A Drawpile-compatible auth server backed by LDAP
- Node.js v12 or greater
- An LDAP server
- A Drawpile server configured for external authentication
See docker-compose.yml
for an example Compose file. Alternatively, you may want to use docker run
:
$ cp config.example.toml config.toml
$ $EDITOR config.toml # see README.md "Configuring the auth server" for details
$ docker run -d --rm \
-p 8081:8081 \
-v path/to/config.toml:/usr/src/app/config.toml:ro \
bytewave81/drawpile-ldap-auth-server
You don't want to use my shiny Docker setup? But I worked so hard on it!
$ git clone https://github.com/BytewaveMLP/drawpile-ldap-auth-server.git
$ cd drawpile-ldap-auth-server
$ yarn install
$ yarn build
$ cp config.example.toml config.toml
$ $EDITOR config.toml # see README.md "Configuring the auth server" for details
$ node .
In order to make use of this, you need to configure Drawpile to look for your external auth server. Note that both Drawpile and clients will need access to the auth server, so drawpile-ldap-auth-server must be internet-facing. I recommend putting this behind nginx in order to allow secure communications between clients and the server.
To configure Drawpile to direct clients to this auth server, add the following entries to the [config]
section of your Drawpile instance:
; enable extauth and direct users to the auth server
extauth = true
; PUBLIC key for token signing, see "Generating a token keypair"
extauthkey = ""
; users must be in this LDAP group in order to user the instance (optional)
extauthgroup = user
; should Drawpile fall back to the internal user database if the auth server is unreachable?
extauthfallback = false
; drawpile-ldap-auth-server can pull moderator status from LDAP groups; set this to true if
; you'd like to enable that
; Drawpile flag: MOD
extauthmod = true
; drawpile-ldap-auth-server can also allow users to host sessions based on LDAP group membership;
; set this to true if you'd like that as well
; Drawpile flag: HOST
extauthhost = true
; drawpile-ldap-auth-server may additionally retrieve user avatars from LDAP; set this to true
; if you want Drawpile to request user avatars upon authentication
; You must also configure ldap.imageAttribute in your drawpile-ldap-auth-server configuration
extAuthAvatars = true
; should guests be allowed to access Drawpile?
; this setting must match the setting in config.toml for drawpile-ldap-auth-server
allowGuests = false
; should all users be allowed to host sessions?
; if allowGuests is false but this is true, *any* authenticated user will be allowed to host sessions
; regardless if they have the HOST flag
allowGuestHosts = false
Additionally, you need to pass the --extauth
parameter to drawpile-srv
which points to the public-facing URL for your drawpile-ldap-auth-server instance.
First, copy config.example.toml
to config.toml
. Then, open it in your favorite editor. Each config option is explained rather clearly in the config comments.
For more details on TOML syntax, see the README.
If you would prefer, you may set configuration options through environment variables/command-line arguments rather than through the config file. Each config option has a corresponding environment variable/argument which will override the value listed in the config if set. Note that ldap.flagGroups
does not have an associated environment variable mapping; this is the only value which must be set in config.tmol
.
Additionally, there are two environment-only configuration options relating to logging. These are:
-
LOG_LEVEL
The Winston log level to use. By default, this is
info
ifNODE_ENV
isproduction
, anddebug
otherwise. It's probably best to leave this as the default; setting this to anything belowdebug
may expose sensitive information in your logs, and should only be used for debugging. -
NODE_ENV
The environment this instance is running under. By default, this is assumed to be
development
, in which case debug-level logging output is enabled (unless overridden viaLOG_LEVEL
). Set this toproduction
in an actual deployment (the Docker image does this for you).
Drawpile uses libsodium to handle token verification, which expects a "raw" format Ed25519 public key (ie, no container format). However, OpenSSL (and therefore Node) operate on containerized keys using DER and PEM formats. As such, you will need to generate your keypair in a very specific manner.
# generate private key; this goes in config.toml or in your environment as DRAWPILE_AUTH_TOKEN_SIGNING_KEY
$ PRIVKEY="$(openssl genpkey -algorithm ed25519 -outform DER | openssl base64)"; echo $PRIVKEY
# generate public key; this goes in your Drawpile config.ini
$ echo "$PRIVKEY" | openssl base64 -d | openssl pkey -inform DER -outform DER -pubout | tail -c +13 | openssl base64
PRs, feature suggestions, and bug reports welcome.
Copyright (c) Eliot Partridge, 2020. Licensed under the MIT License.