jech / galene-ldap

LDAP support for the Galene videoconferencing server
https://galene.org
MIT License

Authentication using LDAP: granting operator and token permissions #2

Open zerolabnet opened 1 year ago

zerolabnet commented 1 year ago

When using LDAP integration for the Galene videoconferencing server, the authenticated user does not consider the "unrestricted-tokens" parameter. The user joins with "Presenter" privileges, but cannot invite users.

jech commented 1 year ago

That's normal: if you're using galene-ldap, you're delegating permission management to galene-ldap: the permissions are decided by galene-ldap, and Galene fully obeys the permissions that are contained in the token.

https://github.com/jech/galene-ldap/blob/master/token.go#L107

If you wish to allow users authenticated through galene-ldap to be able to create tokens, you'll need to modify galene-ldap so it provides the token permission. This could either be done when the user has a specific LDAP permission, or we could modify Galene so it informs the authentication server (galene-ldap) when the unrestrictedTokens option has been set. Or perhaps we could just have a list of groups in the galene-ldap configuration for which galene-ldap grants the token permission.

Which of the above would solve your use case? Or perhaps you have other ideas?

zerolabnet commented 1 year ago

Modify Galene so it informs the authentication server (galene-ldap) when the unrestrictedTokens option has been set – ideal option.

Thank you for a wonderful product!

zerolabnet commented 1 year ago

I have modified token.go in galene-ldap. Everything works as expected! Thank you for the tip, this solution is enough for me.

zerolabnet commented 1 year ago

One more question. How can I inform Galene from galene-ldap about who should be the group operator? From JSON, Galene only determines who the operator is for the built-in authorization mechanism.

jech commented 1 year ago

It's encoded in the permissions, using permission "op".

In order to implement it, you'd need to replace https://github.com/jech/galene-ldap/blob/master/token.go#L107 with something like

// Operators get "op" in addition to the permissions everyone receives.
if isOperator(location, username) {
    m["permissions"] = []string{"op", "present", "token"}
} else {
    m["permissions"] = []string{"present", "token"}
}

It's not currently implemented, since I'm not sure how the isOperator function should operate: should it consult LDAP, should it consult a hard-wired list of usernames?

zerolabnet commented 1 year ago

It will be enough if the parameters are taken from galene-ldap.json in the following format:

"op": [
    {"group": "xxx", "username": ["xxx","yyy"]},
    {"group": "yyy", "username": ["xxx","yyy"]}
]
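
The two comments above (jech's sketch of an isOperator-based permission list, and the "op" configuration format proposed in reply) can be joined into one working piece. The following Go program is an added example, not code from galene-ldap or from either participant; the Config struct, the parseConfig/isOperator/permissionsFor names and the sample group and user names are all assumptions made for the illustration. The `group` argument plays the role of `location` in jech's snippet, and the `allowTokens` flag stands in for the unrestrictedTokens behaviour discussed earlier in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// OpEntry is one element of the proposed "op" array: a group name and the
// usernames that should hold the operator permission in that group.
type OpEntry struct {
	Group    string   `json:"group"`
	Username []string `json:"username"`
}

// Config holds only the "op" key of galene-ldap.json; the rest of the real
// configuration file is not shown in the thread and is left out (assumption).
type Config struct {
	Op []OpEntry `json:"op"`
}

// sampleConfig is a constructed galene-ldap.json fragment in the proposed format.
const sampleConfig = `{
  "op": [
    {"group": "lecture", "username": ["alice", "bob"]},
    {"group": "seminar", "username": ["carol"]}
  ]
}`

// parseConfig decodes the "op" section. encoding/json ignores keys it does
// not know, so the real file can carry its other settings alongside "op".
func parseConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("galene-ldap.json: %w", err)
	}
	return &cfg, nil
}

// isOperator answers the question left open in the thread by consulting the
// configuration rather than LDAP: the user is an operator only if the exact
// group/username pair is listed. No wildcards and no case folding, so a typo
// in the config fails closed (no "op" granted) rather than open.
func isOperator(cfg *Config, group, username string) bool {
	for _, e := range cfg.Op {
		if e.Group != group {
			continue
		}
		for _, u := range e.Username {
			if u == username {
				return true
			}
		}
	}
	return false
}

// permissionsFor builds the slice that token.go would store under
// m["permissions"]. "op" is added only for configured operators and "token"
// only when the deployment has opted in, so token-creation rights are never
// handed out by default.
func permissionsFor(cfg *Config, group, username string, allowTokens bool) []string {
	perms := []string{}
	if isOperator(cfg, group, username) {
		perms = append(perms, "op")
	}
	perms = append(perms, "present")
	if allowTokens {
		perms = append(perms, "token")
	}
	return perms
}

func main() {
	cfg, err := parseConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	cases := []struct {
		group, user string
		tokens      bool
	}{
		{"lecture", "alice", true},
		{"lecture", "dave", true},
		{"seminar", "alice", false},
	}
	for _, c := range cases {
		fmt.Printf("%s/%s -> %v\n", c.group, c.user, permissionsFor(cfg, c.group, c.user, c.tokens))
	}
}
```

Keeping the decision in a plain config lookup means the LDAP directory is consulted only for authentication, and the operator list can be audited by reading one file; moving it into LDAP group membership would be the natural next step if the deployment already maintains such groups.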

jech commented 1 year ago

@ericgaspar @erdnaxe Opinions?

zerolabnet commented 1 year ago

I have implemented this format in my fork. For me this question is no longer relevant, I think we can close the issue. Also, it would be more correct of me to open it in the galene-ldap repository.