[PR #1214] Add LDAP support #2864

New issue

Closed

opened 2026-03-01 18:00:59 +03:00 by kerem · 0 comments

kerem commented

2026-03-01 18:00:59 +03:00

Owner

Original Pull Request: https://github.com/ArchiveBox/ArchiveBox/pull/1214

State: closed
Merged: Yes

Summary

This project uses Django, which has an LDAP authentication backend that can be enabled (if you install it). These changes add the required configuration options to select and configure this backend to be used instead of Django's internal user backend.

Example environment variable configuration:

LDAP: "True"
LDAP_SERVER_URI: "ldap://daniel-authenticator:3389"
LDAP_BIND_DN: "ou=archivebox,ou=services,dc=daniel-authenticator"
LDAP_BIND_PASSWORD: "secret-bind-user-password"
LDAP_USER_BASE: "ou=users,ou=archivebox,ou=services,dc=daniel-authenticator"
LDAP_USER_FILTER: "(objectClass=user)"

LDAP_USERNAME_ATTR: "uid"
LDAP_FIRSTNAME_ATTR: "givenName"
LDAP_LASTNAME_ATTR: "sn"
LDAP_EMAIL_ATTR: "mail"

This configuration works against the LDAP server I use. There should be sufficient configuration options to work with any LDAP server, if properly configured.

The "LDAP" option defaults to False, in which case there are no changes to how Django handles authentication.

There is a bit of an annoyance with how this currently works, which is that when a user logins in for the first time, they are denied because they are not "staff". Once they get denied login for the first time, an existing superuser can mark them as "superuser" and then they will be able to login properly. I tried to figure out a way to set all LDAP users to superuser by default as a workaround, but I couldn't figure it out so that is not included in this PR. For now though, this behavior is okay for me personally because user authentication is still handled centrally, even if I have to specifically set all the users I want to have superuser permissions to actually be able to login. If in the future ArchiveBox does not require any special user permissions to login, then first-time logins will succeed.

#554
Also I want all user authentication to go through LDAP on my personal server, so I went ahead and add that functionality.

Changes these areas

Bugfixes
Feature behavior
Command line interface
Configuration options
Internal architecture
Snapshot data layout on disk

Let me know if there is anything I can do to help get this merged.

**Original Pull Request:** https://github.com/ArchiveBox/ArchiveBox/pull/1214 **State:** closed **Merged:** Yes ---  # Summary This project uses Django, which has an LDAP authentication backend that can be enabled (if you install it). These changes add the required configuration options to select and configure this backend to be used instead of Django's internal user backend. Example environment variable configuration: ``` LDAP: "True" LDAP_SERVER_URI: "ldap://daniel-authenticator:3389" LDAP_BIND_DN: "ou=archivebox,ou=services,dc=daniel-authenticator" LDAP_BIND_PASSWORD: "secret-bind-user-password" LDAP_USER_BASE: "ou=users,ou=archivebox,ou=services,dc=daniel-authenticator" LDAP_USER_FILTER: "(objectClass=user)" LDAP_USERNAME_ATTR: "uid" LDAP_FIRSTNAME_ATTR: "givenName" LDAP_LASTNAME_ATTR: "sn" LDAP_EMAIL_ATTR: "mail" ``` This configuration works against [the LDAP server I use](https://github.com/DanielBatteryStapler/daniel-authenticator). There should be sufficient configuration options to work with any LDAP server, if properly configured. The "LDAP" option defaults to False, in which case there are no changes to how Django handles authentication. There is a bit of an annoyance with how this currently works, which is that when a user logins in for the first time, they are denied because they are not "staff". Once they get denied login for the first time, an existing superuser can mark them as "superuser" and then they will be able to login properly. I tried to figure out a way to set all LDAP users to superuser by default as a workaround, but I couldn't figure it out so that is not included in this PR. For now though, this behavior is okay for me personally because user authentication is still handled centrally, even if I have to specifically set all the users I want to have superuser permissions to actually be able to login. If in the future ArchiveBox does not require any special user permissions to login, then first-time logins will succeed. # Related issues #554 Also I want all user authentication to go through LDAP on my personal server, so I went ahead and add that functionality. # Changes these areas - [ ] Bugfixes - [X] Feature behavior - [ ] Command line interface - [X] Configuration options - [ ] Internal architecture - [ ] Snapshot data layout on disk Let me know if there is anything I can do to help get this merged.

kerem

2026-03-01 18:00:59 +03:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ArchiveBox#2864

No description provided.

Rows
Columns