
Support LDAP Authentication

Open MorganDavis opened this issue 6 years ago • 9 comments

The .htpasswd auth is difficult to scale or manage beyond a few users. Supporting LDAP would allow for a large number of users in both *nix and Windows environments.

MorganDavis avatar May 10 '18 17:05 MorganDavis

I have implemented a basic POC. But as I have implemented it now, and without having much golang knowledge, I doubt that my naive approach is going to scale. The LDAP server is going to be hammered with requests; a single `restic snapshots` alone results in eight LDAP calls.

I'm afraid an authentication cache level needs to be implemented, and that will definitely get ugly very quickly. Maybe I'm going to work on a solution based on pam+sssd.

frankf-cgn avatar Aug 04 '18 10:08 frankf-cgn

I just finished implementing some credential caching using freecache and it looks promising. I just have to write some tests and do some code cleanup. @mholt Are you interested in a PR? There is certainly the need for some code review, because I'm new to golang.

frankf-cgn avatar Aug 06 '18 17:08 frankf-cgn

Quite possibly -- approximately how big is the change?

mholt avatar Aug 06 '18 17:08 mholt

I would suggest implementing a popen auth backend instead, where rest-server opens a different process to handle authentication. This way anyone can implement an authentication backend in whatever language they like without rest-server having to ship with support for LDAP/IMAP/SSH/PAM/SMB/etc. PAM in particular sounds problematic, as it would require CGo if I'm correct.

Such a backend would read lines that could look like this (unindented JSON):

{"repo": "somerepo", "username": "someuser", "password": "somepassword", "action": "GET", "type": "snapshots", "object": "somehash"}\n

and respond with a message like {"ok": true}\n. The actual details of the protocol would require some more thought.

This would also allow for more complex rest-server ACLs without having to directly support all possible use cases within rest-server.

wojas avatar Aug 07 '18 06:08 wojas
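The line-oriented exchange sketched in the comment above, written out as an added example (this is not rest-server code, and the protocol is the hypothetical one proposed in the comment, not something rest-server implements). The backend reads one JSON request per line on stdin and answers with one `{"ok": ...}` line per request; the in-memory user table and per-repository access list are constructed stand-ins for whatever directory (LDAP, PAM, etc.) a real backend would consult. Malformed input is answered with `{"ok": false}` rather than an error, so a bad line can never be mistaken for a grant.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// authRequest mirrors the JSON line proposed above (hypothetical protocol).
type authRequest struct {
	Repo     string `json:"repo"`
	Username string `json:"username"`
	Password string `json:"password"`
	Action   string `json:"action"`
	Type     string `json:"type"`
	Object   string `json:"object"`
}

// authResponse is the single-field reply proposed above.
type authResponse struct {
	OK bool `json:"ok"`
}

// users is a constructed credential table standing in for LDAP/PAM/etc.
var users = map[string]string{"alice": "correct-horse", "bob": "battery-staple"}

// repoAccess is a constructed per-user ACL: which repos each user may touch.
var repoAccess = map[string][]string{"alice": {"somerepo"}, "bob": {"somerepo", "otherrepo"}}

// decide applies authentication (password) and authorization (repo) to one request.
func decide(req authRequest) bool {
	want, known := users[req.Username]
	if !known {
		// Unknown user: still run a comparison so timing does not reveal valid usernames.
		subtle.ConstantTimeCompare([]byte(req.Password), []byte("placeholder"))
		return false
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(req.Password)) != 1 {
		return false
	}
	for _, r := range repoAccess[req.Username] {
		if r == req.Repo {
			return true
		}
	}
	return false
}

// HandleLine parses one request line and returns the response line (newline-terminated).
// Any decode error yields {"ok":false}; the default is always deny.
func HandleLine(line string) string {
	var req authRequest
	resp := authResponse{}
	if err := json.NewDecoder(strings.NewReader(line)).Decode(&req); err == nil {
		resp.OK = decide(req)
	}
	out, _ := json.Marshal(resp) // a bool-only struct cannot fail to marshal
	return string(out) + "\n"
}

// Serve runs the loop: one JSON request per line in, one response per line out.
func Serve(r io.Reader, w io.Writer) error {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if _, err := io.WriteString(w, HandleLine(sc.Text())); err != nil {
			return err
		}
	}
	return sc.Err()
}

func main() {
	// rest-server (in the proposed design) would spawn this process and talk over stdin/stdout.
	if err := Serve(os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Piping a request such as the one quoted in the comment into the binary prints `{"ok":true}` for a known user on an allowed repository and `{"ok":false}` otherwise. The caching concern raised earlier in the thread would sit inside this process (or in rest-server's side of the pipe), not in the protocol itself.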

I like this approach, it would reduce the complexity needed in rest-server. Hm.

fd0 avatar Aug 07 '18 09:08 fd0

@mholt I think it is not too intrusive. A little change to cmd/rest-server/main.go and a small addition to handlers.go (~16 lines). The LdapAuth implementation incl. caching of the credentials is ~200 lines.

@wojas @fd0: Besides the approach being indeed very flexible and powerful, it adds a lot more functionality (and complexity/work). In my eyes, this is a good candidate for a new issue like "Implement Authorization (ACL)". .htpasswd (and now LDAP) is just more about plain and simple "Authentication".

frankf-cgn avatar Aug 07 '18 15:08 frankf-cgn

I will create a new issue for the popen backend.

wojas avatar Aug 07 '18 15:08 wojas

Wouldn't it be easier to use --no-auth and have a reverse proxy do the authentication? I'm pretty sure you can hook nginx into LDAP.

ashrude avatar Mar 26 '24 18:03 ashrude

A reverse proxy makes sense, but you do need to be careful about potential differences in path handling between the proxy and rest-server to not introduce security issues.

wojas avatar Mar 27 '24 08:03 wojas
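One concrete way to address the caveat in the last comment, as an added example that is not rest-server or nginx code: when the proxy authorizes on the path it received but the backend normalizes the path before routing, the two can disagree about which repository a request touches. The middleware below (hypothetical, written for a Go backend sitting behind an authenticating proxy) refuses any request whose path is not already canonical, so whatever the proxy decided on is exactly what the backend acts on. `Canonical` is the check; `RequireCanonicalPath` wraps an `http.Handler` with it.

```go
package main

import (
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Canonical reports whether a raw (still percent-encoded) request path is already in
// canonical form: starts with "/", decodes cleanly, contains no percent-encoded slashes,
// no backslashes, and no ".", ".." or empty segments. A path for which this is true is
// seen identically by a proxy that does not normalize and a backend that does.
func Canonical(rawPath string) bool {
	if rawPath == "" || rawPath[0] != '/' {
		return false
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return false
	}
	if strings.Contains(decoded, "\\") {
		return false
	}
	// A decoded slash that was not a literal slash means an encoded "%2F" changed the
	// segment structure; the proxy and the backend would split the path differently.
	if strings.Count(decoded, "/") != strings.Count(rawPath, "/") {
		return false
	}
	cleaned := path.Clean(decoded)
	// path.Clean drops a trailing slash; preserve it so "/repo/" still counts as canonical.
	if strings.HasSuffix(decoded, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned == decoded
}

// RequireCanonicalPath rejects non-canonical paths with 400 before the wrapped handler
// (and any path cleaning it performs) ever sees them.
func RequireCanonicalPath(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// EscapedPath returns the path as it appeared on the wire when that form is valid,
		// which is the form the proxy made its decision on.
		if !Canonical(r.URL.EscapedPath()) {
			http.Error(w, "non-canonical request path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed stand-in for the real repository handler.
	repo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	http.ListenAndServe("127.0.0.1:8000", RequireCanonicalPath(repo))
}
```

The same rule can be enforced on the proxy side instead (deny before authenticating); the important property is that exactly one normalization happens and the authorization decision is made on its output.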