
[Feature] External LDAP or LDAP import

Open lenaxia opened this issue 2 years ago • 5 comments

What is this?

Enable the ability to use LDAP for Fasten. To simplify user management, enable the importing from and querying against of an LDAP server for authentication.

Implementation

Import users with live query on login - This is the preferred method, where an import from LDAP is enabled, either as a recurring job, or as a one-time user-triggered action, against a user-defined filter (e.g. memberOf=cn=fastenUsers,cn=groups,dc=domain,dc=com). Import would create a local user entity, tagged with LDAP and with no password defined. Upon login for an LDAP-tagged user, an LDAP lookup is made to verify the password. This ensures that the user is always logged in against their most recent password; however, it requires the LDAP server always be available, which is generally a safe assumption with LDAP.

Caching passwords - There is an option to cache the salted passwords locally so that there isn't a dependency on LDAP being live when login occurs, however this method is not recommended. If a user changes their password in LDAP, it would be up to either the Admin or a scheduled job to import the new salted password. This becomes a security risk during the all too common database leaks that are happening these days, e.g. LastPass, because old passwords would live longer than necessary after being changed.

Password Changes - There are two options here depending on if the admin wants to enable write access to the LDAP server. If write access is enabled, then a simple LDAP writeback can be performed upon password changes. If permissions are read only, the administrator can disable password changes for LDAP users and provide an external link to a password change tool.

Workflow

  • Initial Configuration
    • Administrator configures LDAP search filters and access credentials
    • Administrator clicks "Test Import" and Fasten performs an LDAP lookup and presents a preview of users who will be imported
    • Administrator clicks "Import" OR relies on a built-in sync job (e.g. every 24 hours)
      • Fasten creates a user entity for every user imported. May import additional information such as email, displayName, photo, etc
  • User attempts to login
    • Fasten checks if a user is flagged as LDAP
      • If not flagged as LDAP, regular login pathway is followed
    • Fasten opens a connection and bind request to the LDAP server to authenticate the user
    • If bind succeeds, user is logged in and may proceed as usual.

Security

LDAP protocol requires plaintext password exchange, which would necessitate ldaps for security. Optionally, Fasten may be able to reference the userPassword property of the LDAP query and salt the password internally to perform a comparison using Base64Encode(SHA1(password+salt)+salt). This would replace the second bind with the user submitted plaintext credentials.

When is this needed?

Sooner rather than later. While the current mechanism would work for myself as a single user, I would block rollout to my family contingent on LDAP. The only workaround would be if a functional export/import feature existed that would allow migrating to LDAP-imported accounts down the line.

lenaxia avatar Jan 26 '23 18:01 lenaxia
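The Security section above describes comparing a submitted password against the directory's userPassword attribute using Base64Encode(SHA1(password+salt)+salt), which is the RFC 2307 {SSHA} scheme, and the Workflow section describes routing LDAP-tagged users down a separate login path. The following is an added example in Go (the language fasten-onprem is written in) and is not code from the Fasten project or from the issue author; the function names (MakeSSHA, VerifySSHA, Authenticate), the User struct and the lookupUserPassword callback are assumptions chosen for illustration. In a real deployment the callback would be an LDAP search made under a service account that is permitted to read userPassword; here the test supplies an in-memory map.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// sshaPrefix is the RFC 2307 scheme tag that directory servers prepend to the stored value.
const sshaPrefix = "{SSHA}"

// MakeSSHA builds Base64Encode(SHA1(password+salt)+salt), the formula from the issue,
// with the {SSHA} prefix. The salt is passed in so results are reproducible in tests.
func MakeSSHA(password string, salt []byte) string {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	digest := h.Sum(nil)
	return sshaPrefix + base64.StdEncoding.EncodeToString(append(digest, salt...))
}

// NewSalt returns n random bytes from crypto/rand (assumed helper, not Fasten code).
func NewSalt(n int) ([]byte, error) {
	salt := make([]byte, n)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// VerifySSHA checks a submitted password against a userPassword attribute value.
// It recovers the salt from the tail of the decoded value, recomputes SHA1(password+salt),
// and compares in constant time so the check leaks no timing information.
func VerifySSHA(stored, password string) (bool, error) {
	if !strings.HasPrefix(stored, sshaPrefix) {
		return false, errors.New("userPassword is not {SSHA}; refuse rather than guess the scheme")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, sshaPrefix))
	if err != nil {
		return false, fmt.Errorf("decode userPassword: %w", err)
	}
	if len(raw) <= sha1.Size {
		return false, errors.New("userPassword too short to hold a digest and a salt")
	}
	digest, salt := raw[:sha1.Size], raw[sha1.Size:]
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	return subtle.ConstantTimeCompare(h.Sum(nil), digest) == 1, nil
}

// User is the local entity the import step would create. LDAP-tagged users carry no
// local password; only non-LDAP users have a LocalHash.
type User struct {
	Name      string
	LDAP      bool   // set by the import job
	LocalHash string // only populated for non-LDAP users
}

// Authenticate is the login pathway from the issue's workflow: LDAP-tagged users are
// checked against the directory's current userPassword value (the SSHA variant of the
// design), everyone else follows the local path. lookupUserPassword stands in for the
// LDAP query; if the directory is unreachable the login fails closed instead of falling
// back to any cached copy, which is the risk the "Caching passwords" paragraph describes.
func Authenticate(u User, password string, lookupUserPassword func(name string) (string, error)) (bool, error) {
	if !u.LDAP {
		return VerifySSHA(u.LocalHash, password) // local users reuse the same scheme here for brevity
	}
	stored, err := lookupUserPassword(u.Name)
	if err != nil {
		return false, fmt.Errorf("directory lookup for %q failed: %w", u.Name, err)
	}
	return VerifySSHA(stored, password)
}

func main() {
	salt, err := NewSalt(8)
	if err != nil {
		panic(err)
	}
	stored := MakeSSHA("correct horse battery staple", salt)
	ok, err := VerifySSHA(stored, "correct horse battery staple")
	fmt.Println(stored, ok, err)
}
```

Two points worth keeping in mind with this variant: reading userPassword means the service account holds every user's hash, which the bind-based approach the issue prefers never has to handle, and {SSHA} is a single unsalted-iteration SHA-1, so the comparison buys nothing beyond what the directory already stores; the constant-time compare and the explicit scheme check are the minimum a local comparison should do.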