Galène videoconferencing server discussion list archives
* [Galene] Experimental LDAP integration for Galene
From: Juliusz Chroboczek @ 2022-08-03  9:51 UTC (permalink / raw)
  To: galene

https://github.com/jech/galene-ldap

Probably not very useful yet, but a good platform for further
experimentation.  If you're running LDAP, please try setting it up and
share your ideas about how it could be made useful.

-- Juliusz


* [Galene] Re: Experimental LDAP integration for Galene
From: Michael Ströder @ 2022-08-03 10:17 UTC (permalink / raw)
  To: galene

On 8/3/22 11:51, Juliusz Chroboczek wrote:
> https://github.com/jech/galene-ldap
> 
> Probably not very useful yet, but a good platform for further
> experimentation.  If you're running LDAP, please try setting it up and
> share your ideas about how it could be made useful.

In general when implementing an LDAP auth client it's very helpful to
make the LDAP filter for searching the user entry configurable with some
kind of template string.

Especially the hard-coded filter

(&(objectClass=posixAccount)(uid=%s))

won't work in most LDAP deployments which do not use this object class 
for accounts, with MS AD being the most prominent example.

For example, you could define, for simple access control:

(&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))

Or any other kind of attribute-based login access control.

BTW: While historically I have quite strong LDAP background I'm still 
convinced that an OpenID Connect (OIDC) integration would be more 
helpful for the future. So you could leave LDAP integration, 2FA etc. to 
the usual WebSSO suspects like Keycloak, Authelia, CAS, Authentik etc. 
And admins can choose whatever other authc mech they want.

Ciao, Michael.


* [Galene] Re: Experimental LDAP integration for Galene
From: Juliusz Chroboczek @ 2022-08-03 10:29 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

> In general when implementing an LDAP auth client it's very helpful to make
> the LDAP filter for searching the user entry configurable with kind of
> template string.

I agree.  (Side note, I wish the LDAP community had come up with
a standard schema for YP-like functionality, but that ship has sailed.)

> Especially the hard-coded filter
> 
> (&(objectClass=posixAccount)(uid=%s))
> 
> won't work in most LDAP deployments which do not use this object class for
> accounts, with MS AD being the most prominent example.
> 
> Especially you could define for simple access control:
> 
> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))

I agree, both the base and the filter should be configurable per group.
In addition, we need some convention to encode Galene permissions
(present, record, op etc.) within LDAP.

That's why I'm publishing this prototype, so that interested parties can
work out the useful conventions.  Please deploy galene-ldap in a couple of
test groups, and let the list know what features would be useful in your
environment -- hopefully we can come up with something sufficiently
general for everyone while not being sendmail.cf.

> BTW: While historically I have quite strong LDAP background I'm still
> convinced that an OpenID Connect (OIDC) integration would be more helpful
> for the future.

I am in touch with at least two groups of users interested in LDAP
integration (yunohost.org and crans.org).  If you know any users of Galene
that are interested in deploying OpenID, please get me in touch with them.

-- Juliusz


* [Galene] Re: Experimental LDAP integration for Galene
From: Michael Ströder @ 2022-08-03 11:48 UTC (permalink / raw)
  To: galene

On 8/3/22 12:29, Juliusz Chroboczek wrote:
>> In general when implementing an LDAP auth client it's very helpful to make
>> the LDAP filter for searching the user entry configurable with kind of
>> template string.
> 
> I agree.  (Side note, I wish the LDAP community had come up with
> a standard schema for YP-like functionality, but that ship has sailed.)

YP-like schema *is* defined in RFC 2307 (and I-D for RFC 2307bis) and is 
implemented by the usual NSS LDAP clients like sssd, nss-pam-ldapd or 
similar.

But this schema is not widely used in user management environments which 
are not dedicated to Linux login integration.

>> Especially the hard-coded filter
>>
>> (&(objectClass=posixAccount)(uid=%s))
>>
>> won't work in most LDAP deployments which do not use this object class for
>> accounts, with MS AD being the most prominent example.
>>
>> Especially you could define for simple access control:
>>
>> (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))
> 
> I agree, both the base and the filter should be configurable per group.
> In addition, we need some convention to encode Galene permissions
> (present, record, op etc.) within LDAP.

Note that LDAP admins are most of the time rather reluctant to extend the
schema with something application-specific. E.g. in bigger enterprises
it's nearly impossible to extend the MS AD schema.

=> Implement a group-role mapping or group-permissions assignment within 
galene-ldap.

> I am in touch with at least two groups of users interested in LDAP 
> integration (yunohost.org and crans.org).

I'm pretty sure the above potential LDAP-integration users would also be 
more than satisfied with a solution where they host an OpenID Connect 
Provider (OP) in front of their LDAP server.

> If you know any users of Galene that are interested in deploying
> OpenID, please get me in touch with them.

I won't mention my customers in public. But I can confirm that *direct*
LDAP authc is nowadays considered rather legacy and everybody is heading
in the WebSSO direction based on OpenID Connect (using the enterprise
LDAP servers as backend). And application-specific claims (like Galene
permissions) can usually be configured within client-specific config in
WebSSO servers by defining custom mappings.

Ciao, Michael.

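The two suggestions in this sub-thread, a per-group configurable search base and filter template (Michael's first reply) and a group-to-permission mapping kept inside galene-ldap rather than in the directory schema (this reply), can be sketched together. The following is an added example written in Go (the language Galene is written in); it is not code from galene-ldap, and the type and function names (GroupConfig, BuildFilter, PermissionMap, PermissionsFor), the sample DNs and the permission names are assumptions for illustration. The one point it adds beyond the thread is that the username substituted into a `%s` template must be escaped as RFC 4515 requires, since a raw name containing `*`, `(` or `)` would otherwise change which entries the filter matches.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// escapeFilterValue encodes the characters that RFC 4515 reserves inside a
// filter assertion value ('*', '(', ')', '\' and NUL) as \XX hex escapes.
// Substituting a raw username into a "%s" template without this step lets a
// name such as "a*b" change the meaning of the filter.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// GroupConfig is a hypothetical per-group configuration: the search base and
// a filter template containing exactly one "%s" placeholder for the username.
type GroupConfig struct {
	Base           string
	FilterTemplate string
}

// BuildFilter expands the template with the escaped username. It rejects
// templates with zero or several placeholders and empty usernames, so a
// misconfigured group fails closed instead of issuing a filter that matches
// the wrong entries.
func BuildFilter(cfg GroupConfig, username string) (string, error) {
	if strings.Count(cfg.FilterTemplate, "%s") != 1 {
		return "", errors.New("filter template must contain exactly one %s placeholder")
	}
	if username == "" {
		return "", errors.New("empty username")
	}
	return strings.Replace(cfg.FilterTemplate, "%s", escapeFilterValue(username), 1), nil
}

// PermissionMap maps an LDAP group DN to the Galene permissions it grants.
// The mapping lives in the auth daemon's configuration, so no schema change
// is needed on the directory side.
type PermissionMap map[string][]string

// normDN is a deliberately simple DN normalisation (lower-case, trim spaces);
// full DN matching per the LDAP RFCs is more involved.
func normDN(dn string) string {
	return strings.ToLower(strings.TrimSpace(dn))
}

// PermissionsFor returns the union, in first-seen order, of the permissions
// granted by every group DN in the user's memberOf values. Groups without a
// mapping grant nothing.
func PermissionsFor(pm PermissionMap, memberOf []string) []string {
	norm := make(map[string][]string, len(pm))
	for dn, perms := range pm {
		norm[normDN(dn)] = perms
	}
	seen := map[string]bool{}
	var out []string
	for _, dn := range memberOf {
		for _, p := range norm[normDN(dn)] {
			if !seen[p] {
				seen[p] = true
				out = append(out, p)
			}
		}
	}
	return out
}

func main() {
	// Constructed configuration mirroring the filter suggested in the thread.
	cfg := GroupConfig{
		Base:           "dc=example,dc=org",
		FilterTemplate: "(&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))",
	}
	f, err := BuildFilter(cfg, "alice")
	fmt.Println(f, err)

	// Constructed group-to-permission mapping and the memberOf values that a
	// directory lookup might return for alice.
	pm := PermissionMap{
		"cn=test-auth,dc=example,dc=org":  {"present"},
		"cn=galene-ops,dc=example,dc=org": {"op", "record", "present"},
	}
	fmt.Println(PermissionsFor(pm, []string{
		"cn=test-auth,dc=example,dc=org",
		"CN=galene-ops,DC=example,DC=org",
	}))
}
```

Keeping the mapping on the galene-ldap side means the directory only has to answer "which groups is this user in", which is the question most deployments (including AD via memberOf) can already answer without schema changes; the same mapping table is also what an OIDC provider would express as a custom claim.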

* [Galene] Re: Experimental LDAP integration for Galene
From: Juliusz Chroboczek @ 2022-08-03 12:25 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

>> I am in touch with at least two groups of users interested in LDAP
>> integration (yunohost.org and crans.org).

> I'm pretty sure the above potential LDAP-integration users would also be
> more than satisfied with a solution where they host an OpenID Connect
> Provider (OP) in front of their LDAP server.

Quite possibly, you'd need to speak to them.  The nice thing about
delegating authorisation to an external daemon is that these decisions
need not be made in Galene itself, they belong in the authorisation
server.  I'd be thrilled if somebody decided to write an authorisation
server for Galene that speaks OpenID Connect.

-- Juliusz
