greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0
1.42k stars, 70 forks

feature: LDAP assumes memberof is available which is deprecated in OpenLDAP #332

Open ForceFaction opened 5 months ago

ForceFaction commented 5 months ago

A clear and concise description of what you want the system to do.

The system should not assume memberof for LDAP. Every group contains a list of memberUids which should be searched instead for the user's uid.

What are the Caddyfile directives that need to be added.

The Caddyfile needs a flag that disables memberof. Then the groups a user belongs to can be found with a search_group_filter like this: (&(memberUid=%s)(objectClass=posixGroup)), where %s is the uid of the user.

greenpau commented 5 months ago

@ForceFaction , what are the changes you propose? Please provide a sample Caddyfile snippet. What are the changes to “go-authcrunch”? https://github.com/greenpau/go-authcrunch/blob/main/pkg/ids/ldap/authenticator.go
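The group lookup the issue asks for, written out as an added Go example (not code from caddy-security or go-authcrunch): a `GroupLookup` switch between reading `memberOf` from the user entry and running a `memberUid` search over `posixGroup` entries with the filter template from the request. The `Entry`, `Searcher`, `GroupLookup` and `FakeDirectory` names are assumptions for this example, not the project's types or Caddyfile directives. Because the uid is substituted into the filter, the example escapes it per RFC 4515 first, so a uid containing `(`, `)`, `*` or `\` cannot change the filter's structure; the in-memory directory is constructed sample data so the code runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Entry is a minimal stand-in for an LDAP search result (assumed type, not go-authcrunch's).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// Searcher abstracts the directory so the logic can be exercised without a live server.
type Searcher interface {
	Search(baseDN, filter string, attrs []string) ([]Entry, error)
}

// GroupLookup holds the two strategies the issue contrasts (field names are assumptions).
type GroupLookup struct {
	UseMemberOf       bool   // true: read memberOf from the user entry
	GroupBaseDN       string // subtree searched when UseMemberOf is false
	SearchGroupFilter string // e.g. "(&(memberUid=%s)(objectClass=posixGroup))"
}

// EscapeFilterValue escapes the characters RFC 4515 reserves (\ * ( ) NUL) and,
// conservatively, any other non-printable byte, so a user-supplied uid can be
// substituted into a filter template without altering the filter's structure.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		if c == '\\' || c == '*' || c == '(' || c == ')' || c < 0x20 || c > 0x7e {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildGroupFilter substitutes the escaped uid for %s in the template.
func BuildGroupFilter(template, uid string) string {
	return strings.ReplaceAll(template, "%s", EscapeFilterValue(uid))
}

// firstRDNValue returns "admins" for "cn=admins,ou=groups,dc=example,dc=org".
func firstRDNValue(dn string) string {
	rdn := strings.SplitN(dn, ",", 2)[0]
	if i := strings.Index(rdn, "="); i >= 0 {
		return rdn[i+1:]
	}
	return rdn
}

// GroupsForUser resolves the user's group names with the configured strategy.
func GroupsForUser(s Searcher, cfg GroupLookup, user Entry) ([]string, error) {
	var groups []string
	if cfg.UseMemberOf {
		for _, dn := range user.Attrs["memberOf"] {
			groups = append(groups, firstRDNValue(dn))
		}
		return groups, nil
	}
	uids := user.Attrs["uid"]
	if len(uids) == 0 {
		return nil, errors.New("user entry has no uid attribute")
	}
	entries, err := s.Search(cfg.GroupBaseDN, BuildGroupFilter(cfg.SearchGroupFilter, uids[0]), []string{"cn"})
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		groups = append(groups, e.Attrs["cn"]...)
	}
	return groups, nil
}

// FakeDirectory is a constructed in-memory stand-in for an OpenLDAP server holding
// posixGroup entries. It only understands the filter shape built above: it takes the
// value after "(memberUid=" up to the next ")" and matches memberUid values exactly.
type FakeDirectory struct {
	Groups     []Entry
	LastFilter string // recorded so callers can inspect the filter actually sent
}

func (f *FakeDirectory) Search(baseDN, filter string, attrs []string) ([]Entry, error) {
	f.LastFilter = filter
	start := strings.Index(filter, "(memberUid=")
	if start < 0 {
		return nil, errors.New("fake directory: unsupported filter")
	}
	rest := filter[start+len("(memberUid="):]
	end := strings.Index(rest, ")")
	if end < 0 {
		return nil, errors.New("fake directory: unterminated filter")
	}
	want := rest[:end]
	var out []Entry
	for _, g := range f.Groups {
		for _, m := range g.Attrs["memberUid"] {
			if m == want {
				out = append(out, g)
				break
			}
		}
	}
	return out, nil
}

// SampleDirectory returns constructed posixGroup entries for the example.
func SampleDirectory() *FakeDirectory {
	return &FakeDirectory{Groups: []Entry{
		{DN: "cn=admins,ou=groups,dc=example,dc=org", Attrs: map[string][]string{"cn": {"admins"}, "memberUid": {"jdoe", "root"}}},
		{DN: "cn=developers,ou=groups,dc=example,dc=org", Attrs: map[string][]string{"cn": {"developers"}, "memberUid": {"jdoe", "asmith"}}},
		{DN: "cn=auditors,ou=groups,dc=example,dc=org", Attrs: map[string][]string{"cn": {"auditors"}, "memberUid": {"asmith"}}},
	}}
}

func main() {
	dir := SampleDirectory()
	cfg := GroupLookup{GroupBaseDN: "ou=groups,dc=example,dc=org", SearchGroupFilter: "(&(memberUid=%s)(objectClass=posixGroup))"}
	user := Entry{DN: "uid=jdoe,ou=people,dc=example,dc=org", Attrs: map[string][]string{"uid": {"jdoe"}}}
	groups, err := GroupsForUser(dir, cfg, user)
	fmt.Println(groups, err, dir.LastFilter)
}
```

Against a real server the `Searcher` would wrap an LDAP client's search call with `GroupBaseDN` as the base and `cn` as the only requested attribute; the `FakeDirectory` exists only so the filter construction and the memberUid matching can be checked offline.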