feature request: Can the LDAP connector be integrated into it?
What problem did you meet?
I have fully experienced almost all the features, they're so excellent! But if I want to use it in my production environment, I need to solve the user sync problem manually.
Describe what you'd like Logto to have
Could your team add LDAP database authentication as one of the authentication methods in this app? It's a very useful feature. Thanks for your attention!
Thank you! That's what we are planning now :-) We have a public roadmap that you can track. It is definitely in our scope. Stay connected.
@adoresli Hello, this is Guamian from the Logto Product team! Thanks for the feature request! I'm curious to learn more about your team's or company's needs and situation. Would you mind spending around 10 minutes to e-chat about that? Also, feel free to join our Discord channel. :P
One use case would be Light LDAP support. The LLDAP project may also help with integration testing?
We investigated LDAP and decided to move on after #3344; @darcyYe @wangsijie can add more context.
The authorization process of LDAP is different from OAuth and OIDC. The latter works by Logto initiating an authorization request on behalf of the user, who then completes the authorization process through various means such as username and password or verification code. Upon successful authorization, Logto obtains permission. However, according to the authorization process of LDAP and the current Logto design, Logto needs to use the user's username and password information to request permission from the LDAP server. We do not want Logto to have access to the user's login information, as this may pose security and legal risks. We need to find a better way to address the above-mentioned issues.
Logto needs to use the user's username and password information to request permission from the LDAP server.
Logto's password encryption algorithm may differ from LDAP's; how can this be possible?
The authorization process of LDAP is different from OAuth and OIDC. The latter works by Logto initiating an authorization request on behalf of the user, who then completes the authorization process through various means such as username and password or verification code. Upon successful authorization, Logto obtains permission. However, according to the authorization process of LDAP and the current Logto design, Logto needs to use the user's username and password information to request permission from the LDAP server. We do not want Logto to have access to the user's login information, as this may pose security and legal risks. We need to find a better way to address the above-mentioned issues.
Isn't Logto already storing the user's login and password when it is functioning as an identity provider? What I see is that Logto has its own local DB-based authentication feature as well as authentication via SAML and other providers. Could it be possible to mark a user as being authenticated via LDAP and not store the user's password in Logto, but pass it over to LDAP for authentication and authorization? One strategy that can be used is to first authenticate via LDAP and, if the user is not present, authenticate against the local DB, or vice versa. This is a common practice in enterprise applications implementing CAS. I would be very much interested in this feature. I came across Logto for a product/solution I am building which requires SAML and LDAP integration, and more so Azure AD authentication.
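The two points raised in this thread, that an LDAP simple bind forces the identity provider to handle the user's plaintext password while a local store only ever holds a hash, and the proposed "try LDAP first, fall back to the local DB only when the user is not in the directory" chain, can be shown together in one small Python program. This is an added illustration, not Logto's code and not a description of how Logto hashes passwords: the base DN, the in-memory FakeDirectory that stands in for a real LDAP server (a real deployment would perform the bind over LDAPS with an LDAP client library), the PBKDF2 parameters of the local store, and all user entries are constructed assumptions.

```python
"""Chained authentication: LDAP simple bind first, local password hash as fallback.
Added example, not Logto code.  Directory contents and parameters are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BASE_DN = "ou=people,dc=example,dc=com"  # assumed directory layout

# RFC 4514 characters that must be escaped when a user-supplied name is
# interpolated into a DN; otherwise "alice,ou=admins" rewrites the bind target.
_DN_ESCAPE = {",": "\\,", "+": "\\+", '"': '\\"', "\\": "\\\\", "<": "\\<",
              ">": "\\>", ";": "\\;", "=": "\\=", "\x00": "\\00"}


def escape_dn_value(value: str) -> str:
    out = "".join(_DN_ESCAPE.get(c, c) for c in value)
    if out[:1] in (" ", "#"):            # leading space or '#' must be escaped
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):  # and so must a trailing space
        out = out[:-1] + "\\ "
    return out


def user_dn(username: str) -> str:
    return f"uid={escape_dn_value(username)},{BASE_DN}"


class FakeDirectory:
    """Stand-in for an LDAP server.  A simple bind requires the caller to send the
    user's actual password, which is exactly the property discussed in the thread:
    the IdP cannot complete an LDAP bind without holding that plaintext in memory."""

    def __init__(self, entries: Dict[str, str]):
        self._entries = entries  # DN -> password the server will accept

    def exists(self, dn: str) -> bool:
        # A real server answers invalidCredentials (resultCode 49) for both an
        # unknown DN and a wrong password, so presence is normally established by
        # a search with a service account before the user bind is attempted.
        return dn in self._entries

    def bind(self, dn: str, password: str) -> bool:
        stored = self._entries.get(dn)
        return stored is not None and hmac.compare_digest(stored, password)


class LocalUserStore:
    """Local store in the style of an IdP's own user table: only a salted PBKDF2
    hash is kept, so the password is never recoverable from what is stored."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        row = self._rows.get(username)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._hash(password, salt))


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    backend: Optional[str]  # "ldap", "local", or None on failure


def authenticate(username: str, password: str,
                 directory: FakeDirectory, local: LocalUserStore) -> AuthResult:
    dn = user_dn(username)
    if directory.exists(dn):
        # The directory owns this account, so its verdict is final.  Falling
        # through to the local store on a failed bind would let a stale local
        # password bypass a directory-side lockout or password change.
        ok = directory.bind(dn, password)
        return AuthResult(ok, "ldap" if ok else None)
    ok = local.verify(username, password)
    return AuthResult(ok, "local" if ok else None)


def build_demo() -> Tuple[FakeDirectory, LocalUserStore]:
    """Constructed sample data: alice lives in the directory (and has a stale
    local row), bob is local-only."""
    directory = FakeDirectory({user_dn("alice"): "alice-pw"})
    local = LocalUserStore()
    local.add("alice", "alice-old")
    local.add("bob", "bob-local-pw")
    return directory, local


if __name__ == "__main__":
    d, l = build_demo()
    for user, pw in [("alice", "alice-pw"), ("alice", "alice-old"),
                     ("bob", "bob-local-pw"), ("eve,ou=admins", "x")]:
        print(user, "->", authenticate(user, pw, d, l))
```

The fallback is deliberately keyed on the account's presence in the directory rather than on the bind result, and the escaping step keeps a username such as `eve,ou=admins` from being bound as a different entry.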