
Support LDAP for Authentication

Open marshall-ucsd opened this issue 3 years ago • 3 comments

Almost all of our site's web-based applications (in-house and 3rd-party) support LDAP for authentication via Active Directory. It appears Leaf does not (yet?) support LDAP, which is a significant omission. Adding LDAP support will make Leaf much easier to install in AD-based environments.

marshall-ucsd (Apr 21 '21 15:04)

Hi @marshall-ucsd, this is an excellent point! In fact, early on in Leaf development we made an effort to develop functionality around supporting LDAP-based auth via Active Directory, but as we don't use it at UW we're not able to robustly test or validate it. Thus this is a case where we'd ask other sites to contribute code, while we advise where helpful.

You can find elements of our LDAP/AD efforts around:

  • https://github.com/uwrit/leaf/blob/master/src/server/API/Options/StartupExtensions.Services.cs#L218
  • https://github.com/uwrit/leaf/blob/master/src/server/API/Authorization/ActiveDirectoryEntitlementProvider.cs
  • https://github.com/uwrit/leaf/blob/master/src/server/Services/Authorization/ActiveDirectoryMembershipProvider.cs

Hope this helps. Let us know any additional questions you may have - we'd welcome contributions!

Best, -nic

ndobb (Apr 22 '21 17:04)

Thank you - we're actively looking into completing this feature, but have a few questions:

  1. What state is the current implementation in? Are we talking major work needed or just testing and tweaking?
  2. Is there any documentation on the authentication architecture, and how it connects with other elements of Leaf?
  3. For configuration, are there any guidelines we should follow for adding configuration properties (e.g., LDAP server name and port)?
  4. Is anyone else working on this already? Don't want to duplicate effort.
  5. Any updates for https://leafdocs.rit.uw.edu/development_and_testing/development/ ?

Thank you very much - I hope we can help to implement this very useful functionality.

marshall-ucsd (May 05 '21 17:05)

Excellent, that sounds good. Regarding (1) and (3), @cspital can you recall your work on this and provide comments?

Regarding (2) I don't believe we have solid documentation on the authentication architecture in general; most of the existing auth docs are specific to SAML2.

For (4), no, not to my knowledge, so I don't think this work would be duplicative.

For (5), that's in our upcoming internal TODOs. Our last big docs update push touched on test deployments, so the development section will be next. At a high level, I'd suggest:

  • Use Visual Studio 2019 (MacOS or Windows) for running the server
  • VS Code + NPM for running the client
  • SQL Server on Windows or Docker for running the DB

ndobb (May 05 '21 18:05)