BytewaveMLP/drawpile-ldap-auth-server


A Drawpile-compatible auth server backed by LDAP

Install

Prerequisites

  • Node.js v12 or greater
  • An LDAP server
  • A Drawpile server configured for external authentication

Docker

See docker-compose.yml for an example Compose file. Alternatively, you may want to use docker run:

```shell
$ cp config.example.toml config.toml
$ $EDITOR config.toml   # see README.md "Configuring the auth server" for details
# the host path given to -v must be absolute (a relative path is not treated as a bind mount)
$ docker run -d --rm \
    -p 8081:8081 \
    -v path/to/config.toml:/usr/src/app/config.toml:ro \
    bytewave81/drawpile-ldap-auth-server
```

Manual

You don't want to use my shiny Docker setup? But I worked so hard on it!

```shell
$ git clone https://github.com/BytewaveMLP/drawpile-ldap-auth-server.git
$ cd drawpile-ldap-auth-server
$ yarn install
$ yarn build
$ cp config.example.toml config.toml
$ $EDITOR config.toml   # see README.md "Configuring the auth server" for details
$ node .
```

Usage

Configuring Drawpile

In order to make use of this, you need to configure Drawpile to look for your external auth server. Note that both Drawpile and clients will need access to the auth server, so drawpile-ldap-auth-server must be internet-facing. The server itself speaks plain HTTP, and clients send their LDAP credentials to it, so put it behind a TLS-terminating reverse proxy such as nginx and only ever advertise the HTTPS URL to Drawpile and its clients.
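An example of that reverse-proxy layer, added here and not part of the drawpile-ldap-auth-server project. It assumes the auth server listens on 127.0.0.1:8081 (the port the Docker example publishes), and `auth.example.org` and the certificate paths are placeholders to substitute for your own:

```nginx
# Added example, not the project's own configuration. Assumes the auth server
# is reachable on 127.0.0.1:8081; hostname and certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name auth.example.org;

    ssl_certificate     /etc/letsencrypt/live/auth.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Never serve the auth endpoint over plain HTTP: redirect so credentials
# are not sent in clear by a client that typed the wrong scheme.
server {
    listen 80;
    server_name auth.example.org;
    return 301 https://$host$request_uri;
}
```

With this in place, `--extauth` is pointed at `https://auth.example.org/` rather than at port 8081 directly. If you run the container with `docker run`, publish the port on loopback only (`-p 127.0.0.1:8081:8081`) so the unencrypted listener is reachable from the proxy and nothing else.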

To configure Drawpile to direct clients to this auth server, add the following entries to the [config] section of your Drawpile instance:

```ini
; enable extauth and direct users to the auth server
extauth = true
; PUBLIC key for token signing, see "Generating a token keypair"
extauthkey = ""
; users must be in this LDAP group in order to use the instance (optional)
extauthgroup = user
; should Drawpile fall back to the internal user database if the auth server is unreachable?
extauthfallback = false
; drawpile-ldap-auth-server can pull moderator status from LDAP groups; set this to true if
; you'd like to enable that; Drawpile flag: MOD
extauthmod = true
; drawpile-ldap-auth-server can also allow users to host sessions based on LDAP group membership;
; set this to true if you'd like that as well; Drawpile flag: HOST
extauthhost = true
; drawpile-ldap-auth-server may additionally retrieve user avatars from LDAP; set this to true
; if you want Drawpile to request user avatars upon authentication
; You must also configure ldap.imageAttribute in your drawpile-ldap-auth-server configuration
extAuthAvatars = true
; should guests be allowed to access Drawpile?
; this setting must match the setting in config.toml for drawpile-ldap-auth-server
allowGuests = false
; should all users be allowed to host sessions?
; if allowGuests is false but this is true, *any* authenticated user will be allowed to host sessions
; regardless of whether they have the HOST flag
allowGuestHosts = false
```

Additionally, you need to pass the --extauth parameter to drawpile-srv, pointing at the public-facing URL of your drawpile-ldap-auth-server instance.

Configuring the auth server

First, copy config.example.toml to config.toml. Then, open it in your favorite editor. Each config option is explained in the comments of the config file.

For more details on TOML syntax, see the TOML README.

If you would prefer, you may set configuration options through environment variables/command-line arguments rather than through the config file. Each config option has a corresponding environment variable/argument which, if set, overrides the value listed in the config. Note that ldap.flagGroups does not have an associated environment variable mapping; this is the only value which must be set in config.toml.

Additionally, there are two environment-only configuration options relating to logging. These are:

  • LOG_LEVEL

    The Winston log level to use. By default, this is info if NODE_ENV is production, and debug otherwise. It's probably best to leave this as the default; setting this to anything more verbose than debug may expose sensitive information (such as credentials passed through the auth flow) in your logs, and should only be used for debugging.

  • NODE_ENV

    The environment this instance is running under. By default, this is assumed to be development, in which case debug-level logging output is enabled (unless overridden via LOG_LEVEL). Set this to production in an actual deployment (the Docker image does this for you).

Generating a token keypair

Drawpile uses libsodium to handle token verification, which expects a "raw" format Ed25519 public key (i.e. the bare 32 key bytes, no container format). However, OpenSSL (and therefore Node) operate on containerized keys using DER and PEM formats. As such, you will need to generate your keypair in a very specific manner: the private key stays in its PKCS#8 DER container, while the public key has its 12-byte SubjectPublicKeyInfo header stripped off before being base64-encoded.

```shell
# requires OpenSSL 1.1.1 or newer (Ed25519 support)
# generate private key; this goes in config.toml or in your environment as DRAWPILE_AUTH_TOKEN_SIGNING_KEY
$ PRIVKEY="$(openssl genpkey -algorithm ed25519 -outform DER | openssl base64)"; echo "$PRIVKEY"
# generate public key; this goes in your Drawpile config.ini as extauthkey
# `tail -c +13` drops the 12-byte DER SubjectPublicKeyInfo header, leaving the raw 32-byte key
$ echo "$PRIVKEY" | openssl base64 -d | openssl pkey -inform DER -outform DER -pubout | tail -c +13 | openssl base64
```

Maintainers

Contribute

PRs, feature suggestions, and bug reports welcome.

License

Copyright (c) Eliot Partridge, 2020. Licensed underthe MIT License.
