Open mittler-works opened 1 year ago
The second half (not storing password hashes) would get fixed with #8377
Aside from the PR above, users will still have to be synced even if this happens just-in-time, due to the database design relying on the user existing within authentik's database.
I think it is totally fine that users are synchronized just-in-time into the database, as long as it is not generally all users from the LDAP, but only those who log in. This is my main concern, as our LDAP is really huge and probably less than 5% will actually log in to Authentik.
This would mean that Authentik would need a mechanism that automatically creates users if they log in via LDAP Backend and do not yet exist in the database.
Is your feature request related to a problem? Please describe.
Yes, we would like to use authentik with a pretty huge LDAP backend. We do not want to sync that entire LDAP into authentik for various reasons. Aside from that, we do not want to store the passwords of the LDAP users, even if they are hashed. On the one hand, this has data protection reasons; on the other hand, storing passwords is a bad idea for obvious reasons if no frequent synchronization takes place.
Describe the solution you'd like
Keycloak handles this very well: https://www.keycloak.org/docs/latest/server_admin/#configuring-federated-ldap-storage
I would love to see similar handling in Authentik.
Describe alternatives you've considered
Use Keycloak as LDAP proxy, i.e. use a Keycloak that authenticates against the LDAP and in turn is used as OIDC source in authentik.
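The behaviour asked for in this thread, creating a local user only on the first successful LDAP login and never keeping password material locally, is sketched below as an added example. It is illustrative code written for this page, not authentik's or Keycloak's implementation. The LDAP server is replaced by a constructed in-memory directory, and `ldap_bind` stands in for a real simple bind (for example `ldap3.Connection.bind()`); the `IdentityProvider` and `LocalUser` names are assumptions for the sake of the example.

```python
"""Just-in-time (JIT) provisioning from an external directory.

Added example, not authentik's or Keycloak's code. The directory, the user
names and their credentials below are constructed for this illustration.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the LDAP directory. The secret lives only here:
# the identity provider below never receives or stores a password hash.
_DIRECTORY = {
    "alice": {"password": "correct horse", "mail": "alice@example.org", "groups": ["staff"]},
    "bob":   {"password": "hunter2",       "mail": "bob@example.org",   "groups": ["students"]},
    # ... imagine thousands more entries that will never log in
}


def ldap_bind(username: str, password: str) -> Optional[dict]:
    """Simulated LDAP simple bind (assumption: a real deployment would call
    ldap3.Connection.bind() with the user's DN). Returns the entry's
    attributes on success, None on failure; the password never leaves here."""
    entry = _DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None
    return {k: v for k, v in entry.items() if k != "password"}


@dataclass
class LocalUser:
    """Local record created on demand. By design it has no password or
    hash field: authentication is always delegated to the directory."""
    username: str
    mail: str
    groups: list = field(default_factory=list)
    source: str = "ldap"


class IdentityProvider:
    """Holds only the users who have actually logged in, not the whole LDAP."""

    def __init__(self) -> None:
        self.users: dict[str, LocalUser] = {}

    def login(self, username: str, password: str) -> Optional[LocalUser]:
        attrs = ldap_bind(username, password)
        if attrs is None:
            # Failed bind or unknown user: no local record is created, so a
            # guessed or mistyped name cannot populate the local database.
            return None
        user = self.users.get(username)
        if user is None:
            # First successful login: create the record just-in-time.
            user = LocalUser(username, attrs["mail"], list(attrs["groups"]))
            self.users[username] = user
        else:
            # Later logins refresh attributes from the directory, which is
            # why no periodic full sync is needed for these users.
            user.mail = attrs["mail"]
            user.groups = list(attrs["groups"])
        return user


def stores_password_material(user: LocalUser) -> bool:
    """Check that the local record carries no secret-like field."""
    return any(k in ("password", "password_hash", "hash") for k in vars(user))


if __name__ == "__main__":
    idp = IdentityProvider()
    print(idp.login("alice", "wrong"))           # None, nothing created
    print(idp.login("alice", "correct horse"))   # LocalUser(...)
    print(sorted(idp.users))                     # ['alice'], bob never synced
```

Because the only state written locally is the attribute set returned by a successful bind, revoking the account in LDAP takes effect at the next login, and the local database grows with actual logins rather than with the size of the directory.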