From: Michael Ströder <michael@stroeder.com>
To: galene@lists.galene.org
Date: Wed, 3 Aug 2022 12:17:28 +0200
Subject: [Galene] Re: Experimental LDAP integration for Galene
In-Reply-To: <878ro5bqpf.wl-jch@irif.fr>

On 8/3/22 11:51, Juliusz Chroboczek wrote:
> https://github.com/jech/galene-ldap
>
> Probably not very useful yet, but a good platform for further
> experimentation. If you're running LDAP, please try setting it up and
> share your ideas about how it could be made useful.

In general when implementing an LDAP auth client it's very helpful to make the LDAP filter for searching the user entry configurable with a kind of template string.

Especially the hard-coded filter (&(objectClass=posixAccount)(uid=%s)) won't work in most LDAP deployments which do not use this object class for accounts, with MS AD being the most prominent example.

Especially you could define for simple access control:

  (&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))

Or any other kind of attribute-based login access control.

BTW: While historically I have quite a strong LDAP background I'm still convinced that an OpenID Connect (OIDC) integration would be more helpful for the future. So you could leave LDAP integration, 2FA etc. to the usual WebSSO suspects like Keycloak, Authelia, CAS, Authentik etc. And admins can choose whatever other authc mech they want.

Ciao, Michael.
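Added example, not part of the thread and not galene-ldap's own code: a Go sketch of the configurable filter template Michael proposes, with the check a practitioner would want alongside it. Whatever template an admin configures, the login name substituted for the placeholder is attacker-controlled, so it must be escaped per RFC 4515 (section 3) before substitution; otherwise a login name of `*` turns `(uid=%s)` into `(uid=*)` and the search returns every entry that satisfies the rest of the filter. The `%s` placeholder convention, the function names, the startup validation of the template, and the sample templates and login names are all assumptions made for this example; the sAMAccountName template is just one common AD-style variant.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// escapeFilterValue escapes an assertion value for use inside an LDAP
// search filter as required by RFC 4515 section 3: '*', '(', ')', '\'
// and NUL become a backslash followed by two hex digits. All other
// bytes, including non-ASCII UTF-8, pass through unchanged.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// ValidateTemplate checks an admin-supplied filter template at startup:
// it must contain exactly one "%s" placeholder for the login name, be a
// single parenthesised filter, and have balanced parentheses.
// (Hypothetical helper; galene-ldap's own config handling is not shown.)
func ValidateTemplate(tmpl string) error {
	if strings.Count(tmpl, "%s") != 1 {
		return errors.New("template must contain exactly one %s placeholder")
	}
	if !strings.HasPrefix(tmpl, "(") || !strings.HasSuffix(tmpl, ")") {
		return errors.New("template must be enclosed in parentheses")
	}
	depth := 0
	for i := 0; i < len(tmpl); i++ {
		switch tmpl[i] {
		case '(':
			depth++
		case ')':
			depth--
			if depth < 0 {
				return errors.New("unbalanced ')' in template")
			}
		}
	}
	if depth != 0 {
		return errors.New("unbalanced '(' in template")
	}
	return nil
}

// RenderUserFilter builds the search filter for one login attempt:
// the escaped login name replaces the "%s" placeholder.
func RenderUserFilter(tmpl, username string) string {
	return strings.ReplaceAll(tmpl, "%s", escapeFilterValue(username))
}

// renderUserFilterUnsafe is the naive substitution, kept only to show
// what an unescaped login name does to the filter.
func renderUserFilterUnsafe(tmpl, username string) string {
	return strings.ReplaceAll(tmpl, "%s", username)
}

func main() {
	// Constructed templates: the posixAccount one from the thread, an
	// AD-style one, and the memberOf access-control one.
	templates := []string{
		"(&(objectClass=posixAccount)(uid=%s))",
		"(&(objectClass=user)(sAMAccountName=%s))",
		"(&(uid=%s)(memberOf=cn=test-auth,dc=example,dc=org))",
	}
	// Constructed login names: a normal one and two injection attempts.
	names := []string{"alice", "*", "alice)(objectClass=*"}
	for _, t := range templates {
		if err := ValidateTemplate(t); err != nil {
			fmt.Println("rejected template:", t, err)
			continue
		}
		for _, n := range names {
			fmt.Printf("template %s\n  unsafe: %s\n  safe:   %s\n",
				t, renderUserFilterUnsafe(t, n), RenderUserFilter(t, n))
		}
	}
}
```

The escaping is done on the value only, never on the template: the admin is trusted to write filter syntax, the user is not. Validating the template once at startup (one placeholder, balanced parentheses) catches a mistyped config before the first login rather than producing a confusing bind failure later.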