privacyidea-ldap-proxy
:evergreen_tree: LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA
Right now, we use the service account specified in ``[service-account]`` for two purposes:

* If ``bind-service-account`` is set to ``true``, a bind request that was authenticated successfully against privacyIDEA will...
#13 implements mapping of applications to realms by monitoring the LDAP traffic for so-called *preambles*: A preamble is the LDAP search request performed by applications prior to an LDAP bind....
Implement `last_bind` and `first_bind`. This is to cope with the "re_binds" of an application like owncloud.

`last_bind`: Specify how long the last bind may be over. If `last_bind` is over,...
We assume an application that uses a service account to look up the DN from a login name. Then, the login flow results in several LDAP connections established by the LDAP...
In ``config.ini``, with ``host = "ldap://1.2.3.4"`` set in section ``[ldap-backend]``, Twisted runs into this error:

    2017-02-12T08:39:37+0100 [pi_ldapproxy.proxy.ProxyServerFactory] Unhandled Error
    Traceback (most recent call last):
      File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/python/log.py", line 86, in callWithContext
    ...
We can reproduce this using locust:

* Use the `lookup` mapping strategy on the LDAP proxy
* Edit `locustfile.py` and set `USER_DN` to a DN that does not exist in the...
Right now, incoming LDAP bind and search requests are handled, whereas all other incoming requests are rejected (by sending a ``LDAPInsufficientAccessRights`` response). In particular, incoming LDAP unbind requests are rejected,...
We have a config option ``allow-search`` in the ``[ldap-proxy]`` section which enables forwarding of incoming search requests to the LDAP backend. However, it would probably be nice to differentiate between...
As described [in the Twisted docs](http://twistedmatrix.com/documents/current/core/howto/systemd.html#socket-activation), socket activation has the advantage that we do not have to start Twisted as a privileged user to bind to low ports. However, the...
[This docstring](https://github.com/twisted/ldaptor/blob/ed5d140/ldaptor/protocols/ldap/ldapclient.py#L224) seems to suggest that the ldaptor client library does not validate the hostname of the server for STARTTLS connections. If this is the case, we should add a...