Add LDAP auth support

.github/workflows/ci.yml

@@ -126,7 +126,7 @@ jobs:
         name: Install dependencies
         run: |
           sudo apt-get update -qq
-          sudo apt-get install -qq --no-install-recommends unpaper tesseract-ocr imagemagick ghostscript optipng
+          sudo apt-get install -qq --no-install-recommends unpaper tesseract-ocr imagemagick ghostscript optipng libldap2-dev libsasl2-dev
           pip install --upgrade pipenv
           pipenv install --system --dev --ignore-pipfile
       -
@@ -187,7 +187,7 @@ jobs:
         name: Install dependencies
         run: |
           sudo apt-get update -qq
-          sudo apt-get install -qq --no-install-recommends gettext liblept5
+          sudo apt-get install -qq --no-install-recommends gettext liblept5 libldap2-dev libsasl2-dev
           pip3 install -r requirements.txt
       -
         name: Download frontend artifact

Dockerfile

@@ -63,6 +63,10 @@ RUN apt-get update \
 		build-essential \
 		libpq-dev \
 		libqpdf-dev \
+		libldap2-dev \
+		libsasl2-dev \
+		python-dev \
+		libssl-dev \
 	&& python3 -m pip install --upgrade --no-cache-dir supervisor \
   && python3 -m pip install --no-cache-dir -r ../requirements.txt \
 	&& apt-get -y purge build-essential libqpdf-dev \

ansible/tasks/main.yml

@@ -33,6 +33,8 @@
       - build-essential
       - python3-setuptools
       - python3-wheel
+      - libldap2-dev
+      - libsasl2-dev
 
 # upstream virtualenv in Ubuntu 20.04 is broken
 # https://github.com/pypa/virtualenv/issues/1873

docs/setup.rst

@@ -281,12 +281,13 @@ writing. Windows is not and will never be supported.
     *   ``libpq-dev`` for PostgreSQL
     *   ``libmagic-dev`` for mime type detection
     *   ``mime-support`` for mime type detection
+    *   ``libldap2-dev`` for LDAP auth support
 
     Use this list for your preferred package management:
 
     .. code::
 
-        python3 python3-pip python3-dev imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support
+        python3 python3-pip python3-dev imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support libldap2-dev
 
     These dependencies are required for OCRmyPDF, which is used for text recognition.
 

paperless.conf.example

@@ -34,6 +34,17 @@
 #PAPERLESS_COOKIE_PREFIX=
 #PAPERLESS_ENABLE_HTTP_REMOTE_USER=false
 
+# LDAP Auth settings
+#PAPERLESS_ENABLE_LDAP_AUTH=True
+#PAPERLESS_LDAP_URI=ldap://ldap.example.com
+#PAPERLESS_LDAP_BIND_DN=CN=Paperless NG,OU=Apps,DC=domain,DC=com
+#PAPERLESS_LDAP_BIND_PASSWORD=p@ssw0rd
+#PAPERLESS_LDAP_USER_BASE=OU=People,DC=example,DC=com
+#PAPERLESS_LDAP_USER_FILTER=(sAMAccountName=%(user)s)
+#PAPERLESS_LDAP_FIRSTNAME_ATTR=givenName
+#PAPERLESS_LDAP_LASTNAME_ATTR=sn
+#PAPERLESS_LDAP_EMAIL_ATTR=mail
+
 # OCR settings
 
 #PAPERLESS_OCR_LANGUAGE=eng

requirements.txt

@@ -29,6 +29,7 @@ constantly==15.1.0
 cryptography==3.4.7
 daphne==3.0.2; python_version >= '3.6'
 dateparser==1.0.0
+django-auth-ldap==3.0.0
 django-cors-headers==3.8.0
 django-extensions==3.1.3
 django-filter==2.4.0

src/paperless/settings.py

@@ -183,6 +183,8 @@ def __get_boolean(key, default="NO"):
 # Security                                                                    #
 ###############################################################################
 
+AUTHENTICATION_BACKENDS = []
+
 AUTO_LOGIN_USERNAME = os.getenv("PAPERLESS_AUTO_LOGIN_USERNAME")
 
 if AUTO_LOGIN_USERNAME:
@@ -198,14 +200,39 @@ def __get_boolean(key, default="NO"):
     MIDDLEWARE.append(
         'paperless.auth.HttpRemoteUserMiddleware'
     )
-    AUTHENTICATION_BACKENDS = [
-        'django.contrib.auth.backends.RemoteUserBackend',
-        'django.contrib.auth.backends.ModelBackend'
-    ]
+    AUTHENTICATION_BACKENDS.append(
+        'django.contrib.auth.backends.RemoteUserBackend'
+    )
     REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append(
         'rest_framework.authentication.RemoteUserAuthentication'
     )
 
+ENABLE_LDAP_AUTH = __get_boolean("PAPERLESS_ENABLE_LDAP_AUTH")
+
+if ENABLE_LDAP_AUTH:
+    import ldap
+    from django_auth_ldap.config import LDAPSearch
+    AUTHENTICATION_BACKENDS.append(
+        'django_auth_ldap.backend.LDAPBackend'
+    )
+    AUTH_LDAP_SERVER_URI = os.getenv("PAPERLESS_LDAP_URI", "ldap://localhost")
+    AUTH_LDAP_BIND_DN = os.getenv("PAPERLESS_LDAP_BIND_DN", "")
+    AUTH_LDAP_BIND_PASSWORD = os.getenv("PAPERLESS_LDAP_BIND_PASSWORD", "")
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        os.getenv("PAPERLESS_LDAP_USER_BASE", "ou=users,dc=example,dc=com"),
+        ldap.SCOPE_SUBTREE, os.getenv("PAPERLESS_LDAP_USER_FILTER", "(uid=%(user)s)")
+    )
+    AUTH_LDAP_START_TLS = os.getenv("PAPERLESS_LDAP_START_TLS", True)
+    AUTH_LDAP_USER_ATTR_MAP = {
+        "first_name": os.getenv("PAPERLESS_LDAP_FIRSTNAME_ATTR", "givenName"),
+        "last_name": os.getenv("PAPERLESS_LDAP_LASTNAME_ATTR", "sn"),
+        "email": os.getenv("PAPERLESS_LDAP_EMAIL_ATTR", "mail")
+    }
+
+AUTHENTICATION_BACKENDS.append(
+    'django.contrib.auth.backends.ModelBackend'
+)
+
 # X-Frame options for embedded PDF display:
 if DEBUG:
     X_FRAME_OPTIONS = 'ANY'