dfir-iris / iris-web

Collaborative Incident Response platform
GNU Lesser General Public License v3.0

[FR] Just-in-time provisioning of users, with ldap authentication #203

Open c8y3 opened 1 year ago

c8y3 commented 1 year ago

Is your feature request related to a problem? Please describe.
When DFIR-IRIS is configured with ldap authentication mode, it is not possible to log in users that are present in the ldap but not already created in DFIR-IRIS (the login page displays the authentication error: "Error: Wrong credentials. Please try again."). Since the users are present in ldap, I would like them to access DFIR-IRIS without having to provision them manually.

Describe the solution you'd like
It would be nice for DFIR-IRIS to automatically create users the first time they log in with their ldap credentials.

Describe alternatives you've considered
As a work-around, we thought about writing an external script which retrieves all ldap users and creates them via the REST API in DFIR-IRIS. But this is not that simple, since new users may be added to the ldap at any time, so we would need to launch this script periodically. Maybe, as another alternative for DFIR-IRIS when in ldap mode, the application could entirely rely on data present in the ldap, rather than creating users locally in its database?

whikernel commented 1 year ago

Hi @c8y3

Yes indeed we might add this as an option. It was done on purpose but having both is probably the way to go. We're adding it to the roadmap 👍 We'll still need to have the user in DB to keep consistency in all the relationships. This is another thing on the roadmap, being able to delete a user for real while changing his account to a "ghost account".

Cheers

legoguy1000 commented 1 year ago

I was about to make an issue for this https://github.com/dfir-iris/iris-web/blob/6f1c1984de38e57e5171cf9f42212c152715e266/source/app/configuration.py#L214 not actually being used anywhere. This is currently a blocker for our use with OIDC since we were hoping to not have to create users individually.

I would also not make it just for LDAP but OIDC too, and any SSO in the future. With the current OIDC implementation, it requires oauth2-proxy, which can restrict access by groups, so auto-creating users should be safe.
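The flow requested in the opening post (create the local record on first successful directory login) together with the two constraints raised in the replies (the user must still exist in the local DB for relationship consistency, and access is gated by group membership as oauth2-proxy does), sketched as an added example; this is not iris-web code. The directory, the group names, the `analyst` default role and the in-memory user table are all constructed stand-ins for this illustration.

```python
"""Just-in-time (JIT) provisioning after an external (LDAP/OIDC-style) login.

Added example, not part of iris-web. The directory lookup stands in for an
LDAP bind or an OIDC token check; the local table stands in for the app DB.
"""
import hmac
from dataclasses import dataclass

# Constructed stand-in directory: username -> (password, groups)
DIRECTORY = {
    "alice": ("alice-pw", ["iris-analysts"]),
    "bob": ("bob-pw", ["staff"]),          # authenticates, but not in an allowed group
}
ALLOWED_GROUPS = {"iris-analysts"}          # group gate, as oauth2-proxy would enforce
DEFAULT_ROLE = "analyst"                    # least-privilege role for auto-created accounts


@dataclass
class LocalUser:
    username: str
    role: str
    active: bool = True
    source: str = "local"                   # "directory" marks JIT-provisioned accounts


LOCAL_DB = {}                               # constructed stand-in for the app's user table


def directory_authenticate(username, password):
    """Return the identity's groups on success, None on failure (stand-in for an LDAP bind)."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def login(username, password):
    """Authenticate externally first; only then create the local record if it is missing.

    Returns the LocalUser on success, None on any refusal (the caller shows one
    generic error so the response does not reveal which check failed).
    """
    groups = directory_authenticate(username, password)
    if groups is None:
        return None                         # wrong credentials: never create anything
    if not ALLOWED_GROUPS.intersection(groups):
        return None                         # authenticated but not authorised for this app
    user = LOCAL_DB.get(username)
    if user is None:
        # First login: keep a local record so case/task relationships stay consistent
        user = LocalUser(username=username, role=DEFAULT_ROLE, source="directory")
        LOCAL_DB[username] = user
    elif not user.active:
        return None                         # a locally disabled account is not silently revived
    return user
```

An existing local role is never overwritten on later logins, so an administrator's manual promotion survives the next directory authentication.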