logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0

feature request: Can you add an LDAP connector and integrate it? #1588

Open adoresli opened 2 years ago

adoresli commented 2 years ago

What problem did you meet?

I have fully experienced almost all the features, they're so excellent! But if I want to use it in my production environment, I need to solve the user sync problem manually.

Describe what you'd like Logto to have

Could your team add LDAP database authentication as one of the authentication methods in this app? It's a very useful feature. Thanks for your attention!

gao-sun commented 2 years ago

thank you! that's what we are planning now :-) we have a public roadmap that you can track. it is definitely in our scope. stay connected.

fleuraly commented 2 years ago

@adoresli hello this is Guamian from Logto Product team! Thanks for the feature request! I'm curious to learn more about your team or company's needs and situation. Would you mind spending around 10 minutes to e-chat through that? Also, feel free to join our discord channel. :P

taqtiqa-mark commented 2 years ago

One use case would be Light LDAP support. The LLDAP project may also help with integration testing?

gao-sun commented 1 year ago

we investigated LDAP and decided to move on after #3344, @darcyYe @wangsijie can add more context

darcyYe commented 1 year ago

The authorization process of LDAP is different from OAuth and OIDC. The latter works by Logto initiating an authorization request on behalf of the user, who then completes the authorization process through various means such as username and password or verification code. Upon successful authorization, Logto obtains permission. However, according to the authorization process of LDAP and the current Logto design, Logto needs to use the user's username and password information to request permission from the LDAP server. We do not want Logto to have access to the user's login information, as this may pose security and legal risks. We need to find a better way to address the above-mentioned issues.

kidlj commented 11 months ago

> Logto needs to use the user's username and password information to request permission from the LDAP server.

Logto's password encryption algorithm may differ from LDAP's; how can this be possible?

chansdad commented 10 months ago

> The authorization process of LDAP is different from OAuth and OIDC. The latter works by Logto initiating an authorization request on behalf of the user, who then completes the authorization process through various means such as username and password or verification code. Upon successful authorization, Logto obtains permission. However, according to the authorization process of LDAP and the current Logto design, Logto needs to use the user's username and password information to request permission from the LDAP server. We do not want Logto to have access to the user's login information, as this may pose security and legal risks. We need to find a better way to address the above-mentioned issues.

Isn't Logto already storing user login and password when it is functioning as an identity provider? What I see is Logto has its own local DB based authentication feature as well as authentication via SAML and other providers. Can it be possible to mark a user as being authenticated via LDAP and not store the user's password in Logto but pass it over to LDAP for authentication and authorization? One strategy that can be used is to first authenticate via LDAP and, if the user is not present, authenticate against the local DB, or vice versa. A common practice in enterprise applications implementing CAS. I would be very much interested in this feature. I came across Logto for a product/solution I am building which requires SAML and LDAP integration, and more so Azure AD authentication.

TheLonelinessOfHS commented 4 weeks ago

> The authorization process of LDAP is different from OAuth and OIDC. The latter works by Logto initiating an authorization request on behalf of the user, who then completes the authorization process through various means such as username and password or verification code. Upon successful authorization, Logto obtains permission. However, according to the authorization process of LDAP and the current Logto design, Logto needs to use the user's username and password information to request permission from the LDAP server. We do not want Logto to have access to the user's login information, as this may pose security and legal risks. We need to find a better way to address the above-mentioned issues.

Try Bind Auth in LDAP which allows you to verify the password without getting the original password hash in store.
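As an added illustration of the trade-off in darcyYe's comment and the bind suggestion above (example code written for this thread, not part of Logto or any library): a minimal RFC 4511 simple-bind codec with a constructed in-memory stand-in for the directory. It shows that a bind lets the IdP verify a password without ever receiving the directory's stored hash, while the cleartext password still passes through the IdP and onto the wire, so the LDAP connection needs LDAPS or StartTLS. The DN, the user table and the fake server are constructed for the example.

```python
from collections.abc import Callable

def _ber_len(n: int) -> bytes:             # BER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, body: bytes) -> bytes:  # tag, length, value
    return bytes([tag]) + _ber_len(len(body)) + body
def _int(n: int) -> bytes:                 # minimal non-negative INTEGER (sign bit kept clear)
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password is a plain OCTET STRING: the IdP forwards it in cleartext, never a hash."""
    bind = (_tlv(0x02, b"\x03")                 # version INTEGER 3
            + _tlv(0x04, dn.encode())           # name LDAPDN
            + _tlv(0x80, password.encode()))    # authentication: simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, bind))  # 0x60 = [APPLICATION 0]

def _children(buf: bytes) -> list[tuple[int, bytes]]:
    """Split a BER buffer into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                           # long-form length
            k = ln & 0x7F; ln = int.from_bytes(buf[pos:pos + k], "big"); pos += k
        out.append((tag, buf[pos:pos + ln])); pos += ln
    return out

def parse_bind_response(msg: bytes) -> tuple[int, int, str]:
    """(messageID, resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    (_, mid), (tag, resp) = _children(_children(msg)[0][1])[:2]
    if tag != 0x61:                             # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    (_, code), _matched_dn, (_, diag) = _children(resp)[:3]
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def fake_directory(users: dict[str, str]) -> Callable[[bytes], bytes]:
    """Constructed stand-in for the LDAP server: replies 0 (success) or 49 (invalidCredentials).
    Only the directory holds the credentials; the IdP side below never keeps them."""
    def serve(request: bytes) -> bytes:
        (_, mid), (_, bind) = _children(_children(request)[0][1])[:2]
        _version, (_, dn), (_, pw) = _children(bind)
        ok = users.get(dn.decode()) == pw.decode()
        result = (_tlv(0x0A, b"\x00" if ok else b"\x31") + _tlv(0x04, b"")
                  + _tlv(0x04, b"" if ok else b"invalid credentials"))
        return _tlv(0x30, _tlv(0x02, mid) + _tlv(0x61, result))
    return serve

def bind_authenticate(send: Callable[[bytes], bytes], dn: str, password: str) -> bool:
    """IdP-side check: True only if the directory accepts the bind; nothing is stored here."""
    _, code, _ = parse_bind_response(send(bind_request(1, dn, password)))
    return code == 0
```

With a real server, `send` would be a function that writes the request over an LDAPS/StartTLS socket and reads back one LDAPMessage.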