Closed gaspardpetit closed 6 years ago
Nice work! Will this work as this?
That's exactly how it works. Basically SSO for authentication, then LDAP for authorization.
This patch will start compiling/working once Graylog 2.4 is released. In the meantime, I also have a local patch that does the same thing on 2.3 but is utterly ugly: it duplicates the LDAP code inside the SSO plugin. If this is needed by others I will submit it online in my own branch.
Hi! Great news! Thanks for the offer to make your patch available, but at our organization we will wait until 2.4 is released.
Hello @gaspardpetit - Graylog 2.4 has been released. Can you re-run the build and/or update the patch?
I'm looking forward to this being released.
Thanks!
Beware that the Graylog team plans on moving in a different direction with https://github.com/Graylog2/graylog2-server/issues/3968 - I am guessing plugins will have to provide different methods for authorization and authentication at some point. I think this separation is a better solution than the one I am providing, but it will take some time to put in place. Until then, this patch will be useful I think.
I'll review this shortly, sorry for the delay
Many thanks for your contribution!
Please note that the referenced issue will likely not be part of Graylog 3.0, so I expect this approach to work for quite a while.
The binary release might take until tomorrow because of setup issues, I'll update here once done.
Actually the release is already on https://github.com/Graylog2/graylog-plugin-auth-sso/releases/tag/2.4.1
Thanks again!
Much obliged and happy I could give some love back to this project. Cheers.
@gaspardpetit FWIW we've discovered a build issue with changed vendor dependencies, which causes the SSO plugin 2.4.1 to fail with the server 2.4.0 version. We are investigating what happened, but will likely release server 2.4.1 in the coming days. If you build everything yourself, all the latest 2.4 branches should be compatible. Or you can wait for our official 2.4.1 release.
This change requires graylog2-server 2.4 because of the following update: https://github.com/Graylog2/graylog2-server/commit/1e69090e305d22b4355266307b13f96f0397d754
The objective of this change is to synchronize users with LDAP when signing in or when creating a user, if LDAP is enabled. This makes it possible to store user information in LDAP (email, name, roles) and use SSO only for authentication.
This change should be integrated into a 2.4-snapshot branch and be merged only once Graylog 2.4 is available.
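The split the PR describes (SSO answers "who is this", LDAP answers "what may they do") is easy to get subtly wrong when the SSO principal does not map cleanly to exactly one directory entry. The following is an added illustration of that sync step; it is not code from this PR, from the Graylog SSO plugin, or from graylog2-server, and it does not use Graylog's plugin API. The in-memory directory, the group-to-role table, and the names `sync_user_from_ldap`, `ldap_search_uid`, `LdapSyncError` and `DEFAULT_ROLE` are all constructed for the example; a real deployment would replace `ldap_search_uid` with an actual LDAP search.

```python
"""Added example (not Graylog's or the SSO plugin's own code).

Flow on each sign-in: the SSO layer asserts a username, the directory is
searched for exactly one entry with that uid, and the local user record is
created or overwritten with the directory's mail, cn and group-derived roles.
Failure modes are handled fail-closed: no entry or an ambiguous match raises
instead of silently granting a default role. All data below is constructed.
"""
from dataclasses import dataclass, field

# Hypothetical role used when the directory grants no mapped group.
DEFAULT_ROLE = "Reader"

# Constructed mapping: LDAP group DN -> application role (names assumed).
GROUP_TO_ROLE = {
    "cn=graylog-admin,ou=groups,dc=example,dc=org": "Admin",
    "cn=graylog-reader,ou=groups,dc=example,dc=org": "Reader",
}

# Constructed stand-in for the directory: entry DN -> multi-valued attributes.
LDAP_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"], "mail": ["alice@example.org"], "cn": ["Alice Example"],
        "memberOf": ["cn=graylog-admin,ou=groups,dc=example,dc=org"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "uid": ["bob"], "mail": ["bob@example.org"], "cn": ["Bob Example"],
        "memberOf": [],                      # no mapped group -> DEFAULT_ROLE
    },
    "uid=carol,ou=people,dc=example,dc=org": {
        "uid": ["carol"], "mail": ["carol@example.org"], "cn": ["Carol Example"],
        "memberOf": ["cn=graylog-admin,ou=groups,dc=example,dc=org",
                     "cn=graylog-reader,ou=groups,dc=example,dc=org",
                     "cn=unrelated,ou=groups,dc=example,dc=org"],  # ignored
    },
    # Two entries sharing one uid: a lookup on "dup" must be rejected.
    "uid=dup,ou=people,dc=example,dc=org": {"uid": ["dup"], "cn": ["Dup One"]},
    "uid=dup,ou=contractors,dc=example,dc=org": {"uid": ["dup"], "cn": ["Dup Two"]},
}


@dataclass
class User:
    username: str
    email: str = ""
    full_name: str = ""
    roles: list = field(default_factory=list)


class LdapSyncError(Exception):
    """Raised when the SSO principal cannot be mapped to exactly one entry."""


def ldap_search_uid(directory, uid):
    """Stand-in for an LDAP search with filter (uid=<uid>); returns all matches."""
    return [attrs for attrs in directory.values() if uid in attrs.get("uid", [])]


def roles_from_groups(groups, group_to_role=GROUP_TO_ROLE, default_role=DEFAULT_ROLE):
    """Map group DNs to roles; unknown groups are ignored, none mapped -> default."""
    roles = sorted({group_to_role[g] for g in groups if g in group_to_role})
    return roles or [default_role]


def sync_user_from_ldap(sso_username, user_store, directory=LDAP_ENTRIES,
                        group_to_role=GROUP_TO_ROLE, default_role=DEFAULT_ROLE):
    """Create or update user_store[uid] from the directory; SSO only supplied the name.

    The username is normalised to lowercase (assumption: uids are stored that way).
    Existing roles are replaced, not merged, so a group removal revokes access
    on the next sign-in rather than leaving a stale role behind.
    """
    uid = sso_username.strip().lower()
    matches = ldap_search_uid(directory, uid)
    if not matches:
        raise LdapSyncError(f"no LDAP entry for SSO principal {uid!r}")
    if len(matches) > 1:
        raise LdapSyncError(f"ambiguous LDAP lookup for {uid!r}: {len(matches)} entries")
    attrs = matches[0]
    user = user_store.get(uid) or User(username=uid)
    user.email = attrs.get("mail", [""])[0]
    user.full_name = attrs.get("cn", [uid])[0]
    user.roles = roles_from_groups(attrs.get("memberOf", []), group_to_role, default_role)
    user_store[uid] = user
    return user


if __name__ == "__main__":
    store = {}
    for name in ("Alice", "bob", "carol"):
        u = sync_user_from_ldap(name, store)
        print(f"{u.username}: {u.full_name} <{u.email}> roles={u.roles}")
    for name in ("mallory", "dup"):
        try:
            sync_user_from_ldap(name, store)
        except LdapSyncError as exc:
            print("denied:", exc)
```

The two `LdapSyncError` branches are the part worth keeping in mind when wiring this into a real plugin: with SSO in front, the only thing standing between an asserted username and a role is the directory lookup, so a missing or duplicated entry should deny the login rather than fall through to a default.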