restic / rest-server

Rest Server is a high performance HTTP server that implements restic's REST backend API.
BSD 2-Clause "Simplified" License

Support LDAP Authentication #70

Open MorganDavis opened 6 years ago

MorganDavis commented 6 years ago

The .htpasswd auth is difficult to scale or manage beyond a few users. Supporting LDAP would allow for large number of users in both *nix and Windows environments.

frankf-cgn commented 6 years ago

I have implemented a basic POC. But as I have implemented it now - and without having much golang knowledge - I doubt that my naive approach is going to scale. The LDAP server is going to be hammered with requests; a single restic snapshots run alone results in eight LDAP calls.

I'm afraid an authentication cache level needs to be implemented, and that will definitely get ugly very quickly. Maybe I'm going to work on a solution based on pam+sssd.

frankf-cgn commented 6 years ago

I just finished implementing some credential caching using freecache and it looks promising. Just have to write some tests and do some code cleanup. @mholt Are you interested in a PR? There is certainly the need to do some code review, because I'm new to golang.
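The caching idea in the two comments above, worked through as an added example. This is not rest-server code and not the freecache-based implementation the commenter describes; it is a hypothetical `credentialCache` type that uses a mutex-guarded map so it runs with the standard library alone. The `directory` type stands in for the LDAP bind and counts how often it is called; its user table is a constructed fixture. The point it shows is the one a reviewer would look for: only successful authentications are cached, the cache holds a keyed hash of the credentials rather than the password, and entries expire.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// directory is the slow path the cache protects; in the real code it would
// be an LDAP bind. It counts calls so the saving is visible. The user table
// is a constructed fixture, not real credentials.
type directory struct {
	binds int
	users map[string]string
}

func (d *directory) bind(user, pass string) bool {
	d.binds++
	pw, ok := d.users[user]
	return ok && subtle.ConstantTimeCompare([]byte(pw), []byte(pass)) == 1
}

type cacheEntry struct {
	tag     []byte // HMAC of the credentials, never the password itself
	expires time.Time
}

// credentialCache remembers recent *successful* authentications for a TTL.
// Hypothetical type written for this example; the freecache dependency
// mentioned in the thread is replaced by a plain map.
type credentialCache struct {
	mu      sync.Mutex
	key     []byte           // random per-process key: a memory dump yields only keyed hashes
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
	entries map[string]cacheEntry
}

func newCredentialCache(ttl time.Duration) (*credentialCache, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &credentialCache{key: key, ttl: ttl, now: time.Now, entries: map[string]cacheEntry{}}, nil
}

// tag binds user and password together under the process key; the NUL
// separator keeps ("ab","c") and ("a","bc") distinct.
func (c *credentialCache) tag(user, pass string) []byte {
	m := hmac.New(sha256.New, c.key)
	m.Write([]byte(user))
	m.Write([]byte{0})
	m.Write([]byte(pass))
	return m.Sum(nil)
}

// authenticate answers from the cache when the same user presents the same
// password within the TTL and otherwise asks the directory. Failures are
// never cached, so a rejected password cannot be replayed from the cache.
func (c *credentialCache) authenticate(user, pass string, dir *directory) bool {
	want := c.tag(user, pass)
	now := c.now()

	c.mu.Lock()
	e, hit := c.entries[user]
	c.mu.Unlock()
	if hit && now.Before(e.expires) && hmac.Equal(e.tag, want) {
		return true
	}
	if !dir.bind(user, pass) {
		return false
	}
	c.mu.Lock()
	c.entries[user] = cacheEntry{tag: want, expires: now.Add(c.ttl)}
	c.mu.Unlock()
	return true
}

func main() {
	dir := &directory{users: map[string]string{"alice": "pw-alice"}} // constructed
	c, err := newCredentialCache(5 * time.Minute)
	if err != nil {
		panic(err)
	}
	// Eight requests, the count the comment above gives for one restic snapshots run.
	for i := 0; i < 8; i++ {
		c.authenticate("alice", "pw-alice", dir)
	}
	fmt.Println("directory binds:", dir.binds)
}
```

The TTL is the security trade-off to call out in review: a password changed or revoked in the directory stays valid here until the entry expires, so the TTL should be short and a failed bind should never extend it.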

mholt commented 6 years ago

Quite possibly -- approximately how big is the change?

wojas commented 6 years ago

I would suggest implementing a popen auth backend instead where rest-server opens a different process to handle authentication. This way anyone can implement an authentication backend in whatever language they like without rest-server having to ship with support for LDAP/IMAP/SSH/PAM/SMB/etc. PAM in particular sounds problematic, as it would require CGo if I'm correct.

Such a backend would read lines that could look like this (unindented JSON):

{"repo": "somerepo", "username": "someuser", "password": "somepassword", "action": "GET", "type": "snapshots", "object": "somehash"}\n

and respond with a message like {"ok": true}\n. The actual details of the protocol would require some more thought.

This would also allow for more complex rest-server ACLs without having to directly support all possible use cases within rest-server.
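The line-oriented exchange sketched in the comment above, as an added example that is not part of the original post and not a rest-server protocol. The `authRequest` field names are taken from the sample line; `runBackend` stands in for the external process and applies a constructed policy (fixed user table, each user may only touch the repo named after them); `popenClient` is the rest-server side. The two are connected with in-memory pipes here, where a real implementation would use the stdin/stdout pipes of a child process.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
)

// authRequest mirrors the JSON line sketched above. Field names follow that
// sketch; they are an assumption, not a defined protocol.
type authRequest struct {
	Repo     string `json:"repo"`
	Username string `json:"username"`
	Password string `json:"password"`
	Action   string `json:"action"`
	Type     string `json:"type"`
	Object   string `json:"object"`
}

// authResponse is the one-line reply: {"ok":true} or {"ok":false}.
type authResponse struct {
	OK bool `json:"ok"`
}

// runBackend stands in for the external process. It reads one JSON request
// per line and writes exactly one JSON reply per line. The policy is a
// constructed fixture: a fixed user table, and each user may only touch the
// repo that carries their own name.
func runBackend(r io.Reader, w io.Writer) error {
	users := map[string]string{"alice": "pw-alice", "bob": "pw-bob"} // constructed
	sc := bufio.NewScanner(r)
	enc := json.NewEncoder(w)
	for sc.Scan() {
		ok := false
		var req authRequest
		if err := json.Unmarshal(sc.Bytes(), &req); err == nil {
			pw, known := users[req.Username]
			ok = known &&
				subtle.ConstantTimeCompare([]byte(pw), []byte(req.Password)) == 1 &&
				req.Repo == req.Username
		}
		// Always answer, even to malformed input, so the caller never blocks
		// waiting for a reply that will not come.
		if err := enc.Encode(authResponse{OK: ok}); err != nil {
			return err
		}
	}
	return sc.Err()
}

// popenClient is the rest-server side: a writer to the backend's stdin and a
// line reader on its stdout. With a real child process these would come from
// os/exec; here they are in-memory pipes.
type popenClient struct {
	toBackend   io.WriteCloser
	fromBackend *bufio.Scanner
}

func newPopenClient(backend func(io.Reader, io.Writer) error) *popenClient {
	reqR, reqW := io.Pipe()
	respR, respW := io.Pipe()
	go func() { respW.CloseWithError(backend(reqR, respW)) }()
	return &popenClient{toBackend: reqW, fromBackend: bufio.NewScanner(respR)}
}

// authorize sends one request line and waits for the matching reply line.
// The password crosses the pipe in the clear, so the backend must be a
// trusted local process started by rest-server itself.
func (c *popenClient) authorize(req authRequest) (bool, error) {
	line, err := json.Marshal(req)
	if err != nil {
		return false, err
	}
	if _, err := c.toBackend.Write(append(line, '\n')); err != nil {
		return false, err
	}
	if !c.fromBackend.Scan() {
		if err := c.fromBackend.Err(); err != nil {
			return false, err
		}
		return false, io.ErrUnexpectedEOF
	}
	var resp authResponse
	if err := json.Unmarshal(c.fromBackend.Bytes(), &resp); err != nil {
		return false, err
	}
	return resp.OK, nil
}

func main() {
	c := newPopenClient(runBackend)
	ok, err := c.authorize(authRequest{Repo: "alice", Username: "alice", Password: "pw-alice", Action: "GET", Type: "snapshots", Object: "somehash"})
	fmt.Println(ok, err)
	ok, err = c.authorize(authRequest{Repo: "bob", Username: "alice", Password: "pw-alice", Action: "GET", Type: "config"})
	fmt.Println(ok, err)
}
```

Because every request carries the repo, action and object type, the ACL decisions the comment mentions live entirely in the backend; rest-server only needs to frame one line per request and treat anything other than a well-formed `{"ok":true}` as a denial.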

fd0 commented 6 years ago

I like this approach, it would reduce the complexity needed in rest-server. Hm.

frankf-cgn commented 6 years ago

@mholt I think it is not too intrusive. A little change to cmd/rest-server/main.go and a small addition to handlers.go (~16 lines). The LdapAuth implementation incl. caching of the credentials is ~200 lines.

@wojas @fd0: Besides the approach being indeed very flexible and powerful, it adds a lot more functionality (and complexity/work). In my eyes, this is a good candidate for a new issue like "Implement Authorization (ACL)". htpasswd (and now ldap) is just more about plain and simple "Authentication".

wojas commented 6 years ago

I will create a new issue for the popen backend.

ashrude commented 5 months ago

Wouldn't it be easier to use --no-auth and have a reverse proxy do the authentication? I'm pretty sure you can hook nginx into LDAP.

wojas commented 5 months ago

A reverse proxy makes sense, but you do need to be careful about potential differences in path handling between the proxy and rest-server to not introduce security issues.
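One defensive check for the concern raised above, as an added example (not rest-server code, and not a description of how rest-server or any proxy actually handles paths): insist that the request path is already canonical, so that a prefix-based rule evaluated in front of the server and the path the server acts on cannot drift apart. `canonicalPath` and `userMayAccess` are hypothetical names, and the per-user prefix rule is a constructed policy.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// canonicalPath accepts a request path only when it equals its path.Clean
// form (a trailing slash is kept, since it is meaningful for a listing).
// If a proxy authorizes on the raw path while the backend cleans it, the two
// may act on different paths; rejecting non-canonical input makes both see
// the same one. Constructed example, not rest-server's path handling.
func canonicalPath(raw string) (string, error) {
	if !strings.HasPrefix(raw, "/") {
		return "", fmt.Errorf("path must be absolute: %q", raw)
	}
	cleaned := path.Clean(raw)
	if strings.HasSuffix(raw, "/") && cleaned != "/" {
		cleaned += "/"
	}
	if cleaned != raw {
		return "", fmt.Errorf("non-canonical path %q (cleans to %q)", raw, cleaned)
	}
	return cleaned, nil
}

// userMayAccess is the rule a proxy would express as a location prefix:
// user u may only reach paths under /u/. Applied after canonicalPath, the
// prefix check is evaluated on the same string the backend will use.
func userMayAccess(user, raw string) bool {
	p, err := canonicalPath(raw)
	if err != nil {
		return false
	}
	prefix := "/" + user
	return p == prefix || p == prefix+"/" || strings.HasPrefix(p, prefix+"/")
}

func main() {
	// Constructed sample paths; only the first two are canonical and under /alice.
	for _, p := range []string{"/alice/snapshots/abc", "/alice/", "/alice//config", "/alice/../bob/config", "/bob/config"} {
		fmt.Printf("%-24s allowed for alice: %v\n", p, userMayAccess("alice", p))
	}
}
```

Whether percent-encoded forms of the same path are decoded before or after the check is a second place where proxy and backend can disagree; both should apply the same decoding before comparing.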