DigitalSlideArchive / digital_slide_archive

The official deployment of the Digital Slide Archive and HistomicsTK.

Home Page: https://digitalslidearchive.github.io


LDAP Plugin issue

btsherid opened this issue · comments

Hi,

We have set up Histomics using the digital_slide_archive repo using the docker compose installation method. We got the LDAP plugin working using our institution's LDAP server, but we noticed that if we supply a correct username and an incorrect password, Histomics still logs the user in. Any ideas on how we can secure the application for LDAP login? Currently any person accessing the site can log in if they know a valid username.

Thanks,
Brendan Sheridan

What version of Girder and the ldap plugin are you using? If before 3.1.22, can you upgrade and see if you still have the issue? Do you have the fallback to Girder login checked? (You want that turned off.)
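A way to check the behaviour reported above on your own deployment, as an added example that is not part of the DSA project or this thread: it sends one basic-auth login attempt with a locally constructed, deliberately wrong password to Girder's `/api/v1/user/authentication` endpoint and reports whether the server refused it (401) or logged the user in anyway (200). The base URL, username and the `transport` hook are this script's own assumptions; only the endpoint path is Girder's.

```python
"""Audit: does this Girder/DSA instance reject a valid LDAP username with a wrong password?"""
import base64
import sys
import urllib.error
import urllib.request

AUTH_PATH = "/api/v1/user/authentication"  # Girder's HTTP basic-auth login endpoint


def _basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def http_status(url, headers):
    """Default transport: GET the URL and return the HTTP status, 4xx/5xx included."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def login_status(base_url, username, password, transport=http_status):
    """Return the status Girder gives for one basic-auth login attempt."""
    url = base_url.rstrip("/") + AUTH_PATH
    return transport(url, _basic_auth_header(username, password))


def audit_ldap_login(base_url, username, transport=http_status):
    """Probe with a constructed bogus password (never the real one).

    401 is the expected refusal. 200 means the user was logged in regardless of
    the password, i.e. the behaviour this issue reports (check that 'fallback to
    Girder login' is off and the ldap plugin is at least 3.1.22).
    """
    bogus_password = "definitely-not-the-real-password"  # constructed value
    status = login_status(base_url, username, bogus_password, transport)
    return {
        "status": status,
        "wrong_password_rejected": status == 401,
        "logged_in_anyway": status == 200,
    }


if __name__ == "__main__":
    # Usage: python audit_ldap_login.py https://dsa.example.org alice  (assumed placeholders)
    print(audit_ldap_login(sys.argv[1], sys.argv[2]))
```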

I'm not sure the version of Girder, but I just pulled the repo last week. The LDAP plugin is 3.1.22.

I think this got me to where I need to be, but I still find it strange that if I uncheck the fallback to Girder login box, then I can't log in using the admin user. I worked around this by making a couple of LDAP user accounts site admins. This works, but it seems like it would still be rather easy to get ourselves into a scenario where we can't log in with admin privileges.

Would you mind making this an issue in the Girder repo (there are more developers there that know something about how LDAP works)? Maybe the solution is that the fallback can only go to existing Girder admin users.

Sure, all of that makes sense.

Is there any fix if we end up not having an account that can log in with admin privileges? I'm imagining there might be a way to allow "fallback to Girder login" using the DB somehow?

You could temporarily disable the ldap plugin (pip uninstall it, restart), log in as admin, do what is needed (probably flagging an ldap user as an admin), then re-enable the ldap plugin and restart.

Closing this; there were changes to Girder's LDAP plugin which may have addressed it. If not, please open or nudge issues on the Girder repo.