kimchi-project / kimchi

An HTML5 management interface for KVM guests
https://github.com/kimchi-project/kimchi/releases/latest

Allow external auth #572

Open laptop006 opened 9 years ago

laptop006 commented 9 years ago

Instead of using PAM itself, kimchi should allow the use of external auth in the HTTP proxy. This only makes sense once #570 is resolved.

lvroyce commented 9 years ago

Hi, now besides PAM, we can also use pre-configured LDAP for authentication.

laptop006 commented 9 years ago

True, but allowing external auth allows things like SSO systems to work without additional effort.

alinefm commented 9 years ago

@laptop006 Could you elaborate more on this feature request?

laptop006 commented 9 years ago

Hmm, thought I already had, but clearly not. My reasoning is something like:

SSO systems such as SAML (most known via the Shibboleth version[1] in use in many universities) are fairly common in medium to large business & education environments.

It's not just a single data store, which you get with LDAP (either directly or via PAM), but that you only need to authenticate once, to a central site, to be authenticated to every system that uses it.

Actually implementing the client side of these protocols is a pain, and as modules for the major web servers already exist (that said, I've checked but it looks like nginx isn't quite there) allowing the web server to say "user is 'foo'" solves the problem nicely.

Another option, given the very limited use of roles in Kimchi at the moment would be to add a "method = none" authentication option that just treats every user as privileged, obviously not the default, but it would allow this use case to work, and is often useful for debugging.

1: http://en.wikipedia.org/wiki/Shibboleth_(Internet2)
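
The approach discussed in this thread, where the web server tells the backend "user is 'foo'", is only safe if the backend accepts that assertion from the proxy alone. The following is an added example, not Kimchi code and not part of the thread; the header name `X-Remote-User`, the loopback proxy addresses and the user name pattern are assumptions.

```python
import ipaddress
import re

# Assumed values for illustration; none of these come from Kimchi.
IDENTITY_HEADER = "x-remote-user"
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


class AuthError(Exception):
    """The request carries no acceptable proxy-asserted identity."""


def peer_is_trusted(peer_ip):
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_user(peer_ip, headers):
    """Return the proxy-asserted user; headers is a list of (name, value)."""
    if not peer_is_trusted(peer_ip):
        # A client that reaches the backend directly can send any header.
        raise AuthError("identity header not accepted from this peer")
    values = [v for n, v in headers if n.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        # Zero: the proxy did not authenticate. Several: the proxy failed to
        # strip a client-supplied copy before adding its own.
        raise AuthError("missing or duplicated identity header")
    user = values[0].strip()
    if not USERNAME_RE.fullmatch(user):
        raise AuthError("malformed user name")
    return user


def check(peer_ip, headers):
    """Map the outcome to a short string, for logging or tests."""
    try:
        return "ok:" + resolve_user(peer_ip, headers)
    except AuthError as exc:
        return "denied:" + str(exc)


if __name__ == "__main__":
    # Constructed sample requests.
    print(check("127.0.0.1", [("X-Remote-User", "foo")]))
    print(check("203.0.113.7", [("X-Remote-User", "root")]))
```

The proxy side has to match: it must overwrite or remove any client-supplied copy of the header before forwarding, and the backend should listen only on an address the proxy can reach.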