From: Juliusz Chroboczek <jch@irif.fr>
To: Michael Ströder
CC: galene@lists.galene.org
Date: Wed, 03 Aug 2022 12:29:31 +0200
Subject: [Galene] Re: Experimental LDAP integration for Galene
Message-ID: <875yj9boxg.wl-jch@irif.fr>
References: <878ro5bqpf.wl-jch@irif.fr>
List-Id: Galène videoconferencing server discussion list

> In general when implementing an LDAP auth client it's very helpful to make
> the LDAP filter for searching the user entry configurable with a kind of
> template string.

I agree.
(Side note, I wish the LDAP community had come up with a standard schema
for YP-like functionality, but that ship has sailed.)

> Especially the hard-coded filter
>
>   (&(objectClass=posixAccount)(uid=%s))
>
> won't work in most LDAP deployments which do not use this object class for
> accounts, with MS AD being the most prominent example.
>
> Especially you could define for simple access control:
>
>   (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))

I agree, both the base and the filter should be configurable per group.

In addition, we need some convention to encode Galene permissions (present,
record, op etc.) within LDAP. That's why I'm publishing this prototype, so
that interested parties can work out the useful conventions. Please deploy
galene-ldap in a couple of test groups, and let the list know what features
would be useful in your environment -- hopefully we can come up with
something sufficiently general for everyone while not being sendmail.cf.

> BTW: While historically I have a quite strong LDAP background I'm still
> convinced that an OpenID Connect (OIDC) integration would be more helpful
> for the future.

I am in touch with at least two groups of users interested in LDAP
integration (yunohost.org and crans.org). If you know any users of Galene
that are interested in deploying OpenID, please get me in touch with them.

-- Juliusz
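Added example, not code from this thread or from galene-ldap: one way to expand a configurable filter template such as the two quoted above, while escaping the user-supplied value per RFC 4515 so that a username containing filter metacharacters cannot change the structure of the search filter. The function names and the "exactly one %s" rule are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515, section 3): '*', '(', ')', '\' and NUL become a backslash
// followed by two hex digits. All other bytes, including UTF-8 multibyte
// sequences, pass through unchanged.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildFilter expands a per-group filter template such as
// "(&(objectClass=posixAccount)(uid=%s))" by substituting the escaped
// username for its single %s placeholder. Templates with zero or several
// placeholders are rejected (an assumption of this example), so a
// misconfiguration fails loudly rather than searching for a literal "%s".
func BuildFilter(template, username string) (string, error) {
	if strings.Count(template, "%s") != 1 {
		return "", fmt.Errorf("filter template must contain exactly one %%s placeholder: %q", template)
	}
	return strings.Replace(template, "%s", EscapeFilterValue(username), 1), nil
}

func main() {
	// Constructed inputs: the memberOf filter from the thread, a plain
	// username, and a username carrying filter metacharacters.
	tmpl := "(&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))"
	for _, u := range []string{"alice", "*)(uid=*"} {
		f, err := BuildFilter(tmpl, u)
		fmt.Println(f, err)
	}
}
```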