ep_ldapauth

0.4.0 verified Sat Apr 25 auth: no javascript

Etherpad Lite plugin that provides LDAP-based authentication and authorization. Version 0.4.0 integrates with Etherpad's authentication hooks to allow users to log in using LDAP credentials. It supports both plain LDAP and LDAPS, configurable search filters, group-based access control (admin or read-only), and specific examples for FreeIPA. The plugin is released under GPL-2.0 and is maintained primarily for Etherpad Lite environments. It requires a properly configured settings.json with LDAP server details, search credentials, and group mapping. Notable differentiators: direct integration with Etherpad's auth system, no external dependencies beyond ldapjs, and support for anonymous read-only mode.

Common errors

error Error: connect ECONNREFUSED <ldap-host>:389 ↓

cause LDAP server not running or port blocked.

fix

Verify server host/port, firewall, and that LDAP service is up.

error Error: 49 - LDAP_INVALID_CREDENTIALS ↓

cause searchDN or searchPWD incorrect, or pattern not matching.

fix

Check searchDN and searchPWD values; verify accountPattern matches.

error Error: NoSuchObjectError: No such object ↓

cause accountBase or groupSearchBase DN incorrect.

fix

Verify base DNs using ldapsearch or similar tool.

error Error: operationsError ↓

cause Insufficient access rights for searchDN.

fix

Grant read permissions to the search user on the LDAP tree.

Warnings

breaking Configuration format changed: 'groupAttributeIsDN' must be boolean, not string 'true'/'false'. ↓

fix Set 'groupAttributeIsDN' to true or false without quotes.

deprecated 'anonymousReadonly' option may be deprecated; not in all examples. ↓

fix Omit or set to false if not needed.

gotcha Do not use 'require' or 'import' for this plugin; it is automatically loaded when in node_modules. ↓

fix Simply place in node_modules and configure settings.json.

gotcha LDAP server must be reachable; firewall or DNS issues cause silent failures. ↓

fix Test connectivity with ldapsearch or similar tool.

gotcha searchDN and searchPWD are required for binding; omit only if anonymous bind is allowed (rare). ↓

fix Provide valid credentials or ensure LDAP allows anonymous search.

Install

npm install ep_ldapauth

yarn add ep_ldapauth

pnpm add ep_ldapauth

Imports

default
wrong
```
import ep_ldapauth from 'ep_ldapauth'
```
correct
```
require('ep_ldapauth')
```
This is an Etherpad plugin loaded via hooks, not a standard import. It is not meant to be imported directly; it is activated by placing in Etherpad's node_modules and configuring settings.json.

Quickstart

Configuration for ep_ldapauth in Etherpad's settings.json, enabling LDAP authentication with admin group mapping.

{
  "users": {
    "ldapauth": {
      "url": "ldaps://ldap.example.com",
      "accountBase": "ou=Users,dc=example,dc=com",
      "accountPattern": "(&(objectClass=*)(uid={{username}}))",
      "displayNameAttribute": "cn",
      "searchDN": "uid=searchuser,dc=example,dc=com",
      "searchPWD": "supersecretpassword",
      "groupSearchBase": "ou=Groups,dc=example,dc=com",
      "groupAttribute": "member",
      "groupAttributeIsDN": true,
      "searchScope": "sub",
      "groupSearch": "(&(cn=admin)(objectClass=groupOfNames))",
      "anonymousReadonly": false
    }
  }
}