LDAP Auth on the Mastodon

Mastodon uses its local database as the authentication method.

However, under some circumstances you can use an external authentication provider. In the first release, LDAP auth had some problems, but now it works fine. I think few people need LDAP auth, but there is no documentation on how to set it up.

This blog post describes how to set up LDAP authentication.

Setting up LDAP auth

The settings are listed in .env.production.sample. This post uses Mastodon v3.1.4.

# LDAP authentication (optional)
# LDAP_ENABLED=true
# LDAP_HOST=localhost
# LDAP_PORT=389
# LDAP_METHOD=simple_tls
# LDAP_BASE=
# LDAP_BIND_DN=
# LDAP_PASSWORD=
# LDAP_UID=cn
# LDAP_MAIL=mail
# LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))
# LDAP_UID_CONVERSION_ENABLED=true
# LDAP_UID_CONVERSION_SEARCH=., -
# LDAP_UID_CONVERSION_REPLACE=_

LDAP_METHOD

Only simple_tls or start_tls is accepted.

LDAP_TLS_NO_VERIFY is a hidden parameter (not listed in the sample file) for using an LDAP connection without SSL/TLS encryption.

LDAP_BASE

Base DN

LDAP_BIND_DN

Put the bind DN here. Anonymous bind is not supported.

LDAP_UID

The LDAP attribute that holds the username.

LDAP_MAIL

The LDAP attribute that holds the email address.

LDAP_SEARCH_FILTER

You can set the LDAP search filter used to match the LDAP user. The search filter syntax is defined in RFC 4515.

A sample setting follows.

LDAP_UID=cn
LDAP_MAIL=mail
LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))

Mastodon replaces %{uid} with the value of LDAP_UID and %{mail} with the value of LDAP_MAIL; %{email} is the email address the user typed in.

When a user logs in as hoge@example.com with the default LDAP settings above,

(|(cn=hoge@example.com)(mail=hoge@example.com))

is built as the search filter.
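The filter construction described above, as an added example (my own Ruby, not Mastodon's code): it fills the %{uid}, %{mail} and %{email} placeholders the way the post describes, and it escapes the user-typed address per RFC 4515 section 3 so that the typed text can only ever match as a literal value. The escaping step is my assumption about what a careful implementation should do; the post does not say whether Mastodon v3.1.4 performs it, so check before relying on it.

```ruby
# Added example, not Mastodon's code: how LDAP_SEARCH_FILTER becomes a
# concrete search filter for one login attempt.

# RFC 4515 section 3 requires *, (, ), \ and NUL inside an assertion
# value to be written as \XX hex escapes. Applying this to the typed
# email keeps it from altering the structure of the filter.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# env mirrors the LDAP_* keys of .env.production; email is the address
# the user entered on the login form. Ruby's format supports the same
# %{name} placeholders the sample configuration uses.
def build_search_filter(env, email)
  format(env.fetch('LDAP_SEARCH_FILTER'),
         uid: env.fetch('LDAP_UID'),
         mail: env.fetch('LDAP_MAIL'),
         email: ldap_escape(email))
end

# Constructed sample settings, identical to the defaults quoted in the post.
SAMPLE_ENV = {
  'LDAP_UID' => 'cn',
  'LDAP_MAIL' => 'mail',
  'LDAP_SEARCH_FILTER' => '(|(%{uid}=%{email})(%{mail}=%{email}))'
}.freeze

if $PROGRAM_NAME == __FILE__
  puts build_search_filter(SAMPLE_ENV, 'hoge@example.com')
  # A wildcard in the typed address stays a literal asterisk.
  puts build_search_filter(SAMPLE_ENV, 'hoge*@example.com')
end
```

Running the file prints the filter from the post for hoge@example.com; the second line shows that an asterisk in the typed address is emitted as \2a, so it is compared as a literal character rather than as an LDAP wildcard.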

LDAP_UID_CONVERSION_ENABLED

Mastodon restricts the characters allowed in a username. The following pattern defines what is allowed.

/[a-z0-9_]+([a-z0-9_\.-]+[a-z0-9_]+)?/i

Because of this, characters that Mastodon prohibits may appear in LDAP usernames.

LDAP_UID_CONVERSION_SEARCH lists the characters that exist in LDAP usernames but are prohibited in Mastodon. LDAP_UID_CONVERSION_REPLACE is the character that replaces each prohibited character in Mastodon.

With the sample settings, . and - in the LDAP username are replaced with _. For instance, if the user ash-phy exists in LDAP, he will be ash_phy on Mastodon.
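The conversion and the username rule from the preceding paragraphs, as an added example (my own Ruby, not Mastodon's code). It reads LDAP_UID_CONVERSION_SEARCH as the comma-separated list the sample value suggests, applies the replacement, and checks the result against the post's pattern anchored to the whole string (the anchoring is my assumption about how the pattern is applied). It also reports LDAP uids that collapse onto the same Mastodon username, which is the check worth running over the directory before turning the conversion on.

```ruby
# Added example, not Mastodon's code: apply the LDAP_UID_CONVERSION_*
# settings and check the result against the username pattern.

# The pattern quoted in the post, anchored here so that the whole
# username must match (an assumption about how Mastodon applies it).
USERNAME_RE = /\A[a-z0-9_]+([a-z0-9_\.-]+[a-z0-9_]+)?\z/i

# LDAP_UID_CONVERSION_SEARCH is read as a comma-separated list of
# characters (the sample value "., -" lists the dot and the hyphen);
# every listed character is replaced by LDAP_UID_CONVERSION_REPLACE.
def convert_uid(env, ldap_uid)
  return ldap_uid unless env['LDAP_UID_CONVERSION_ENABLED'] == 'true'

  search = env.fetch('LDAP_UID_CONVERSION_SEARCH').split(',').map(&:strip).reject(&:empty?)
  replace = env.fetch('LDAP_UID_CONVERSION_REPLACE')
  search.reduce(ldap_uid) { |name, ch| name.gsub(ch, replace) }
end

def valid_username?(name)
  USERNAME_RE.match?(name)
end

# Distinct LDAP uids that map to one Mastodon username after conversion.
# Names are compared case-insensitively, as the /i flag on the pattern
# suggests; two such users would contend for the same local account.
def conversion_collisions(env, ldap_uids)
  ldap_uids.group_by { |uid| convert_uid(env, uid).downcase }
           .select { |_, uids| uids.size > 1 }
end

# Constructed sample settings, identical to the defaults quoted in the post.
SAMPLE_CONV_ENV = {
  'LDAP_UID_CONVERSION_ENABLED' => 'true',
  'LDAP_UID_CONVERSION_SEARCH' => '., -',
  'LDAP_UID_CONVERSION_REPLACE' => '_'
}.freeze

if $PROGRAM_NAME == __FILE__
  %w[ash-phy john.doe alice].each do |uid|
    name = convert_uid(SAMPLE_CONV_ENV, uid)
    puts "#{uid} -> #{name} (valid: #{valid_username?(name)})"
  end
  p conversion_collisions(SAMPLE_CONV_ENV, %w[ash-phy ash.phy alice])
end
```

Feed conversion_collisions the list of uids exported from the directory: with the sample settings, ash-phy and ash.phy both become ash_phy, and whichever of the two logs in first would own that Mastodon account.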

How does Mastodon change after LDAP is enabled?

No new registration is needed.

When a new user logs in to Mastodon, the user account is created on Mastodon immediately. Even if the administrator has set the registrations mode to "Nobody can sign up", a new LDAP user can still sign up to Mastodon. No confirmation mail is sent in this case.

Enabling LDAP on a running server

When LDAP auth is enabled on a running Mastodon server, local and LDAP authentication are active at the same time. Mastodon first tries to authenticate with LDAP; if that fails, it tries local authentication. Already existing users can use both passwords, LDAP and local. After enabling LDAP, the Mastodon server can still create and use local users.
