with older configuration files, if `EXTERNAL_AUTH` is not set, but `OVERLEAF_LDAP_URL` is set (`SHARELATEX_LDAP_URL` for versions `4.x` and older), then the LDAP module will be activated. We still recommend setting `EXTERNAL_AUTH` explicitly.)
After bootstrapping Server Pro for the first time with LDAP authentication, an existing LDAP user must be given admin permissions by visiting the `/launchpad` page (or [via CLI](https://github.com/overleaf/overleaf/wiki/Creating-and-managing-users#creating-the-first-admin-user), ignoring the password confirmation in this case).
LDAP users will appear in the Overleaf Admin Panel once they log in for the first time with their initial credentials.
The [Developer wiki](https://github.com/overleaf/overleaf/wiki/Server-Pro:-LDAP-Config) contains further documentation on the available Environment Variables and other configuration elements.
## Example
At Overleaf, we test the LDAP integration against a [test openldap server](https://github.com/rroemhild/docker-test-openldap). The following is an example of a working configuration:
```
# added to variables.env
# For versions of Overleaf CE/Server Pro `4.x` and older use the 'SHARELATEX_' prefix instead of 'OVERLEAF_'
EXTERNAL_AUTH=ldap
OVERLEAF_LDAP_URL=ldap://ldap:389
OVERLEAF_LDAP_SEARCH_BASE=ou=people,dc=planetexpress,dc=com
OVERLEAF_LDAP_SEARCH_FILTER=(uid={{username}})
OVERLEAF_LDAP_BIND_DN=cn=admin,dc=planetexpress,dc=com
OVERLEAF_LDAP_BIND_CREDENTIALS=GoodNewsEveryone
OVERLEAF_LDAP_EMAIL_ATT=mail
OVERLEAF_LDAP_NAME_ATT=cn
OVERLEAF_LDAP_LAST_NAME_ATT=sn
OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN=true
```
The `openldap` container needs to run in the same network as the `sharelatex` container (which by default would be `overleaf_default`), so we'll proceed with the following steps:
- Run `docker network create overleaf_default` (this may fail with a `network with name overleaf_default already exists` error, which is fine).
- Start the `openldap` container with `docker run --network=overleaf_default --name=ldap rroemhild/test-openldap:1.1`
- Edit `variables.env` to add the LDAP environment variables as listed above.
- Restart Server Pro.
You should be able to log in using `fry` as both username and password.
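
Before pointing this configuration at a real directory, the settings above can be linted. The script below is an added example, not part of the Toolkit: `check_ldap_env` and `env_get` are hypothetical helpers, and the checks (implicit activation, mixed prefixes, plain `ldap://`, a filter without `{{username}}`, a world-readable file holding the bind password) are derived from the variables shown on this page.

```shell
#!/bin/sh
# Added example: lint the LDAP settings in a Toolkit variables.env.
# check_ldap_env and env_get are hypothetical helpers, not Toolkit commands.
# Print the value assigned to KEY ($1, a sed regex) in FILE ($2); last one wins.
env_get() { sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1; }

# Print one finding per line; return 1 if there were any, else 0.
check_ldap_env() {
    file=$1 findings=0
    note() { echo "$file: $1"; findings=1; }
    auth=$(env_get EXTERNAL_AUTH "$file")
    url=$(env_get OVERLEAF_LDAP_URL "$file")
    old_url=$(env_get SHARELATEX_LDAP_URL "$file")
    filter=$(env_get '[A-Z]*_LDAP_SEARCH_FILTER' "$file")
    creds=$(env_get '[A-Z]*_LDAP_BIND_CREDENTIALS' "$file")
    # Backward-compatibility path: the URL alone switches the module on.
    if [ -z "$auth" ] && [ -n "$url$old_url" ]; then
        note "EXTERNAL_AUTH is unset; LDAP is enabled implicitly by the LDAP URL"
    fi
    # Only one prefix applies to a given version (SHARELATEX_ for 4.x and older).
    if [ -n "$url" ] && [ -n "$old_url" ]; then
        note "both OVERLEAF_LDAP_URL and SHARELATEX_LDAP_URL are set"
    fi
    # Plain ldap:// sends bind and user passwords unencrypted unless TLS is negotiated.
    case ${url:-$old_url} in
        ldap://*) note "ldap:// URL: credentials are cleartext unless TLS is negotiated" ;;
    esac
    # The filter has to select the account that is logging in.
    case $filter in
        '' | *'{{username}}'*) ;;
        *) note "search filter does not contain {{username}}" ;;
    esac
    # The bind password lives in this file, so it should not be world-readable.
    if [ -n "$creds" ] && [ -n "$(find "$file" -perm -004)" ]; then
        note "file holds bind credentials and is world-readable"
    fi
    return "$findings"
}

# Constructed sample: the page's example settings with EXTERNAL_AUTH left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
OVERLEAF_LDAP_URL=ldap://ldap:389
OVERLEAF_LDAP_SEARCH_FILTER=(uid={{username}})
OVERLEAF_LDAP_BIND_CREDENTIALS=GoodNewsEveryone
EOF
check_ldap_env "$sample" || true
rm -f "$sample"
```

The test server setup on this page is expected to trip the `ldap://` check; that finding matters once the same settings are reused against a production directory.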