
third party authentication #499

@elad-eyal

I created a bunch of changes that allow frab user authentication to be from 3rd party - LDAP server (closes #17) and Google (closes #20) for now. Others (GitHub, Facebook, etc.) should be easy now.

I will submit them as different commits so it's easier to review the code. For starters I attach here the documentation for the final state - I think it should go to the wiki after merging.

✂️✂️✂️=== start documentation===✂️✂️✂️

Integration --> User authentication

By default, frab lets people register on the frab website by providing a username and a password. You can change that to support authentication via one or more third-party services as well. It's important to notice that a user (identified by an e-mail address) can only be associated with one kind of login, i.e., she can either log in via frab's username/password form or via Google integration, not both. It is therefore best to select an authentication strategy before deploying to production.

Authenticate with Google

You'll need to get from Google a Client ID and a Client Secret. The process is something like this:

  1. Go to 'https://console.developers.google.com'
  2. Select your project.
  3. Go to Credentials, then select the "OAuth consent screen" tab on top, and provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'

Then update the environment variables GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET.

Authenticate with LDAP server

LDAP integration is helpful when deploying frab in an enterprise, where you don't want new users to remember another password. To enable Sign in with an LDAP server, populate the following environment variables:

  1. NAME_FOR_LDAP= This name will appear in the frab login screen, following "Sign in". This overrides the language-dependent value defined in the locale. This is usually the enterprise name or the name of the organization managing the access.
  2. LDAP_PROMPT_TITLE= (optional) - This name will appear as the title in the LDAP credentials entry form. (i.e. Enter your NASA username and password:).
  3. LDAP_HOST=
  4. LDAP_PORT=
  5. LDAP_METHOD= One of: plain, ssl, tls.
  6. LDAP_BASE_DN=
  7. LDAP_UID= or LDAP_FILTER= - LDAP_UID indicates which LDAP field is used to search users.
  • Common values for enterprises are: LDAP_UID=sAMAccountName or LDAP_UID=UserPrincipalName
  • Commonly LDAP_UID=uid for OpenLDAP
  • You can also use LDAP_FILTER for more complex scenarios. Example: LDAP_FILTER='(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
  8. LDAP_BIND_DN= not needed if server allows anonymous access. This is the Distinguished Name of the user which will be used for binding and user lookup.
  9. LDAP_BIND_PASSWORD= not needed if server allows anonymous access.

See https://github.com/omniauth/omniauth-ldap documentation for more details.

Granting administration rights to users from third-party services

After logging on once, the user account is created in frab's database and then permissions and authorizations can be modified as usual, by an administrator via the web UI. If frab's username/password form is enabled, you can log in with the [email protected] account to gain admin rights; but this account is not available if the form is disabled. The initial admin users in this case should be provided via an environment variable. For example:

[email protected],[email protected]

You should keep this list to a minimum, and log in immediately after setting up the system in production so that the accounts are not misused.

Disabling frab's own username/password form

You can disable frab's own username/password form by specifying this environment variable:
DISABLE_FRAB_DIRECT_LOGIN=1

Note that once this is done, logging into frab is only possible through a third-party service, so you should have an admin user who can be authenticated via a third-party service.

✂️✂️✂️=== end documentation===✂️✂️✂️


For testing, the following environment variables enable LDAP testing with the server from http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

NAME_FOR_LDAP=free testing server at ldap.forumsys.com
LDAP_PROMPT_TITLE=Login as gauss or tesla. password is 'password'.
LDAP_HOST=ldap.forumsys.com
LDAP_PORT=389
LDAP_METHOD=plain
LDAP_BASE_DN=dc=example,dc=com
LDAP_UID=uid
LDAP_FILTER=
LDAP_BIND_DN=
LDAP_BIND_PASSWORD=
[email protected]
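As an added example that is not part of this issue or of frab's code: a Ruby helper that turns the LDAP environment variables listed above into omniauth-ldap provider options and rejects inconsistent combinations (unknown LDAP_METHOD, a filter without %{username}, a bind DN without a password) before the app boots. The option keys follow the omniauth-ldap README; the function names, the LDAP_PORT defaults and the sample bind DN used in checks are assumptions of this example.

```ruby
# Added example, not frab's own code: build omniauth-ldap provider options from the
# environment variables documented above and reject inconsistent settings at boot.
# Option keys (host, port, method, base, uid, filter, bind_dn, password, title) follow
# the omniauth-ldap README; function names and the LDAP_PORT default are assumptions.
LDAP_METHODS = %w[plain ssl tls].freeze
class LdapConfigError < StandardError; end

def ldap_options_from_env(env)
  host = env['LDAP_HOST'].to_s.strip
  base = env['LDAP_BASE_DN'].to_s.strip
  raise LdapConfigError, 'LDAP_HOST and LDAP_BASE_DN are required' if host.empty? || base.empty?
  method = env['LDAP_METHOD'].to_s.strip.downcase
  method = 'plain' if method.empty? # assumed default when unset
  raise LdapConfigError, "LDAP_METHOD must be one of #{LDAP_METHODS.join(', ')}" unless LDAP_METHODS.include?(method)
  port = env['LDAP_PORT'].to_s.strip
  port = (method == 'ssl' ? '636' : '389') if port.empty? # assumed defaults (LDAPS / LDAP)
  raise LdapConfigError, 'LDAP_PORT must be numeric' unless port.match?(/\A\d+\z/)
  uid    = env['LDAP_UID'].to_s.strip
  filter = env['LDAP_FILTER'].to_s.strip
  raise LdapConfigError, 'set LDAP_UID or LDAP_FILTER' if uid.empty? && filter.empty?
  # omniauth-ldap substitutes %{username} into the filter; without the placeholder
  # every login attempt would search for the same entry regardless of the name typed.
  raise LdapConfigError, 'LDAP_FILTER must contain %{username}' if !filter.empty? && !filter.include?('%{username}')
  bind_dn = env['LDAP_BIND_DN'].to_s.strip
  bind_pw = env['LDAP_BIND_PASSWORD'].to_s
  # A bind DN with an empty password is an "unauthenticated bind" (RFC 4513), which
  # many servers quietly treat as anonymous; require both values or neither.
  raise LdapConfigError, 'LDAP_BIND_DN and LDAP_BIND_PASSWORD go together' if bind_dn.empty? != bind_pw.empty?
  opts = { host: host, port: port.to_i, method: method.to_sym, base: base }
  opts[:title]    = env['LDAP_PROMPT_TITLE'] unless env['LDAP_PROMPT_TITLE'].to_s.empty?
  opts[:uid]      = uid unless uid.empty?
  opts[:filter]   = filter unless filter.empty?
  opts[:bind_dn]  = bind_dn unless bind_dn.empty?
  opts[:password] = bind_pw unless bind_dn.empty?
  opts
end

# Non-fatal findings an operator should review before going to production.
def ldap_config_warnings(opts)
  warnings = []
  warnings << 'LDAP_METHOD=plain: user and bind passwords cross the network in cleartext' if opts[:method] == :plain
  warnings << 'no LDAP_BIND_DN: user lookup depends on the directory allowing anonymous search' unless opts[:bind_dn]
  warnings
end

# Constructed sample: the forumsys test-server settings quoted in this issue.
FORUMSYS_TEST_ENV = {
  'LDAP_HOST' => 'ldap.forumsys.com', 'LDAP_PORT' => '389', 'LDAP_METHOD' => 'plain',
  'LDAP_BASE_DN' => 'dc=example,dc=com', 'LDAP_UID' => 'uid',
  'LDAP_FILTER' => '', 'LDAP_BIND_DN' => '', 'LDAP_BIND_PASSWORD' => ''
}.freeze
```

Calling `ldap_options_from_env(FORUMSYS_TEST_ENV)` accepts the test-server settings but `ldap_config_warnings` flags both the plaintext transport and the anonymous lookup, which is the expected outcome for a public test server and not for a production directory.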
