[GH-ISSUE #296] add LDAP auth support #231

New issue

Closed

opened 2026-05-07 00:21:50 +02:00 by BreizhHardware · 5 comments

BreizhHardware commented 2026-05-07 00:21:50 +02:00

Owner

Copy link

Originally created by @prabirshrestha on GitHub (Jun 1, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/296

I would like to use LDAP auth for all my apps that I host as I can centrally manage users/passwords and groups for my family. Changing password in one place can change password everywhere. This also allows me to enforce certain password policy centrally.

I have found authelia's configuration to be the best that allows granular configuration. https://www.authelia.com/docs/configuration/authentication/ldap.html

This should be tackled in multiple steps.

• Syncing user/passwordhash from ldap. I have seen most apps have an option to auto create account when using LDAP and also only sync when first signed in. This could allows using both local and ldap accounts as sometimes wrong ldap configuration can lock you out forever though this may not be an issue here since configuration is done by a file. Once the user is synced to sqlite, you could probably cache the auth info and only verify it every X mins or sync in background.
• User and admin roles should be a separate filter in LDAP. You can take an example from gitea. https://docs.gitea.io/en-us/authentication/#ldap-lightweight-directory-access-protocol
• Topic acl is interesting. For start it could be local only but later could be moved to using ldap groups.

Originally created by @prabirshrestha on GitHub (Jun 1, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/296 I would like to use LDAP auth for all my apps that I host as I can centrally manage users/passwords and groups for my family. Changing password in one place can change password everywhere. This also allows me to enforce certain password policy centrally. I have found authelia's configuration to be the best that allows granular configuration. https://www.authelia.com/docs/configuration/authentication/ldap.html This should be tackled in multiple steps. * Syncing user/passwordhash from ldap. I have seen most apps have an option to auto create account when using LDAP and also only sync when first signed in. This could allows using both local and ldap accounts as sometimes wrong ldap configuration can lock you out forever though this may not be an issue here since configuration is done by a file. Once the user is synced to sqlite, you could probably cache the auth info and only verify it every X mins or sync in background. * User and admin roles should be a separate filter in LDAP. You can take an example from gitea. https://docs.gitea.io/en-us/authentication/#ldap-lightweight-directory-access-protocol * Topic acl is interesting. For start it could be local only but later could be moved to using ldap groups.

BreizhHardware 2026-05-07 00:21:50 +02:00

• closed this issue
• added the
  prio:low
  enhancement
  server
  labels

BreizhHardware commented 2026-05-07 00:21:51 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Jun 1, 2022):

I like the idea of integrating with LDAP or other auth systems, but when we discussed in #19 (please read!), there was no clear winner of technologies. Everybody uses different things and wants different things. If I wanted to please everyone I'd do nothing but integrate auth systems.

For this precise reason, I hate dealing with auth. You put a ton of work into it and in the end, you make 1/5 people happy, and the others just say "why didn't you do X instead".

So I won't be doing this in the near future, but I'm happy to accept pull requests (provided the design has been discussed with me first). 👍

<!-- gh-comment-id:1143609246 --> @binwiederhier commented on GitHub (Jun 1, 2022): I like the idea of integrating with LDAP or other auth systems, but when we discussed in #19 (please read!), there was no clear winner of technologies. Everybody uses different things and wants different things. If I wanted to please everyone I'd do nothing but integrate auth systems. For this precise reason, I hate dealing with auth. You put a ton of work into it and in the end, you make 1/5 people happy, and the others just say "why didn't you do X instead". So I won't be doing this in the near future, but I'm happy to accept pull requests (provided the design has been discussed with me first). :+1:

BreizhHardware commented 2026-05-07 00:21:51 +02:00

Author

Owner

Copy link

@prabirshrestha commented on GitHub (Jun 2, 2022):

Thanks for sharing the link. I don't think it is good to have n number of auth providers although some standard ones could be ok.

You could use OIDC for auth on most of the servers. Here are links to some of the popular website configurations. (You will need to view source or use curl for some of these as browsers may show blank screen while rendering json).

• https://www.facebook.com/.well-known/openid-configuration
• https://accounts.google.com/.well-known/openid-configuration
• https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Here are some reasons why I chose LDAP:

• The reason I didn't propose OIDC is it may not work for ACLs as there is no standard concept for groups as in LDAP.
• LDAP also works out of box in poplar NAS such as True Nas and Synology or you can easily self-host some of the open source LDAP servers.
• You can support LDAP with minimal changes.

There are two distinct pieces that should be tackled separately - Authentication and ACLS.
Authentication

(not familiar with go so adding psuedo code to exiting code).

func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) {
	if username == Everyone {
		return nil, ErrUnauthenticated
	}
	user, err := a.User(username)

        if ldapEnabled {
          if user == nil {
              if allowLdapNewUserSync {
                  user, err := a.AddLdapUser(username, password)
              }
          } else user.account_type == 'ldap' && user.synced_time > ago(1h) {
              user, err := a.SyncLdapUser(username, password)
          }
        }

	if err != nil {
		bcrypt.CompareHashAndPassword([]byte(intentionalSlowDownHash),
			[]byte("intentional slow-down to avoid timing attacks"))
		return nil, ErrUnauthenticated
	}
	if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil {
		return nil, ErrUnauthenticated
	}
	return user, nil
}

func (a *SQLiteAuth) AddLdapUser(username, password) {
    var valid, err := AuthenticateViaLdap(username, password)
    if valid {
       a.AddUser(username, password)
       a.SyncLdapGroups(username)
    }
}

func (a *SQLiteAuth) SyncLdapUser(username, password) {
    var valid, err := AuthenticateViaLdap(username, password)
    if valid {
        // update user.synced_time 
       a.SyncLdapGroups(username)
    } else {
       // remove user and return nil
    }
}

I wouldn't worry about groups now as this could be manually added by the cli. But having at least authenticate go via ldap would be great.

