ldap auth support available?
Is there any auth option for LDAP servers? I can only find local DB or local file in the docs.
@miconx Shortly we will start implementing SSO. The first implementation will be based on OAuth and SAML will follow. Very likely, we will never implement a direct connection with an LDAP server. We consider this insecure because the cleartext password of the user will be accessible from the RPort server. You would have to install an OAuth add-on on top of your LDAP server that can issue tokens.
OK, I see. I just cannot understand the argument that LDAP should be insecure? It's secured via TLS; there is no cleartext password in transit at all???
@miconx If the LDAP is located “behind” the RPort server, the users must enter the password on the RPort User Interface. The password is sent encrypted by TLS, but the rport server will decrypt it immediately. This is how all web servers work. From now on, the password is an encrypted variable inside the running web server. Anyone who has shell access to the rport server can manipulate the server easily to log all entered passwords to a log file. How the communication to the LDAP server is secured doesn't matter.
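An added example, not code from RPort or from anyone in this thread, that puts the two designs contrasted above side by side: a form-login handler that forwards the user's password to a directory bind (the server necessarily holds the cleartext password for the duration of the request) versus a bearer-token handler that only verifies a token signed by an external issuer and never handles a password at all. The issuer URL, audience string and HMAC secret are constructed placeholders; `issue_test_token` stands in for the external identity provider purely so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed verification material shared with a hypothetical token issuer.
# In a real OAuth/OIDC deployment this is the issuer's public key or a client
# secret from the issuer's configuration; it is never a user's password.
ISSUER_SECRET = b"example-issuer-hmac-secret"      # placeholder
EXPECTED_ISSUER = "https://issuer.example"         # hypothetical issuer
EXPECTED_AUDIENCE = "rport-server"                 # hypothetical audience


def _b64url_decode(s: str) -> bytes:
    # Tokens carry unpadded base64url; restore the padding before decoding.
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def password_login(username: str, password: str, directory_bind) -> bool:
    """The design the reply above warns about: the web server receives the
    user's cleartext password and forwards it to the directory. Whatever TLS
    protected on the wire, `password` is a plain string inside this process
    for the whole request, reachable by anything running on the host."""
    return directory_bind(username, password)


def verify_bearer_token(authorization_header: str, now=None):
    """The token-based design: the server only ever sees a signed assertion
    from an external identity provider. It checks signature, algorithm,
    issuer, audience and expiry, and returns the claims or None."""
    if not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(ISSUER_SECRET, signing_input, hashlib.sha256).digest()
        # Always verify with the algorithm we expect, in constant time, before
        # trusting anything the header says.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:            # covers base64, JSON and unpacking errors
        return None
    if header.get("alg") != "HS256":
        return None               # reject "none" / algorithm-confusion tokens
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def issue_test_token(claims: dict) -> str:
    """Stand-in for the external issuer, present only so the example runs
    offline. In production the RPort server would not hold signing ability."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    # Constructed directory stand-in: the bind callback receives the cleartext
    # password, which is exactly what the token design avoids.
    print(password_login("alice", "s3cret", lambda u, p: p == "s3cret"))
    tok = issue_test_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                            "sub": "alice", "exp": time.time() + 300})
    print(verify_bearer_token("Bearer " + tok))
```

The bearer path is what an OAuth add-on in front of the directory would feed the server: the server holds only verification material, so a compromise of the host exposes tokens with a bounded lifetime rather than every password typed into the login form.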
It's super fine with OAuth and SAML. It will be perfect to have that functionality.
We use the RportCLI tool a lot; it would be great if SAML and OAuth were also implemented when using the rportcli tool.
@thorstenkramm - LDAP is pretty scary by itself, but LDAPS should provide coverage for the cleartext data transfer concern while something like RADIUS with its various EAP paradigms can be used to effect MFA via the various MFA proxies from Duo/Okta/etc (though at least Okta fails miserably with anything other than PAP in the EAP). If you're looking for authentication vs attribution, then the directory-level entrypoint is probably not the best one and leveraging RADIUS which is fairly common existing infrastructure may provide a "safer" integration with legacy stacks.