LDAP with paperless ngx

Hi Forum,
happy New Year!

I am trying to install paperless ngx (https://docs.paperless-ngx.com/) in a docker container with LDAP using this tutorial: "LDAP Support - How I did it" (paperless-ngx/paperless-ngx, Discussion #3228 on GitHub).

As I am a newbie to LDAP in general, I am struggling to find the right inputs for this section:


# The URL of the LDAP server(s).  List multiple servers for high availability ServerPool connection.
LDAP_AUTH_URL = ["ldap://ldap.example.com:389"]

# The LDAP search base for looking up users.
LDAP_AUTH_SEARCH_BASE = "ou=people,dc=example,dc=com"

# The LDAP username and password of a user for querying the LDAP database for user
# details. If None, then the authenticated user will be used for querying, and
# the `ldap_sync_users`, `ldap_clean_users` commands will perform an anonymous query.
LDAP_AUTH_CONNECTION_USERNAME = "svc_paperless"
LDAP_AUTH_CONNECTION_PASSWORD = "my secure password"

PAPERLESS_LDAP_UID_FORMAT = "uid={},ou=people,dc=example,dc=com"
PAPERLESS_LDAP_USER_GROUP = "cn=paperless_user,ou=groups,dc=example,dc=com"
PAPERLESS_LDAP_ADMIN_GROUP = "cn=paperless_admin,ou=groups,dc=example,dc=com"
PAPERLESS_LDAP_LLDAP_FIX = False

This is fine with:
LDAP_AUTH_URL = ["ldap://ucs.domain.internal:7389"]

This works with:

LDAP_AUTH_SEARCH_BASE = "dc=domain,dc=internal"

I used this "Cool Solution - LDAP search user / simple authentication account" to create a search user and filled in:

LDAP_AUTH_CONNECTION_USERNAME = "LDAPsearch"
LDAP_AUTH_CONNECTION_PASSWORD = "LDAPsearch user password"

But I am struggling with this section:

PAPERLESS_LDAP_UID_FORMAT = "uid={},ou=people,dc=example,dc=com"
PAPERLESS_LDAP_USER_GROUP = "cn=paperless_user,ou=groups,dc=example,dc=com"
PAPERLESS_LDAP_ADMIN_GROUP = "cn=paperless_admin,ou=groups,dc=example,dc=com"

My aim is to have the UCS Administrator account be the paperless ngx Admin and all users be normal paperless-ngx users.

I am pretty sure it is quite easy to retrieve the input via ldapsearch but I don’t know how…

Can you help?

Hi!

The LDAP plugin for paperless does not look very flexible when it comes to the distinguished name (DN) of user objects. In UCS the user objects can be located in every container somewhere below the LDAP base. IIRC this is also the case in Microsoft's Active Directory. But the plugin asks you to define the DN in a very specific way. For UCS it should work with the following setting as long as all your users are located directly within cn=users,dc=example,dc=com and not within subcontainers:

PAPERLESS_LDAP_UID_FORMAT = "uid={},cn=users,dc=example,dc=com"

For the user groups the following can be a first start/used as a template for custom changes:

PAPERLESS_LDAP_USER_GROUP = "cn=Domain Users,cn=groups,dc=example,dc=com"
PAPERLESS_LDAP_ADMIN_GROUP = "cn=Domain Admins,cn=groups,dc=example,dc=com"

Please do not forget to exchange dc=example,dc=com with your specific UCS LDAP base!

Hope this helps for getting the plugin running.

Greetings

Sönke

1 Like
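
An added example (not part of the original posts or of the paperless-ngx plugin) that checks the settings from the answer above against directory data: it parses LDIF of the kind `ldapsearch -LLL` prints and reports, per user, whether the DN fits `PAPERLESS_LDAP_UID_FORMAT` (users in subcontainers do not) and which of the two groups contains it. Assumptions: the sample entries are constructed, group membership is read from `uniqueMember`, and DN comparison is simplified to trimming and lowercasing; how the plugin itself evaluates group membership is not shown on this page.

```python
import re

# Constructed `ldapsearch -LLL`-style LDIF sample; not taken from a real directory.
SAMPLE_LDIF = """\
dn: uid=Administrator,cn=users,dc=example,dc=com
uid: Administrator

dn: uid=alice,cn=users,dc=example,dc=com
uid: alice

dn: uid=bob,cn=staff,cn=users,dc=example,dc=com
uid: bob

dn: cn=Domain Admins,cn=groups,dc=example,dc=com
uniqueMember: uid=Administrator,cn=users,dc=example,dc=com

dn: cn=Domain Users,cn=groups,dc=example,dc=com
uniqueMember: uid=alice,cn=users,dc=example,dc=com
uniqueMember: uid=bob,cn=staff,cn=users,
 dc=example,dc=com
"""
UID_FORMAT = "uid={},cn=users,dc=example,dc=com"
USER_GROUP = "cn=Domain Users,cn=groups,dc=example,dc=com"
ADMIN_GROUP = "cn=Domain Admins,cn=groups,dc=example,dc=com"

def norm_dn(dn):
    """Simplified DN normalisation: split on unescaped commas, trim, lowercase."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def parse_ldif(text):
    """Return {normalised DN: {attribute: [values]}}, unfolding wrapped lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for key, _, value in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key.lower(), []).append(value)
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def audit(text, uid_format, user_group, admin_group):
    """Map each uid to (DN matches uid_format, role derived from uniqueMember)."""
    entries = parse_ldif(text)
    def members(group):  # assumption: groups list member DNs in uniqueMember
        return {norm_dn(m) for m in entries.get(norm_dn(group), {}).get("uniquemember", [])}
    users, admins = members(user_group), members(admin_group)
    return {uid: (norm_dn(uid_format.format(uid)) == dn,
                  "admin" if dn in admins else "user" if dn in users else "none")
            for dn, attrs in entries.items() for uid in attrs.get("uid", [])}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, UID_FORMAT, USER_GROUP, ADMIN_GROUP))
```

In the constructed sample, `bob` is a member of Domain Users but sits in a subcontainer, so the DN built from the format string does not match the real DN.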

Thank you! That solved the problem.
