[Galene] Re: Experimental LDAP integration for Galene

[Juliusz Chroboczek <jch@irif.fr>]

> In general when implementing an LDAP auth client it's very helpful to make
> the LDAP filter for searching the user entry configurable with kind of
> template string.

I agree.  (Side note, I wish the LDAP community had come up with
a standard schema for YP-like functionality, but that ship has sailed.)

> Especially the hard-coded filter
> 
> (&(objectClass=posixAccount)(uid=%s))
> 
> won't work in most LDAP deployments which do not use this object class for
> accounts, with MS AD being the most prominent example.
> 
> Especially you could define for simple access control:
> 
> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))

I agree, both the base and the filter should be configurable per group.
In addition, we need some convention to encode Galene permissions
(present, record, op etc.) within LDAP.

That's why I'm publishing this prototype, so that interested parties can
work out the useful conventions.  Please deploy galene-ldap in a couple of
test groups, and let the list know what features would be useful in your
environment -- hopefully we can come up with something sufficiently
general for everyone while not being sendmail.cf.

> BTW: While historically I have quite strong LDAP background I'm still
> convinced that an OpenID Connect (OIDC) integration would be more helpful
> for the future.

I am in touch with at least two groups of users interested in LDAP
integration (yunohost.org and crans.org).  If you know any users of Galene
that are interested in deploying OpenID, please get me in touch with them.

-- Juliusz