-
Hi there! I have a bare metal installation on a mini PC running Ubuntu Server, followed the docs to install and everything worked perfectly, and I've been using InvenTree for a couple of months now on this setup. Currently I'm trying to update to the latest InvenTree version and configure LDAP auth.
Reading the docs, the first recommendation is to back up everything, and the issue I'm having with this is the fact that when installing, an inventree user was created, so I can't copy folders to directories that are not the inventree home directory. I would like to know if this is actually how it's supposed to work, inventree directories only accessible for the inventree user? And if so, then how do you guys back up your data for a bare metal installation? And do you back up eveeeerything in the inventree home directory?
And the second question, on the topic of updating: when pulling the new version straight to the src folder, is it OK to just delete the old src folder and pull the new version into a new src folder, or is there a more elegant way to do it? I know the outline for updating is laid out in the docs, but I don't wanna mess up my installation since I can't back up yet. Previously I followed the instructions to upgrade on a Docker installation, but I'm not sure how this parallels to bare metal exactly.
And the final question, about LDAP authentication: I have a working LDAP server that I use for other services like Nextcloud and GitLab, and wanted to add this feature to InvenTree as well. Like the image shows, in the docs the variables for configuring LDAP authentication are in the form of "AUTH_LDAP_GROUP_SEARCH = " or "parameter = something". This looks like the parameters used in the .env file for the Docker setup, but bare metal configurations are through a config.yaml file where parameters are shown in a different way. For example, in .env style the email configs are INVENTREE_EMAIL_BACKEND, INVENTREE_EMAIL_HOST, INVENTREE_EMAIL_PORT etc., but in bare metal config.yaml style these parameters are like the picture below, so what are the parameters to set up LDAP in the config.yaml file?
And that's it. I know it's a lot, but I've been digging around trying to find more straightforward info on this, checking out the discussions and issues, but I'm not feeling super clear about these two topics, so I thought I could ask the pros for advice! 😄 ✨
Thank you in advance for your help! 😄 InvenTree has been an incredible tool for my team and so far we love it 💖, thanks for putting this software out there and maintaining it!! ✨
Replies: 6 comments 5 replies
-
Hi there @t0roide.
Regarding the backup: You can use a cron job to run the export command and zip up the media folder as a sudo(er) user.
Regarding executing user: Running as a non-privileged user is generally very much recommended for any piece of software. In the context of InvenTree this becomes especially important when you start using plugins. As they hook into the Python interpreter directly, malicious plugins might access everything the executing user has access to. That can be very bad.
Using LDAP for auth: This is an advanced topic requiring knowledge of Django's middleware structure. As the most common LDAP libraries for Django require OS-level dependencies, it is not included in the project.
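The cron-driven backup suggested in the answer above, sketched as an added example that is not part of the original reply or of InvenTree's own tooling. The function name, the directory layout and the way the export command is passed in are assumptions: the export command is whatever your InvenTree version documents, given here as trailing arguments and assumed to take its output file as the final argument.

```shell
#!/bin/sh
# Added example, not InvenTree project code. All paths are supplied by the
# caller; nothing here is an InvenTree default.

# backup_inventree MEDIA_DIR DEST_DIR [EXPORT_CMD ...]
# Writes DEST_DIR/inventree-<timestamp>/ and prints that path on stdout.
backup_inventree() {
    media_dir=$1; dest_dir=$2; shift 2
    [ -d "$media_dir" ] || { echo "media dir not found: $media_dir" >&2; return 1; }

    (
        # The export holds the whole database and the media folder holds
        # uploads, so keep every backup file private to the backup user.
        umask 077
        mkdir -p "$dest_dir" || exit 1
        work=$(mktemp -d "$dest_dir/.tmp.XXXXXX") || exit 1
        trap 'rm -rf "$work"' EXIT   # no half-written backup is left behind

        # Database export (assumption: output file is the last argument).
        if [ "$#" -gt 0 ]; then
            "$@" "$work/data.json" >&2 || { echo "export failed" >&2; exit 1; }
        fi

        # Archive media with relative paths, then list it back as a sanity check.
        tar -czf "$work/media.tar.gz" -C "$media_dir" . || exit 1
        tar -tzf "$work/media.tar.gz" >/dev/null || exit 1

        out="$dest_dir/inventree-$(date +%Y%m%d-%H%M%S)"
        [ ! -e "$out" ] || { echo "backup already exists: $out" >&2; exit 1; }
        mv "$work" "$out" || exit 1
        trap - EXIT
        echo "$out"
    )
}
```

Run it from the crontab of an account that can read the media folder, and keep the destination outside the directories the inventree service user can write to, so a malicious plugin running as that user cannot tamper with existing backups.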
-
Hi there @t0roide
-
t0roide, if you're still seeing this, I'm curious if you ever got through the LDAP integration shown here: https://django-auth-ldap.readthedocs.io/en/latest/ Otherwise, @matmair, can you confirm that those docs still work with the current version of InvenTree? Since I can't find much in discussions / issues, I'm just trying to get some confirmation before going down the rabbit hole. LDAP is a requirement for our company.
-
In our case, we are using a Linux Samba Active Directory environment. It is the company domain and the server is hosted on-premises. We create business servers for clients and this is our main installation type. Nothing is SharePoint; in fact, our typical client is trying to break free of the SaaS model. So LDAP is mission-critical for us. We'd really like to embrace InvenTree for client servers. So there is a very clear benefit. What do you think?
-
I'm glad to hear we can still use it. I hope someday you will consider building in default support. In cases where the LDAP server and the application both live on the same server, there should be no unique security issues. That is how we are using it. We have various LDAP-supported software, including (but not only) Nextcloud, MediaWiki, Leantime (project management), ResourceSpace (digital asset mgmnt) and of course Samba Active Directory. By the way, Samba 4 has divorced itself from OpenLDAP and now provides its own built-in LDAP, which allows it to control its own destiny and ensure it is more tightly aligned with any Active Directory changes. All of these products mentioned above have ongoing "built in" support for LDAP. As far as I know, LDAP is still the only "rights management" approach that is generally supported by self-hosted web applications. Many web apps of course have no external rights management possible. That is a problem for businesses once they have enough employees. Hire / Fire means removing them from every application they use, whereas with LDAP we need only disable them there and all applications will allow / reject them. So I will begin the task. Thank you.
-
@matmair these technologies may indeed be more suitable. It's a study of its own. Even if it proves true, the reality for myself and other Active Directory servers out there is that LDAP is the only self-hosted connective tissue that the majority of web apps have agreed upon as the solution. I'll dig in on the Django solution. Is native LDAP in InvenTree the kind of project that, if a business were to provide some financial support to push it along, would be something of interest?
Hi there @t0roide.
General comment: These are very different issues. I would appreciate separate discussions/issues in the future, as it is difficult to track what has been resolved in this way.
Regarding the backup: You can use a cron job to run the export command and zip up the media folder as a sudo(er) user.
Regarding executing user: Running as a non-privileged user is generally very much recommended for any piece of software. In the context of InvenTree this becomes especially important when you start using plugins. As they hook into the Python interpreter directly, malicious plugins might access everything the executing user has access to. That can be very bad.
Using LDAP for auth: T…