From: "Michael Ströder" <michael@stroeder.com> To: galene@lists.galene.org Subject: [Galene] Re: Experimental LDAP integration for Galene Date: Wed, 3 Aug 2022 13:48:13 +0200 [thread overview] Message-ID: <60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com> (raw) In-Reply-To: <875yj9boxg.wl-jch@irif.fr> On 8/3/22 12:29, Juliusz Chroboczek wrote: >> In general when implementing an LDAP auth client it's very helpful to make >> the LDAP filter for searching the user entry configurable with kind of >> template string. > > I agree. (Side note, I wish the LDAP community had come up with > a standard schema for YP-like functionality, but that ship has sailed.) YP-like schema *is* defined in RFC 2307 (and I-D for RFC 2307bis) and is implemented by the usual NSS LDAP clients like sssd, nss-pam-ldapd or similar. But this schema is not widely used in user management environments which are not dedicated to Linux login integration. >> Especially the hard-coded filter >> >> (&(objectClass=posixAccount)(uid=%s)) >> >> won't work in most LDAP deployments which do not use this object class for >> accounts, with MS AD being the most prominent example. >> >> Especially you could define for simple access control: >> >> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org)) > > I agree, both the base and the filter should be configurable per group. > In addition, we need some convention to encode Galene permissions > (present, record, op etc.) within LDAP. Note that LDAP admins are most times rather reluctant to extend the schema to something application-specific. E.g. in bigger enterprises it's nearly impossible to extend the MS AD schema. => Implement a group-role mapping or group-permissions assignment within galene-ldap. > I am in touch with at least two groups of users interested in LDAP > integration (yunohost.org and crans.org). I'm pretty sure the above potential LDAP-integration users would also be more than satisfied with a solution where they host an OpenID Connect Provider (OP) in front of their LDAP server. > If you know any users of Galene that are interested in deploying > OpenID, please get me in touch with them. I won't mention my customers in public. But I can confirm that *direct* LDAP authc is nowadays considered rather legacy and everybody is heading in the WebSSO-direction based on OpenID Connect (using the enterprise LDAP servers as backend). And application-specific claims (like Galene permissions) can be usually configured within client-specific config in WebSSO servers by defining custom mappings. Ciao, Michael.
next prev parent reply other threads:[~2022-08-03 11:48 UTC|newest] Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-08-03 9:51 [Galene] " Juliusz Chroboczek 2022-08-03 10:17 ` [Galene] " Michael Ströder 2022-08-03 10:29 ` Juliusz Chroboczek 2022-08-03 11:48 ` Michael Ströder [this message] 2022-08-03 12:25 ` Juliusz Chroboczek
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/ * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com \ --to=michael@stroeder.com \ --cc=galene@lists.galene.org \ --subject='[Galene] Re: Experimental LDAP integration for Galene' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox