mirror of https://github.com/maziggy/bambuddy.git synced 2026-05-09 08:25:54 +02:00

[GH-ISSUE #794] [Feature]: LDAP auth #528

Closed
opened 2026-05-07 00:11:18 +02:00 by BreizhHardware · 8 comments

Originally created by @dlawler489 on GitHub (Mar 24, 2026).
Original GitHub issue: https://github.com/maziggy/bambuddy/issues/794

Originally assigned to: @maziggy on GitHub.

Problem or Use Case

Would love a way to allow for LDAP auth for users to auth to Bambuddy, rather than local accounts

Proposed Solution

LDAP auth, coming from Active Directory - SAML with EntraID would be even better, but that could be harder.
User groups based on AD/ Entra Groups (so, something like, Bambuddy_Operator, Bambuddy_Admin, Bambuddy_Viewer).

Alternatives Considered

Not really any workarounds for it.

Feature Category

Other

Priority

Nice to have

Mockups or Examples

No response

Contribution

  • [ ] I would be willing to help implement this feature

Checklist

  • [x] I have searched existing issues to ensure this feature hasn't already been requested
BreizhHardware 2026-05-07 00:11:19 +02:00

@maziggy commented on GitHub (Mar 24, 2026):

Before we commit to building this, I'd like to gauge community interest. If you'd find this feature useful, please give this issue a thumbs up (👍) reaction so we can prioritize accordingly.


@maziggy commented on GitHub (Apr 5, 2026):

Quick note on scope: We'll be implementing pure LDAP bind authentication. SAML, OIDC, and Entra ID/Azure AD integrations are out of scope — we want to keep this clean and dependency-light.

Before we start building, we'd love community input on a few design questions:

  1. Coexistence with local accounts
     • Should LDAP users exist alongside local accounts? (e.g., local admin as fallback when LDAP server is unreachable)
     • Or should enabling LDAP replace local auth entirely?
  2. Group-to-role mapping
     • Should we map LDAP groups to Bambuddy's existing roles (Admin, Operator, Viewer)?
     • If so, should this be configurable? (e.g., "LDAP group PrintFarm_Admins → Bambuddy Admin")
     • Or should all LDAP users get the same default role, with admins promoting manually?
  3. User provisioning
     • Auto-create Bambuddy user on first successful LDAP login (just-in-time provisioning)?
     • Or require an admin to pre-register allowed LDAP usernames?
  4. Configuration
     • LDAP server URL, bind DN, search base, group filter — anything else you'd need for your setup?
     • Does anyone need LDAPS (LDAP over TLS) or StartTLS?

Please share your thoughts and upvote the options that work best for your environment!


@dlawler489 commented on GitHub (Apr 5, 2026):

Hi Maziggy,

  1. I would think, LDAP should exist with local accounts - at least just the admin account, so if the server isn't available the admin can fix it easier.
  2. Yes, role mapping would be great. And yes, configurable options for the name of the AD based groups please. Different places have different requirements for naming of things in AD. If the roles are too hard, admins can change the user afterwards, that's ok too, but having it automated based on the AD group would be great.
  3. User provisioning, perhaps leave that up to the admin to decide. I would rather add people who need access, than have it be a free for all.
  4. Those LDAP options should be fine, maybe support LDAPS if you have time? Probably should moving forward.

Thanks for all the amazing work you've done with this project!

@maziggy commented on GitHub (Apr 8, 2026):

Available/Fixed in branch dev and available with the next release or daily build. Please let me know if it works for you.

Docs -> https://wiki.bambuddy.cool/features/authentication/?h=ldap#setting-up-ldap


@DylanBrass commented on GitHub (Apr 11, 2026):

> Available/Fixed in branch dev and available with the next release or daily build. Please let me know if it works for you.
>
> Docs -> https://wiki.bambuddy.cool/features/authentication/?h=ldap#setting-up-ldap

Hello!

I am getting this error on the daily release:

[bambuddy] 2026-04-11T05:29:55.225572463Z 2026-04-11 01:29:55,225 INFO [backend.app.services.ldap_service] LDAP authentication successful for user: <USER> (DN: cn=<USER>,ou=users,dc=ldap,dc=goauthentik,dc=io, groups: 14)
[bambuddy] 2026-04-11T05:29:55.239484820Z INFO:     192.168.5.149:52516 - "POST /api/v1/printers/camera/stream-token HTTP/1.1" 401 Unauthorized
[bambuddy] 2026-04-11T05:29:55.246772906Z 2026-04-11 01:29:55,246 WARNING [backend.app.api.routes.auth] LDAP authentication error, falling back to local: (sqlite3.IntegrityError) NOT NULL constraint failed: users.password_hash
[bambuddy] 2026-04-11T05:29:55.246825316Z [SQL: INSERT INTO users (username, email, password_hash, role, auth_source, is_active, cloud_token, cloud_email) VALUES (?, ?, ?, ?, ?, ?, ?, ?) RETURNING id, created_at, updated_at]
[bambuddy] 2026-04-11T05:29:55.246847306Z [parameters: ('<USER>', '<EMAIL>', None, 'user', 'ldap', 1, None, None)]
[bambuddy] 2026-04-11T05:29:55.246863446Z (Background on this error at: https://sqlalche.me/e/20/gkpj)
[bambuddy] 2026-04-11T05:29:55.249384743Z INFO:     192.168.5.149:52502 - "POST /api/v1/auth/login HTTP/1.1" 500 Internal Server Error
[bambuddy] 2026-04-11T05:29:55.277639538Z ERROR:    Exception in ASGI application
[bambuddy] 2026-04-11T05:29:55.277734528Z   + Exception Group Traceback (most recent call last):
[bambuddy] 2026-04-11T05:29:55.277755791Z   |   File "/usr/local/lib/python3.13/site-packages/starlette/_utils.py", line 81, in collapse_excgroups
[bambuddy] 2026-04-11T05:29:55.277772751Z   |     yield
[bambuddy] 2026-04-11T05:29:55.277789068Z   |   File "/usr/local/lib/python3.13/site-packages/starlette/middleware/base.py", line 192, in __call__
[bambuddy] 2026-04-11T05:29:55.277808815Z   |     async with anyio.create_task_group() as task_group:
[bambuddy] 2026-04-11T05:29:55.277827008Z   |                ~~~~~~~~~~~~~~~~~~~~~~~^^
[bambuddy] 2026-04-11T05:29:55.277841828Z   |   File "/usr/local/lib/python3.13/site-packages/anyio/_backends/_asyncio.py", line 799, in __aexit__
[bambuddy] 2026-04-11T05:29:55.277856745Z   |     raise BaseExceptionGroup(
[bambuddy] 2026-04-11T05:29:55.277874262Z   |         "unhandled errors in a TaskGroup", self._exceptions
[bambuddy] 2026-04-11T05:29:55.277891218Z   |     ) from None
[bambuddy] 2026-04-11T05:29:55.277930322Z   | ExceptionGroup: unhandled errors in a TaskGroup (1 sub-exception)
[bambuddy] 2026-04-11T05:29:55.277952902Z   +-+---------------- 1 ----------------
[bambuddy] 2026-04-11T05:29:55.277967392Z     | Traceback (most recent call last):
[bambuddy] 2026-04-11T05:29:55.277983458Z     |   File "/usr/local/lib/python3.13/site-packages/uvicorn/protocols/http/httptools_impl.py", line 420, in run_asgi
[bambuddy] 2026-04-11T05:29:55.278001628Z     |     result = await app(
[bambuddy] 2026-04-11T05:29:55.278016282Z     |         self.scope, self.receive, self.send
[bambuddy] 2026-04-11T05:29:55.278033588Z     |     )
[bambuddy] 2026-04-11T05:29:55.278085962Z     |   File "/usr/local/lib/python3.13/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
[bambuddy] 2026-04-11T05:29:55.278103285Z     |     return await self.app(scope, receive, send)
[bambuddy] 2026-04-11T05:29:55.278150642Z     |   File "/usr/local/lib/python3.13/site-packages/fastapi/applications.py", line 1163, in __call__
[bambuddy] 2026-04-11T05:29:55.278167375Z     |     await super().__call__(scope, receive, send)
[bambuddy] 2026-04-11T05:29:55.278200202Z     |   File "/usr/local/lib/python3.13/site-packages/starlette/applications.py", line 90, in __call__
[bambuddy] 2026-04-11T05:29:55.278216579Z     |     await self.middleware_stack(scope, receive, send)
[bambuddy] 2026-04-11T05:29:55.278237065Z     |   File "/usr/local/lib/python3.13/site-packages/starlette/middleware/errors.py", line 186, in __call__
[bambuddy] 2026-04-11T05:29:55.278253505Z     |     raise exc
...
[bambuddy] 2026-04-11T05:29:55.282845141Z [SQL: INSERT INTO users (username, email, password_hash, role, auth_source, is_active, cloud_token, cloud_email) VALUES (?, ?, ?, ?, ?, ?, ?, ?) RETURNING id, created_at, updated_at]
[bambuddy] 2026-04-11T05:29:55.282866371Z [parameters: ('<USER>', '<EMAIL>', None, 'user', 'ldap', 1, None, None)]
[bambuddy] 2026-04-11T05:29:55.282938561Z (Background on this error at: https://sqlalche.me/e/20/gkpj) (Background on this error at: https://sqlalche.me/e/20/7s2a)
[bambuddy] 2026-04-11T05:29:58.794645849Z INFO:     127.0.0.1:33778 - "GET /health HTTP/1.1" 200 OK

It seems to try to insert my user without a password and crash.
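
The thread's design points (configurable group-to-role mapping, provisioning on LDAP login) and the `NOT NULL constraint failed: users.password_hash` error above all concern the row created for a directory user. The sketch below is an added example, not Bambuddy's code or its actual fix; the reduced schema, the lowercase role strings, the `PrintFarm_Operators` group and every function name are assumptions, and the LDAP bind itself is taken as already done.

```python
import hashlib, hmac, os, sqlite3

# Constructed reduction of the users table from the INSERT in the log above.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    password_hash TEXT,  -- NULL only for directory-backed users
    role TEXT NOT NULL,
    auth_source TEXT NOT NULL CHECK (auth_source IN ('local', 'ldap')),
    CHECK ((auth_source = 'local') = (password_hash IS NOT NULL))
);
"""
# Hypothetical admin-configured mapping; the highest-privilege match wins.
GROUP_ROLE_MAP = {"PrintFarm_Admins": "admin", "PrintFarm_Operators": "operator"}
ROLE_ORDER = ["viewer", "operator", "admin"]

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

def role_for_groups(groups, default="viewer"):
    roles = [GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP]
    return max(roles, key=ROLE_ORDER.index, default=default)

# Run only after a successful LDAP bind: create the row or refresh its role.
def provision_ldap_user(db, username, groups):
    db.execute(
        "INSERT INTO users (username, password_hash, role, auth_source) "
        "VALUES (?, NULL, ?, 'ldap') "
        "ON CONFLICT(username) DO UPDATE SET role = excluded.role "
        "WHERE users.auth_source = 'ldap'",
        (username, role_for_groups(groups)))
    row = db.execute("SELECT role, auth_source FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row[1] != "ldap":  # a directory name must not take over a local account
        raise PermissionError(f"{username!r} is a local account")
    return row

# Local fallback path: only rows that are local and hold a hash can pass.
def local_login(db, username, password):
    row = db.execute("SELECT password_hash, auth_source FROM users "
                     "WHERE username = ?", (username,)).fetchone()
    if row is None or row[1] != "local" or not row[0]:
        return False
    return verify_password(password, row[0])

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users (username, password_hash, role, auth_source) "
               "VALUES ('admin', ?, 'admin', 'local')", (hash_password("s3cret"),))
    return db, provision_ldap_user(db, "alice", ["PrintFarm_Operators", "Staff"])
```

The table-level `CHECK` ties a missing hash to `auth_source = 'ldap'`, so relaxing `NOT NULL` for directory users cannot leave a local account without a password.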


@maziggy commented on GitHub (Apr 11, 2026):

Available/Fixed in branch dev and available with the next release or daily build. Please let me know if it works for you now.


If you find Bambuddy useful, please consider giving it a ⭐ on GitHub — it helps others discover the project!


@maziggy commented on GitHub (Apr 15, 2026):

Guys, how is it going?


@dlawler489 commented on GitHub (Apr 27, 2026):

Hi, sorry, been a busy couple of weeks, only just got to update Bambuddy and test it. Working as expected! Thanks heaps!
