operasoftware / dns-ui

Opera's LDAP-authenticated PowerDNS user interface
Apache License 2.0
283 stars 58 forks

LDAP-authentication/authorization #38

Open joachimtingvold opened 6 years ago

joachimtingvold commented 6 years ago

Hi,

I'm guessing "patches welcome" is the general idea, but thought it would be good to discuss it first, before I start coding.

We're looking to start using this frontend, but we already "protect" some of our services with a dummy (i.e. static/simple) BasicAuth "wall" (to avoid being scraped/tested for vulnerabilities/brute-force/similar).

(yes, I know it's somewhat "security by obscurity", but that's just one of the layers, and mitigates the majority of attempts to find flaws).

However, this solution does not combine well with this project that relies on the web server doing the LDAP part (via BasicAuth).

I'm therefore looking to implement the LDAP-authentication/authorization as part of the front-end (web form, bla bla). Shouldn't be that much work, and the rest of the logic would remain more or less the same.

Some questions;

1) Any particular reason why it was done this way in the first place? Simplicity? (i.e. keep the LDAP-logic outside the project?).
2) I guess we want it to be configurable what to use? (i.e. a switch where you can select which method to use).
3) Anything else that should be thought of? I'm already having #29 in mind when doing this, so that it should be easier to expand the code to handle that as well.

thomas-pike commented 6 years ago

Hi

Thanks for your interest in contributing! Some answers to your questions:

  1. The only real reason is that this is how most web apps in use within our company worked at the time that this was developed. I would be more than happy to have this functionality moved into the application, and also away from HTTP authentication, so that we can also resolve #20.
  2. Yes, it would be good to retain the ability to delegate authentication to the web server, so server admins can continue to use any dedicated Apache/Nginx authentication module if they need to.
  3. When considering how to allow server admins to configure the authentication method, it might be wise to consider allowing for possible future expansion of authentication methods (eg. integrating with external SSO solutions).
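
A sketch of the configurable, pluggable layout described in the answer above (the web-server-delegated method beside an in-application LDAP form login, with a config switch that leaves room for further methods), added here as an example; it is not code from dns-ui. The class names, config keys, reliance on `REMOTE_USER` and the `uid=...,baseDn` DN layout are assumptions.

```php
<?php
// Added example, not dns-ui code; class names, config keys and the
// uid=...,baseDn DN layout are assumptions.
interface Authenticator {
    /** Return the authenticated username, or null if not authenticated. */
    public function authenticate(array $request): ?string;
}

// Method "remote": delegate to the web server (Apache/Nginx auth module).
// REMOTE_USER is set by the server itself, not taken from a request header.
class RemoteUserAuthenticator implements Authenticator {
    public function authenticate(array $request): ?string {
        $user = $_SERVER['REMOTE_USER'] ?? '';
        return $user !== '' ? $user : null;
    }
}

// Method "ldap": in-application login form verified by an LDAP bind.
class LdapFormAuthenticator implements Authenticator {
    public function __construct(private string $uri, private string $baseDn,
                                private string $uidAttr = 'uid') {}
    public function authenticate(array $request): ?string {
        $user = (string)($request['username'] ?? '');
        $pass = (string)($request['password'] ?? '');
        // An empty password turns ldap_bind() into an anonymous bind, which
        // many directories accept, so refuse it before binding.
        if ($user === '' || $pass === '') {
            return null;
        }
        $conn = ldap_connect($this->uri);
        if ($conn === false) { return null; }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        // Escape the username for DN context so it cannot reshape the DN.
        $dn = sprintf('%s=%s,%s', $this->uidAttr,
                      ldap_escape($user, '', LDAP_ESCAPE_DN), $this->baseDn);
        $ok = @ldap_bind($conn, $dn, $pass);
        ldap_unbind($conn);
        return $ok ? $user : null;
    }
}

// Config switch selecting the method; an unknown value fails closed.
function make_authenticator(array $config): Authenticator {
    switch ($config['auth_method'] ?? 'remote') {
        case 'remote': return new RemoteUserAuthenticator();
        case 'ldap':   return new LdapFormAuthenticator($config['ldap_uri'],
                                                        $config['ldap_base_dn']);
        default: throw new RuntimeException('Unknown auth_method');
    }
}
```

A future SSO method would be a third `Authenticator` implementation plus one more `case`, with the rest of the application only ever calling `authenticate()`.
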

Learloj commented 6 years ago

I'd be really interested in this enhancement as well! :-)

emollusion commented 3 years ago

Maybe this is a bit further from the work needed, but turning to PAM instead of LDAP altogether could be a good improvement as well. PAM is already used by nginx to authenticate, so it shouldn't be that much different.