Add LDAP user integration

[jnraine]

Allow the configuration and integration of an LDAP server to synchronize group membership from an LDAP-based group to a munkiserver-based group.

As the implementation takes shape, the above requirements may change.

[rickychilcott]

When we say synchronize what do we mean? I think the easiest implementation would be to parse through the users groups upon login, and have those LDAP group names be attributes attached to the User Groups for each unit. Then each permission;s shortname will inform MunkiServer which permission level to grant.

For instance, the Library unit might say it's LDAP group name is "munki-library" and the permissions for Library are User ("user") and Administrator("administrator"). If they are in the munki-library-administrator group then they will be granted Administrator privileges to the Library unit.

Pulling the user's groups could happen upon login only, on a time schedule, or upon cookie expiration. I think the safest and most secure would be at login and on a every 5 minute basis.

[jnraine]

As I see it, there are two very different ways to synchronize groups: group mirroring and group subscription. Group mirroring refers to mirroring LDAP groups to munkiserver groups (name and members). Group subscription is when a munkiserver group subscribes to an LDAP group's (or multiple groups) members.

I favour the latter. With group mirroring, it becomes unclear who has permission to what group. To what unit does each group belong? With group subscription, anyone with user group create/modify permission can create a group and subscribe that group to an LDAP group's members.

The UI for this would be a simple field that allows a user to type an LDAP group name.

I would likely delegate the task of group synchronization to a cronjob that ran every 5 minutes, as you mentioned, and cut out the check at login – for the sake of snappiness.

Does that sound suitable for your environment?

[rickychilcott]

I think we're thinking the same thing then. So In the User Group UI, you could edit the group and instead of just a name and description, there would also be an LDAP Group name (where you would write something like "munkiserver-library-administrators"). Correct?

My only thing is that you have to do the LDAP authentication at login anyway, it wouldn't be hard for you to do a query of the users groups and put them into the correct groups at login. Perhaps this is one of those things that it's hard to communicate over text.

[jnraine]

Yep, sounds like were are on the same page.

Regarding the user group membership synchronization, perhaps we could do a check upon login for only that user's membership. I'm not particularly familiar with LDAP query performance – if that makes little to no difference in request time, I wouldn't be oppose that idea. In fact, it'd be quite handy.

I'll move on this next time I code with munkiserver.

On 2011-10-30, at 2:49 PM, Ricky Chilcott wrote:

I think we're thinking the same thing then. So In the User Group UI, you could edit the group and instead of just a name and description, there would also be an LDAP Group name (where you would write something like "munkiserver-library-administrators"). Correct?

My only thing is that you have to do the LDAP authentication at login anyway, it wouldn't be hard for you to do a query of the users groups and put them into the correct groups at login. Perhaps this is one of those things that it's hard to communicate over text.

Reply to this email directly or view it on GitHub: https://github.com/jraine/munkiserver/issues/87#issuecomment-2571762