While this allows on-demand sync and could work for large number of ldap user, it does sprinkle the code.

The other option would be to have a background job that syncs with an ldap server every X mins and update the sqlite table. But need to verify if servers return password hash.

<!-- gh-comment-id:1144365363 --> @prabirshrestha commented on GitHub (Jun 2, 2022): Thanks for sharing the link. I don't think it is good to have n number of auth providers although some standard ones could be ok. You could use [OIDC](https://openid.net/connect/) for auth on most of the servers. Here are links to some of the popular website configurations. (You will need to view source or use curl for some of these as browsers may show blank screen while rendering json). * https://www.facebook.com/.well-known/openid-configuration * https://accounts.google.com/.well-known/openid-configuration * https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration Here are some reasons why I chose LDAP: * The reason I didn't propose OIDC is it may not work for ACLs as there is no standard concept for groups as in LDAP. * LDAP also works out of box in poplar NAS such as [True Nas](https://www.truenas.com/docs/core/coretutorials/directoryservices/ldap/) and [Synology](https://kb.synology.com/en-br/DSM/help/DirectoryServer/ldap_server?version=7) or you can easily self-host some of the open source LDAP servers. * You can support LDAP with minimal changes. There are two distinct pieces that should be tackled separately - Authentication and ACLS. **Authentication** (not familiar with go so adding psuedo code to exiting code). ```go func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) { if username == Everyone { return nil, ErrUnauthenticated } user, err := a.User(username) if ldapEnabled { if user == nil { if allowLdapNewUserSync { user, err := a.AddLdapUser(username, password) } } else user.account_type == 'ldap' && user.synced_time > ago(1h) { user, err := a.SyncLdapUser(username, password) } } if err != nil { bcrypt.CompareHashAndPassword([]byte(intentionalSlowDownHash), []byte("intentional slow-down to avoid timing attacks")) return nil, ErrUnauthenticated } if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil { return nil, ErrUnauthenticated } return user, nil } func (a *SQLiteAuth) AddLdapUser(username, password) { var valid, err := AuthenticateViaLdap(username, password) if valid { a.AddUser(username, password) a.SyncLdapGroups(username) } } func (a *SQLiteAuth) SyncLdapUser(username, password) { var valid, err := AuthenticateViaLdap(username, password) if valid { // update user.synced_time a.SyncLdapGroups(username) } else { // remove user and return nil } } ``` I wouldn't worry about groups now as this could be manually added by the cli. But having at least `authenticate` go via ldap would be great. While this allows on-demand sync and could work for large number of ldap user, it does sprinkle the code. The other option would be to have a background job that syncs with an ldap server every X mins and update the sqlite table. But need to verify if servers return password hash.

BreizhHardware commented 2026-05-07 00:21:51 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Jun 3, 2022):

I don't think I want to add LDAP support right now, but that doesn't mean it'll forever stay this way. I've got my hands full with the iOS app and the 50 other tickets, but I'll leave this open for a while.

You are of course free to fork and add LDAP support to your fork. If it's good code, I'll definitely consider merging it.

<!-- gh-comment-id:1145935640 --> @binwiederhier commented on GitHub (Jun 3, 2022): I don't think I want to add LDAP support right now, but that doesn't mean it'll forever stay this way. I've got my hands full with the iOS app and the 50 other tickets, but I'll leave this open for a while. You are of course free to fork and add LDAP support to your fork. If it's good code, I'll definitely consider merging it.

BreizhHardware commented 2026-05-07 00:21:52 +02:00

Author

Owner

Copy link

@NekoLuka commented on GitHub (Aug 19, 2024):

I was reading through #812 and came across a message of @wunter8

if a person is logged into Authelia and doesn't have a corresponding ntfy account with the same username, the ntfy web app will fail immediately. it will return a 401 unauthorized for every request (including static assets). is this expected?

I think that LDAP would be a great addition here to possibly create the user inside NTFY when it doesn't exist, preventing errors like this.
Furthermore, implementing it in a way that it logs users in by checking their credentials against the LDAP server would also not break any currently existing authentication ways for NTFY (basic auth and tokens).

What is the opinion about this approach?

<!-- gh-comment-id:2297226930 --> @NekoLuka commented on GitHub (Aug 19, 2024): I was reading through #812 and came across a message of @wunter8 > if a person is logged into Authelia and doesn't have a corresponding ntfy account with the same username, the ntfy web app will fail immediately. it will return a 401 unauthorized for every request (including static assets). is this expected? I think that LDAP would be a great addition here to possibly create the user inside NTFY when it doesn't exist, preventing errors like this. Furthermore, implementing it in a way that it logs users in by checking their credentials against the LDAP server would also not break any currently existing authentication ways for NTFY (basic auth and tokens). What is the opinion about this approach?

BreizhHardware commented 2026-05-07 00:21:52 +02:00

Author

Owner

Copy link

@vic1707 commented on GitHub (Sep 11, 2025):

+1

<!-- gh-comment-id:3281109091 --> @vic1707 commented on GitHub (Sep 11, 2025): +1

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#231

No description provided.