NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0

Request for update of Wiki Instructions for LDAP authentication for Hosting NuGet Gallery #3040

Open digitalray opened 8 years ago

digitalray commented 8 years ago

Could you update this page: https://github.com/NuGet/NuGetGallery/wiki/Hosting-the-NuGet-Gallery-Locally-in-IIS with instructions on how to enable LDAP authentication?

On this page https://github.com/NuGet/NuGetGallery/pull/562 it is stated that LDAP has been implemented and could be enabled by web.config modification. Are there any instructions on this?

This would be very useful as anyone hosting a private gallery would find it very beneficial to have Active Directory authenticate the user for NuGet Gallery.

robertmuehsig commented 8 years ago

It seems that those changes were not merged and with the current Gallery it may not be possible to use WindowsAuth (pure LDAP auth would be even harder...) - at least I failed to use WinAuth on my test IIS.

I will take a look and check if there is an easy solution.

digitalray commented 8 years ago

I see...too bad. I guess this would make a big feature with the current code. Thanks for your help. I'll wait to see if you found anything.

robertmuehsig commented 8 years ago

Ok - it seems with the current code it is not possible to use WindowsAuth.

When you try the usual steps (deactivate anonymous access & enable Windows auth) you will hit this CookieAuth-middleware https://github.com/NuGet/NuGetGallery/blob/master/src/NuGetGallery/Authentication/Providers/LocalUser/LocalUserAuthenticator.cs#L20

This could be resolved via a new config-entry (e.g. Auth.UseWindowsAuth true/false) and basically do nothing special because IIS will take care of the authentication.

A more challenging task would be to "preserve" the existing code behavior without an actual user. Currently the NuGet Gallery tracks registered users in the database and each user has 1-n "credentials". With WindowsAuth enabled, we would need to invoke the user-creation process when a user hits his account page and maybe store his SID in the credential table. With this in place it should act more or less the same way as a username/password user, because each "visiting" Windows auth user would just be auto-registered in the database and linked via the SID.

Does this make sense?

(To get things started I needed to use the real IIS for development, otherwise my Windows user was not accepted with the localtest.me url.)
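
The auto-registration flow proposed in the comment above, sketched as an added example that is not part of the thread and is not NuGetGallery code. All type names, the `external.WindowsSid` credential type and the sample SID are assumptions; the in-memory list stands in for the credential table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model: one user, 1..n credentials, Windows users linked by SID.
public sealed record Credential(string Type, string Value);
public sealed record GalleryUser(string Username)
{
    public List<Credential> Credentials { get; } = new List<Credential>();
}

public sealed class SidAutoRegistrar
{
    public const string SidType = "external.WindowsSid";                 // assumed type name
    private readonly List<GalleryUser> _users = new List<GalleryUser>(); // stands in for the database

    // Called with the identity IIS has already authenticated (SID and DOMAIN\name).
    public GalleryUser GetOrCreate(string sid, string accountName)
    {
        if (string.IsNullOrWhiteSpace(sid) || string.IsNullOrWhiteSpace(accountName))
            throw new ArgumentException("Request carries no Windows identity.");

        // Match on the SID credential only. Account names can be renamed or
        // reused for a different person; the SID stays with the account.
        var existing = _users.FirstOrDefault(u => u.Credentials.Any(
            c => c.Type == SidType && string.Equals(c.Value, sid, StringComparison.Ordinal)));
        if (existing != null) return existing;

        // First visit: auto-register, de-duplicating the display username.
        var baseName = accountName.Split('\\').Last();
        var username = baseName;
        for (var n = 2; _users.Any(u => string.Equals(u.Username, username, StringComparison.OrdinalIgnoreCase)); n++)
            username = baseName + n;

        var user = new GalleryUser(username);
        user.Credentials.Add(new Credential(SidType, sid));
        _users.Add(user);
        return user;
    }
}

public static class Demo
{
    public static void Main()
    {
        var reg = new SidAutoRegistrar();
        const string sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"; // constructed SID
        var first = reg.GetOrCreate(sid, @"CORP\alice");
        var renamed = reg.GetOrCreate(sid, @"CORP\alice.smith"); // same SID after a rename
        Console.WriteLine(ReferenceEquals(first, renamed));
    }
}
```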

maartenba commented 8 years ago

Create a new auth provider? I have an Azure AD PR open right now which shows how these work.

robertmuehsig commented 8 years ago

Yeah - more or less. I think the difference would be that the actual "authentication process" is handled in IIS instead of the application and that there would be no real "signin/register" - instead it would be like an auto-register process.

My idea would be: If the Gallery is configured to use WindowsAuth, then hide all "Signout"/"Signin"/"Register" stuff and auto populate the user in the database and link it via his user SID when the user accesses the account page.

hubby2004 commented 7 years ago

Any updates on the LDAP authentication module for NuGet Gallery?

skofman1 commented 7 years ago

@hubby2004, the NuGet team is currently working on other features, and we won't have the capacity to implement LDAP authentication in the near future. That said, we do encourage PR contributions, and would gladly review a community PR.

Thanks for understanding.

jozefizso commented 7 years ago

I have the LDAP module in my fork of the NuGetGallery: https://github.com/goit/NuGetGallery but it is quite outdated. I'm in the process of merging the code with the latest NuGetGallery release.

Is it ok to port the LDAP auth module and pull it into this issue? Or do you need its own issue for this?

skofman1 commented 7 years ago

Hi @jozefizso! Thanks for providing this functionality in your fork!

In order to decide if we are able to accept a PR with the ported LDAP module, we need to understand how the port is done, and how it affects other auth scenarios. The preference would be to activate this auth option using config (that is off by default). Is this a possibility?

jozefizso commented 7 years ago

The LDAP functionality is implemented as an external authentication service using the NuGet Gallery API. It can be enabled in the web.config the same way as other auth providers.

I need to rework the user interface though, because right now we completely replace the login form with our LDAP form. I must investigate how to implement this in a less obtrusive way.

The LDAP also depends on modified authentication code as we do not require users to register and login using LDAP will automatically register new user accounts - this is great for internal NuGet Galleries but it is not suitable for the official NuGetGallery release.

skofman1 commented 7 years ago

@jozefizso, sounds like we need a completely different code path to support LDAP, that will affect both authentication flow and UI. One option to enable this feature is for NuGet Gallery to support an extension model for authentication providers. For example, a design can be that a Gallery user that wants to get LDAP support installs a NuGet package, and this enables the new authentication experience. This approach will allow LDAP support, and also provide a method for other users to implement their own authentication extensions.

Created this issue to track this suggestion: https://github.com/NuGet/NuGetGallery/issues/3811