Sync users via LDAP / AD or another remote MySQL server table

[Schaussi]

Just another suggestion; would be useful especially in environments with already existing centralized user management.

[wvengen]

Interesting idea! Another option would be to support external authentication providers #336.

[wvengen]

See also the Discourse plugin and foodcoop-adam's userinfo and vokomokum plugins.

[decentral1se]

Hey, great that this is already being proposed. LDAP support would be particularly useful as I am thinking about packaging this application for self-hosting with the https://yunohost.org/ project (which makes great use of a LDAP SSO integration).

If someone could point me in the right direction of which extension/plugin/whatever might be suitable for using and if the PR would be accepted, then I might give it a shot. I'm no Ruby programmer but let's see :bomb:

[wvengen]

A very quick reply on how external SSO for Foodsoft may look like. The most clean way would be to add support in Foodsoft #336, but until that has happened, a plugin could be a solution now.

The vokomokum plugin uses a shared cookie and queries an external service for auth information based on the cookie, and auto-creates users and groups based its response. But the plugin also does many other things, so it's not that straightforward to pick out the things you need, I guess.

I'd start making something like this:

• hook ApplicationController#redirect_to_login (like here) to redirect to a custom controller in the plugin that does the login
• you may also want to hook logout there to do single-logout
• implement a custom controller with the login action, which checks if user is logged into SSO
  • this could do an OAuth-like redirect dance
  • a (domain-)shared cookie could be used (like the vokomokum plugin)
  • there must be more ways to tackle this
• user info is probably best retrieved by an API call from Foodsoft
• if a user doesn't exist, create it
• (optional) if you have groups in SSO, update memberships

[wvengen]

One question: what does SSO mean here in "LDAP SSO"? Is it a) that you enter your credentials once, and then you use the 'login' in other applications (like OAuth)? Or is it b) that you have a central username/password combination, which you can use to log into Foodsoft?