Open handlerug opened 3 years ago
This is the list of all the API libraries available, we probably need this one
The feature in question turned out to be an overly complex hairball of different protocols and communication methods with a ton of enterprise sauce on the top which I couldn't understand in a reasonable timeframe, so I'm unassigning it from myself. Feel free to pick it up.
Are we still going to implement this?
@bouncepaw Depends on how we would implement it, and how hard it is. SSO is usually released as an Enterprise/Premium feature. 🤔
So, maybe we should wait for some Enterprise/Premium money whale to come and offer gold for this feature? And close the issue for now, because I don't think it's going to happen any time soon.
LDAP environment seems a little complicated to reproduce and mostly relies on M$ software (even though we have OpenLDAP). Do we have a real chance to put Mycorrhiza into enterprise?
Ew, Microsoft. Not in this mushroom garden.
I mean, it looks simple enough with the provided library, we just add one more user source and a whole configuration section. And it is usable in *nix enterprise networks with OpenLDAP installed, not only M$.
Just... Is anybody here ready to perform a proper battle test? I've lost some teeth setting up ADDC on Linux when I was getting my bachelor's degree. Though, NixOS could have some options to make it less painful.
If it is so easy, then why did @handlerug resign themselves from the task? They said it was hard. I suppose it is.
As for battle testing, @Astrr seems to be the best candidate. They are the one with the biggest interest in SSO after all.
This library was provided above: https://github.com/jtblin/go-ldap-client
It seems so unstable tbh.
Dunno, in short.
About simplicity, look at the usage example: https://github.com/jtblin/go-ldap-client#usage I haven't looked up any alternatives, but they're called low-level (we don't want to stick our hands into that, do we?).
In fact, this thing is just like simple sign-in, but instead of Mycorrhiza's own credentials DB it looks up the domain's one. The password should be sent in plain text in this case, though.
Uh oh alright let's keep this open then
It may look simple from the surface, but there might be some hidden gotchas that'll ruin the whole security model. I don't really want to deal with that possibility, so I resigned myself from the issue. Maybe it's simple, not like I know or care.
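As an added illustration of the two points above (the earlier "one more user source and a configuration section" idea, and the hidden gotchas that can ruin the security model), here is a stand-alone Go sketch. It is not Mycorrhiza's code and it does not use go-ldap-client's API: the `Binder` type, the `LDAPConfig` keys, `fakeDirectory` and all sample users are assumptions constructed for this example. The two guards in `LDAPSource.Authenticate` are the ones a reviewer would ask for: a simple bind sends the password as-is, so the source refuses to run without TLS, and a bind with a DN plus an empty password is an unauthenticated bind that many directories answer with success, so an empty password is rejected before the server is ever asked.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// UserSource is one place the wiki can check a username/password pair against.
// Login tries the sources in order; the first one that knows the user decides.
type UserSource interface {
	Authenticate(username, password string) (bool, error)
}

// ErrUnknownUser tells Login to move on to the next source.
var ErrUnknownUser = errors.New("user not found in this source")

// LocalSource is the wiki's own credentials table. Salted SHA-256 keeps the example
// stdlib-only; a real wiki would use a password KDF such as bcrypt or argon2.
type LocalSource struct {
	Salt   []byte
	Hashes map[string][32]byte // username -> sha256(salt || password)
}

func (s LocalSource) Authenticate(username, password string) (bool, error) {
	want, ok := s.Hashes[username]
	if !ok {
		return false, ErrUnknownUser
	}
	got := sha256.Sum256(append(append([]byte{}, s.Salt...), password...))
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1, nil
}

// LDAPConfig is the extra configuration section an LDAP source needs (hypothetical keys).
type LDAPConfig struct {
	Host         string
	Port         int
	UseTLS       bool   // LDAPS or StartTLS; a simple bind carries the password as-is
	UserDNFormat string // e.g. "uid=%s,ou=People,dc=example,dc=org"
}

// Binder performs an LDAP simple bind and returns nil on success. Assumption: it stands
// in for whatever the chosen client library offers; here a fake directory implements it.
type Binder func(dn, password string) error

var errInvalidCredentials = errors.New("ldap: invalid credentials")

// LDAPSource signs the user in by binding as them against the domain directory.
type LDAPSource struct {
	Config LDAPConfig
	Bind   Binder
}

func (s LDAPSource) Authenticate(username, password string) (bool, error) {
	if !s.Config.UseTLS {
		return false, errors.New("refusing LDAP bind over cleartext: password would travel in plain text")
	}
	// RFC 4513 section 5.1.2: a DN with an empty password is an unauthenticated bind,
	// which many directories accept as anonymous. Treating that as a login would let
	// anyone in as any user, so reject it before contacting the server.
	if password == "" {
		return false, nil
	}
	// The username is interpolated into a DN; refuse characters that could alter its structure.
	if strings.ContainsAny(username, ",+=\"\\<>;#\r\n") {
		return false, nil
	}
	err := s.Bind(fmt.Sprintf(s.Config.UserDNFormat, username), password)
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, errInvalidCredentials):
		return false, nil // wrong password or no such DN: same answer, no error
	default:
		return false, err // connection or TLS problems surface to the caller
	}
}

// Login walks the configured sources in order.
func Login(sources []UserSource, username, password string) (bool, error) {
	for _, src := range sources {
		ok, err := src.Authenticate(username, password)
		if errors.Is(err, ErrUnknownUser) {
			continue
		}
		return ok, err
	}
	return false, nil
}

// fakeDirectory is a constructed stand-in for a directory server, including the
// unauthenticated-bind behaviour the guard above exists for.
func fakeDirectory(entries map[string]string) Binder {
	return func(dn, password string) error {
		if password == "" {
			return nil // the server reports success for an anonymous bind
		}
		if pw, ok := entries[dn]; ok && pw == password {
			return nil
		}
		return errInvalidCredentials
	}
}

// DemoSources wires a local table and an LDAP source with constructed sample users.
func DemoSources(useTLS bool) []UserSource {
	local := LocalSource{Salt: []byte("constructed-salt"), Hashes: map[string][32]byte{}}
	local.Hashes["alice"] = sha256.Sum256([]byte("constructed-salt" + "wonderland"))
	dir := LDAPSource{
		Config: LDAPConfig{Host: "ldap.example.org", Port: 636, UseTLS: useTLS,
			UserDNFormat: "uid=%s,ou=People,dc=example,dc=org"},
		Bind: fakeDirectory(map[string]string{"uid=bob,ou=People,dc=example,dc=org": "hunter2"}),
	}
	return []UserSource{local, dir}
}

func main() {
	for _, c := range [][2]string{{"alice", "wonderland"}, {"bob", "hunter2"}, {"bob", ""}, {"bob", "wrong"}} {
		ok, err := Login(DemoSources(true), c[0], c[1])
		fmt.Printf("%s/%q -> ok=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```

Running `main` shows alice accepted from the local table, bob accepted from the directory, and bob with an empty or wrong password refused, even though the fake directory itself returns success for the empty-password bind. Swapping `fakeDirectory` for a real client's bind call is the only change a deployment would need, which is exactly why the guards belong in the wiki's source and not in the library.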
Yessss OpenID Connect support would be ideal, gonna take a look at #149 now :eyes:
https://en.wikipedia.org/wiki/Single_sign-on