Login systems

Bonsai currently support two login systems, LDAP authentication and a simple username and password authentication. These login sytems are mutually exclusive so by chosing one the other is being disabled.

Simple authentication

The default authentication method is logging using a username and password. The password is being salted and stored in the mongo database.

LDAP authentication

Authentication can be made against an institutional LDAP3 server. You need an existing LDAP authentication server to user this authentication method. The users need to have an account in Bonsai in addition to having an entry on the LDAP server, because the user roles are determined from the Bonsai account.

Use either the API CLI or the Admin panel to create a new user.

The LDAP3 server connection is configured using environmental variables. At minimum you need to configure the following variables.

Minimal configuration csv-table

Variable name	Description
LDAP_HOST	Server host or IP
LDAP_PORT	Server port
LDAP_BASE_DN	Base distinguished name (DN) for searching the server
LDAP_BIND_DN	Admin bind DN
LDAP_SECRET	Optional password for the admin bind DN
LDAP_SEARCH_ATTR	Attribute to validate username against

See the config.py for all variables that can be configured using environment variables.

Example configuration

Here is a example of an LDAP based authentication configuration using docker-compose. We use a demo LDAP server populated with Futurama characters.

Example configuration

version: '3.9'
# usage:
# (sudo) docker-compose up -d
# (sudo) docker-compose down
services:
   mongodb:
      image: mongo:4.4.22
      ports:
         - "8813:27017"
      expose:
         - "27017"
      volumes:
         - "./volumes/mongodb:/data/db"
      networks:
         - bonsai-net

   redis:
      image: redis:7.0.10
      networks:
         - bonsai-net

   openldap:
      image: ghcr.io/rroemhild/docker-test-openldap:master
      container_name: openldap
      ports:
         - "10389:10389"
         - "10636:10636"
      networks:
         - bonsai-net
      privileged: true

   api:
      container_name: bonsai_api
      build:
         context: api
         network: host
      depends_on:
         - mongodb
      ports:
         - "8811:8000"
      environment:
         - DB_HOST=mongodb
         - REDIS_HOST=redis
         - LDAP_HOST=openldap
         - LDAP_PORT=10389
         - LDAP_BIND_DN=cn=admin,dc=planetexpress,dc=com
         - LDAP_SECRET=GoodNewsEveryone
         - LDAP_BASE_DN=dc=planetexpress,dc=com
         - LDAP_USER_LOGIN_ATTR=mail
         - LDAP_USE_SSL=false
         - LDAP_USE_TLS=false
      networks:
         - bonsai-net
      command: "uvicorn app.main:app --reload --log-level debug --host 0.0.0.0"

   app:
      container_name: bonsai_app
      build:
         context: frontend
         network: host
      depends_on:
         - mongodb
         - api
      ports:
         - "8812:5000"
      environment:
         - FLASK_APP=app.app:create_app
         - FLASK_ENV=development
         - "BONSAI_API_URL=http://mtlucmds2.lund.skane.se:8811"
      networks:
         - bonsai-net
      command: "flask run --debug --host 0.0.0.0"

networks:
   bonsai-net:
      driver: bridge
      ipam:
         driver: default
         config:
         - subnet: 172.0.30.0/24