From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: Experimental LDAP integration for Galene
Date: Wed, 3 Aug 2022 13:48:13 +0200 [thread overview]
Message-ID: <60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com> (raw)
In-Reply-To: <875yj9boxg.wl-jch@irif.fr>
On 8/3/22 12:29, Juliusz Chroboczek wrote:
>> In general when implementing an LDAP auth client it's very helpful to make
>> the LDAP filter for searching the user entry configurable with kind of
>> template string.
>
> I agree. (Side note, I wish the LDAP community had come up with
> a standard schema for YP-like functionality, but that ship has sailed.)
YP-like schema *is* defined in RFC 2307 (and I-D for RFC 2307bis) and is
implemented by the usual NSS LDAP clients like sssd, nss-pam-ldapd or
similar.
But this schema is not widely used in user management environments which
are not dedicated to Linux login integration.
>> Especially the hard-coded filter
>>
>> (&(objectClass=posixAccount)(uid=%s))
>>
>> won't work in most LDAP deployments which do not use this object class for
>> accounts, with MS AD being the most prominent example.
>>
>> Especially you could define for simple access control:
>>
>> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))
>
> I agree, both the base and the filter should be configurable per group.
> In addition, we need some convention to encode Galene permissions
> (present, record, op etc.) within LDAP.
Note that LDAP admins are most times rather reluctant to extend the
schema to something application-specific. E.g. in bigger enterprises
it's nearly impossible to extend the MS AD schema.
=> Implement a group-role mapping or group-permissions assignment within
galene-ldap.
> I am in touch with at least two groups of users interested in LDAP
> integration (yunohost.org and crans.org).
I'm pretty sure the above potential LDAP-integration users would also be
more than satisfied with a solution where they host an OpenID Connect
Provider (OP) in front of their LDAP server.
> If you know any users of Galene that are interested in deploying
> OpenID, please get me in touch with them.
I won't mention my customers in public. But I can confirm that *direct*
LDAP authc is nowadays considered rather legacy and everybody is heading
in the WebSSO-direction based on OpenID Connect (using the enterprise
LDAP servers as backend). And application-specific claims (like Galene
permissions) can be usually configured within client-specific config in
WebSSO servers by defining custom mappings.
Ciao, Michael.
next prev parent reply other threads:[~2022-08-03 11:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-03 9:51 [Galene] " Juliusz Chroboczek
2022-08-03 10:17 ` [Galene] " Michael Ströder
2022-08-03 10:29 ` Juliusz Chroboczek
2022-08-03 11:48 ` Michael Ströder [this message]
2022-08-03 12:25 ` Juliusz Chroboczek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com \
--to=michael@stroeder.com \
--cc=galene@lists.galene.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox