Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: Experimental LDAP integration for Galene
Date: Wed, 3 Aug 2022 13:48:13 +0200	[thread overview]
Message-ID: <60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com> (raw)
In-Reply-To: <875yj9boxg.wl-jch@irif.fr>

On 8/3/22 12:29, Juliusz Chroboczek wrote:
>> In general when implementing an LDAP auth client it's very helpful to make
>> the LDAP filter for searching the user entry configurable with kind of
>> template string.
> 
> I agree.  (Side note, I wish the LDAP community had come up with
> a standard schema for YP-like functionality, but that ship has sailed.)

YP-like schema *is* defined in RFC 2307 (and I-D for RFC 2307bis) and is 
implemented by the usual NSS LDAP clients like sssd, nss-pam-ldapd or 
similar.

But this schema is not widely used in user management environments which 
are not dedicated to Linux login integration.

>> Especially the hard-coded filter
>>
>> (&(objectClass=posixAccount)(uid=%s))
>>
>> won't work in most LDAP deployments which do not use this object class for
>> accounts, with MS AD being the most prominent example.
>>
>> Especially you could define for simple access control:
>>
>> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))
> 
> I agree, both the base and the filter should be configurable per group.
> In addition, we need some convention to encode Galene permissions
> (present, record, op etc.) within LDAP.

Note that LDAP admins are most times rather reluctant to extend the 
schema to something application-specific. E.g. in bigger enterprises 
it's nearly impossible to extend the MS AD schema.

=> Implement a group-role mapping or group-permissions assignment within 
galene-ldap.

> I am in touch with at least two groups of users interested in LDAP 
> integration (yunohost.org and crans.org).

I'm pretty sure the above potential LDAP-integration users would also be 
more than satisfied with a solution where they host an OpenID Connect 
Provider (OP) in front of their LDAP server.

> If you know any users of Galene that are interested in deploying 
> OpenID, please get me in touch with them.
I won't mention my customers in public. But I can confirm that *direct* 
LDAP authc is nowadays considered rather legacy and everybody is heading 
in the WebSSO-direction based on OpenID Connect (using the enterprise 
LDAP servers as backend). And application-specific claims (like Galene 
permissions) can be usually configured within client-specific config in 
WebSSO servers by defining custom mappings.

Ciao, Michael.

  reply	other threads:[~2022-08-03 11:48 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-03  9:51 [Galene] " Juliusz Chroboczek
2022-08-03 10:17 ` [Galene] " Michael Ströder
2022-08-03 10:29   ` Juliusz Chroboczek
2022-08-03 11:48     ` Michael Ströder [this message]
2022-08-03 12:25       ` Juliusz Chroboczek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com \
    --to=michael@stroeder.com \
    --cc=galene@lists.galene.org \
    --subject='[Galene] Re: Experimental LDAP integration for Galene' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox