
Provisioner with ldaps support

Open reawakn opened this issue 5 years ago • 6 comments

What would you like to be added

Provisioner: Is it possible to add LDAPS support (Active Directory) with a filter function?

SSH User certificates: If a user is a member of a group, then set the appropriate extension in the ssh user certificate. Similar to matchgroup in sshd_config.

Why this is needed

For the internal user case with no internet.

reawakn avatar Aug 20 '20 06:08 reawakn

Hey, thanks for opening the issue! We've discussed LDAP before, so glad to see a request coming in from the community.

Question for you: Are you just trying to use Active Directory, or do you specifically want to use LDAP?

The reason being that Active Directory supports OAuth OIDC (which step-ca already supports) which is our preferred authentication method.

As of now, LDAP is not on the roadmap. If we see enough community support / requests in this area we will definitely reconsider.

dopey avatar Aug 25 '20 19:08 dopey

Hey, I'm now trying dex with Active Directory, but I think the configuration is wrong.

My partial configuration:

DEX:

staticClients:
- id: ssh-sso
  name: 'SSO for SSH'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0

CURL:

{
  "issuer": "http://ipv4:5556/dex",
  "authorization_endpoint": "http://ipv4:5556/dex/auth",
  "token_endpoint": "http://ipv4:5556/dex/token",
  "jwks_uri": "http://ipv4:5556/dex/keys",
  "userinfo_endpoint": "http://ipv40:5556/dex/userinfo",
  "device_authorization_endpoint": "http://ipv4:5556/dex/device/code",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}

STEP:

step oauth --oidc --bare --provider http://IPv4:5556/dex/.well-known/openid-configuration --client-id ssh-sso --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0
use a valid provider: google

Can you post an example configuration, please?

reawakn avatar Sep 16 '20 11:09 reawakn

@reawakn I believe the problem is that your provisioner URI (http://IPv4:5556/dex/.well-known/openid-configuration) is using HTTP, not HTTPS. OAuth and OIDC require use of TLS (HTTPS) everywhere.

mmalone avatar Sep 16 '20 22:09 mmalone
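A pre-flight check a practitioner can run on a provider's discovery document before pointing step-ca at it, written here as an added example (not step-ca or dex code). It applies the HTTPS requirement above to the provider URL and every advertised endpoint, flags an endpoint whose host differs from the issuer's, and checks that the groups scope is advertised, since mapping directory groups to SSH certificate extensions (as requested at the top of the thread) depends on it. The sample document is a constructed copy of the one posted above, trimmed to the checked fields; ipv4 and ipv40 are the poster's placeholder hosts, kept as-is.

```go
package main

import (
	"encoding/json"
	"net/url"
)

// sampleDoc is a constructed copy of the discovery document posted above, trimmed to the checked fields.
const sampleDoc = `{
  "issuer": "http://ipv4:5556/dex",
  "authorization_endpoint": "http://ipv4:5556/dex/auth",
  "token_endpoint": "http://ipv4:5556/dex/token",
  "jwks_uri": "http://ipv4:5556/dex/keys",
  "userinfo_endpoint": "http://ipv40:5556/dex/userinfo",
  "scopes_supported": ["openid", "email", "groups", "profile", "offline_access"]
}`

// checkDiscovery lists what would stop an OIDC provisioner from using this provider: non-https
// URLs, an endpoint on a different host than the issuer, and no "groups" scope for group mapping.
// Findings come back in a fixed order so callers can report or assert on them.
func checkDiscovery(providerURL string, doc []byte) ([]string, error) {
	var d map[string]any
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	str := func(key string) string { s, _ := d[key].(string); return s }
	iss, _ := url.Parse(str("issuer")) // nil if the issuer is unparsable; reported in the loop below
	var findings []string
	if p, err := url.Parse(providerURL); err != nil || p.Scheme != "https" {
		findings = append(findings, "provider URL is not https: "+providerURL)
	}
	for _, key := range []string{"issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"} {
		u, err := url.Parse(str(key))
		if err != nil || u.Scheme != "https" {
			findings = append(findings, key+" is not https: "+str(key))
		}
		if err == nil && iss != nil && u.Host != iss.Host {
			findings = append(findings, key+" host "+u.Host+" differs from issuer host "+iss.Host)
		}
	}
	hasGroups := false
	scopes, _ := d["scopes_supported"].([]any)
	for _, s := range scopes {
		hasGroups = hasGroups || s == "groups"
	}
	if !hasGroups {
		findings = append(findings, "scopes_supported lacks \"groups\"")
	}
	return findings, nil
}
```

Run against the posted document and provider URL, it reports the plain-HTTP provider URL and endpoints plus the userinfo endpoint sitting on a different host than the issuer; a fully https document with consistent hosts produces no findings.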

Any support to implement this? We are working through a use case to provision user certificates right now, and the email limitation is a bit of an issue. @dopey

TheSecMaven avatar Jun 07 '21 21:06 TheSecMaven

Looking into this, it would be easy to use this well-maintained library to do the work; it would just need to be parameterized to accept input from CA.json: https://github.com/go-ldap/ldap

TheSecMaven avatar Jun 08 '21 12:06 TheSecMaven

Hi,

I was also hoping for the possibility of implementation of LDAP in StepCA because I have central authentication and authorization through LDAP. Is there any chance for this implementation?

Enetrati avatar Mar 29 '22 10:03 Enetrati