Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Does Meshcentral also support Light LDAP (LLDAP) ? #4475

Open siliconhippy opened 2 years ago

siliconhippy commented 2 years ago

Following up on your recent LDAP integration YouTube video, please look at this simplified GUI-based, multi-integration (Authelia, Keycloak, Nextcloud, ...) LDAP fork:

https://github.com/nitnelave/lldap

Do you think Meshcentral will also support LLDAP besides LDAP?


Your config.json file

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "_cert": "myserver.mydomain.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "production": false
  }
}
Ylianst commented 2 years ago

I have not tried it with LLDAP. MeshCentral makes use of ldapauth-fork and really does no LDAP operations except for user login. On login, the user information is given back and used by MeshCentral, it's super simple. At no point does MeshCentral try to query LDAP or do anything else. If I had to guess, it's probably going to work. If I get a chance, I may give it a try, but I have lots of requests.
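Since the only LDAP traffic is the search-then-bind that ldapauth-fork performs at login, the part of config.json that matters is the per-domain `ldap` section. The fragment below is an added example, not taken from the issue or from the MeshCentral documentation; it assumes LLDAP's default tree layout (base `dc=example,dc=com`, users under `ou=people`, the built-in admin at `uid=admin`) and LLDAP's default plain-LDAP port 3890, and the hostname `lldap.internal` and the password placeholder are constructed.

```json
{
  "domains": {
    "": {
      "_comment_ldap1": "Keys inside 'ldap' are passed to ldapauth-fork: bind as bindDN, search searchBase with searchFilter for the login name, then bind as the matched entry to verify the password.",
      "_comment_ldap2": "Hostname, DNs and the password value are constructed placeholders for this example.",
      "ldap": {
        "url": "ldap://lldap.internal:3890",
        "bindDN": "uid=admin,ou=people,dc=example,dc=com",
        "bindCredentials": "REPLACE_WITH_BIND_ACCOUNT_PASSWORD",
        "searchBase": "ou=people,dc=example,dc=com",
        "searchFilter": "(uid={{username}})"
      }
    }
  }
}
```

`bindCredentials` is a stored secret, so keep config.json readable only by the MeshCentral service account and prefer a dedicated low-privilege bind user over the LLDAP admin; once a certificate is in place, switch the URL to `ldaps://lldap.internal:6360` (LLDAP's default LDAPS port) so the per-login password binds are not sent in clear text.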

siliconhippy commented 2 years ago

Ok thanks 👍 MeshCentral continues to be amazing as a FOSS comprehensive remote access tool with good tech support.

Now I just hope MC devs find an easy way to use meshagent remote access and some openLDAP database sync/data exchange to create a remote access + AAA FOSS tool! 🤗😹

Ylianst commented 2 years ago

Thanks.

I don't quite understand the second part on "remote access+ AAA FOSS", but I recently added a way to have LDAP membership groups be synchronized with MeshCentral user groups, I have the blog on this here. I also have a YouTube video on that coming up on September 28th on the MeshCentral YouTube channel. It should allow you to grant device permissions based on LDAP memberships.

siliconhippy commented 2 years ago

Ylianst,

Great blog. I believe most of the LDAP + MC integration is being addressed above.

What I meant was using meshagent as remote access for LDAP behind firewall/ blocked ports. One behind-firewall method is to use VPNs as you had suggested in the YouTube comments (my followup comment had disappeared.) The other way could be to use meshagent itself πŸ˜‰

Anyway one nice and easy feature that could be added to the current MC+ LDAP integration: the ability to display /import LDAP username /other labels as device tags in MC. Or maybe it is done already ?

Ylianst commented 2 years ago

I see. At that point, it's a generic TCP port forwarding issue, nothing specific to LDAP. As long as an agent can forward a port back to the target. If you have an exact idea on this, probably a good thing for a different issue.

As for "the ability to display /import LDAP username /other labels as device tags in MC" - probably don't have that. I would need more details on exactly what is needed and why it would be useful. I am out on vacation in a week for 6 weeks, probably not something I will look at short term.

siliconhippy commented 2 years ago

The LDAP username as a device tag is useful, IMHO: it tells you which username is attached to which device. So you don't have to find the 1-1 correspondence.