From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by mail.toke.dk (Postfix) with ESMTPS id 84970991E71 for ; Wed, 3 Aug 2022 13:48:15 +0200 (CEST) Authentication-Results: mail.toke.dk; dkim=pass (1536-bit key; unprotected) header.d=stroeder.com header.i=@stroeder.com header.a=rsa-sha256 header.s=stroeder-com-20201114 header.b=u84w+cmF DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stroeder.com; s=stroeder-com-20201114; t=1659527294; bh=2SagzgcYmWTQUtjo7LmGAjNjxkx+Bk0hRPN/cFoVt0w=; h=Date:Subject:To:References:From:In-Reply-To:From; b=u84w+cmF/MB04pQf6L5V+b8PK7YRjBDtY7LSXFBlLiUg5ZVtyhgsEs/sr1Qn0P059 HbLqtF2zpTD6/OFYnvyp9c6IPFOVn+mme+33X4K8O4+U9FCutloEsgicdKGmtOfCLc GQ1+y79419pgvuB1j6hU04c171vf8cDrHvXQ7X+cQ7uYjCAqSTfNEi47nyfHtgn7Ic 5zgzxqhYVdBmqId9bWDSP9DPnQe5HrDwdb8VvyhMumujPpUm1p0QZXxV6yg Message-ID: <60bd0693-51c5-a0ff-7469-80b0fa2aeea4@stroeder.com> Date: Wed, 3 Aug 2022 13:48:13 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Content-Language: en-US To: galene@lists.galene.org References: <878ro5bqpf.wl-jch@irif.fr> <875yj9boxg.wl-jch@irif.fr> From: =?UTF-8?Q?Michael_Str=c3=b6der?= In-Reply-To: <875yj9boxg.wl-jch@irif.fr> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Message-ID-Hash: 4RBMWTDME6A6WK7JBZBYXSJ7E2EZXF7G X-Message-ID-Hash: 4RBMWTDME6A6WK7JBZBYXSJ7E2EZXF7G X-MailFrom: michael@stroeder.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.5 Precedence: list Subject: [Galene] Re: Experimental LDAP integration for Galene List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?= Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 8/3/22 12:29, Juliusz Chroboczek wrote: >> In general when implementing an LDAP auth client it's very helpful to make >> the LDAP filter for searching the user entry configurable with kind of >> template string. > > I agree. (Side note, I wish the LDAP community had come up with > a standard schema for YP-like functionality, but that ship has sailed.) YP-like schema *is* defined in RFC 2307 (and I-D for RFC 2307bis) and is implemented by the usual NSS LDAP clients like sssd, nss-pam-ldapd or similar. But this schema is not widely used in user management environments which are not dedicated to Linux login integration. >> Especially the hard-coded filter >> >> (&(objectClass=posixAccount)(uid=%s)) >> >> won't work in most LDAP deployments which do not use this object class for >> accounts, with MS AD being the most prominent example. >> >> Especially you could define for simple access control: >> >> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org)) > > I agree, both the base and the filter should be configurable per group. > In addition, we need some convention to encode Galene permissions > (present, record, op etc.) within LDAP. Note that LDAP admins are most times rather reluctant to extend the schema to something application-specific. E.g. in bigger enterprises it's nearly impossible to extend the MS AD schema. => Implement a group-role mapping or group-permissions assignment within galene-ldap. > I am in touch with at least two groups of users interested in LDAP > integration (yunohost.org and crans.org). I'm pretty sure the above potential LDAP-integration users would also be more than satisfied with a solution where they host an OpenID Connect Provider (OP) in front of their LDAP server. > If you know any users of Galene that are interested in deploying > OpenID, please get me in touch with them. I won't mention my customers in public. But I can confirm that *direct* LDAP authc is nowadays considered rather legacy and everybody is heading in the WebSSO-direction based on OpenID Connect (using the enterprise LDAP servers as backend). And application-specific claims (like Galene permissions) can be usually configured within client-specific config in WebSSO servers by defining custom mappings. Ciao, Michael.