LDAP Auth Support #99
Conversation
|
Ohh... I so much don't want to maintain this... Is it possible to add some kind of a plugin interface instead? |
|
Well, the LDAP specific bits are minor, but the changes to make auth more modular is the much larger set of changes. However, with a few more changes, I think it would be possible to take the actual LDAP bits out and make just that a separate module. |
|
+1 for a plugin interface. +2 for a plugin interface and auth plugin type template w/ LDAP as functional first example :) @jasonrm are you looking into doing such a thing? |
|
I can't merge this directly, causes too many tests to fail. Mostly because of how unauthorized users are supported currently. But I'm working to either merge some of those changes, or rewrite existing code along those lines, so keeping it open for the reference. |
|
@keyvanfatehi ,
I think functional first example will be this one: Code that understands it is in If anyone is willing to support ldap plugin, I could help with that (the code is right here, needs a tiny bit of changing and a bunch of documentation probably). I'd welcome suggestions about the api. Usergroups added, but maybe there are other things I missed. |
|
I created a ldap plugin based on this PR: I have no idea whether it works or not, and I don't use ldap, so I can't really test it. Basically, if you are interested in having ldap authentication, you can take over its development (or just write your own from scratch). Let me know if I can help with this. Closing this PR, since it has too much tests failed. I might return to it if we decide to refactor config system (it's pretty terrible right now). |
So I wrote this a couple of months back, but didn't do a pull request because it felt like a bit of an ugly hack.
Well, it's still an ugly hack, but since I saw another request for LDAP support in #84, I figured I might as well make it a little more public. I wish I could spend more time cleaning this up, but unfortunately I really am lacking the time, so no hard feelings if you don't want to merge/support this. It works well enough for our needs right now so it's hard to justify spending any more work time on this.
Part of the changes were to the authentication and storage auth flow. I moved authentication/authorization related things out of lib/config and into lib/auth, lib/auth-local, and lib/auth-ldap. Most of the authorization functions are now in lib/access-control-list, which is used by lib/authenticated-user.
The recent addition of htpasswd support does conflict a little as it will create a user even if it fails to login to the LDAP server if both ldap and local backends are enabled and users_file is set. I moved the htpasswd related functions into auth-local, although now that I think about it, auth-htpasswd might have been better.