spl0k / supysonic

Supysonic is a Python implementation of the Subsonic server API.
https://supysonic.readthedocs.io
GNU Affero General Public License v3.0

LDAP support #181

Open pR0Ps opened 4 years ago

pR0Ps commented 4 years ago

I'd like for Supysonic to be able to use an LDAP directory to authenticate users.

I'd be willing to help out with the implementation.

Is this something you'd be open to adding to the project?

spl0k commented 4 years ago

That would be interesting yeah. I only have a vague knowledge of LDAP though.

What would you expect from this LDAP support? Besides authentication, should it be used as a means for authorization too?

pR0Ps commented 4 years ago

Yes, I was thinking that LDAP would handle both. Authorization via testing if the users are members of certain LDAP groups, and authentication via LDAP-stored passwords (likely hashes, but that's something that's configured in LDAP). In my experience, this is how most LDAP-enabled applications work because it means that all user administration tasks (i.e. change password, give admin access, revoke access entirely, etc.) can be done via LDAP, which can be centrally configured.

Here's a proposed config template I came up with based on the configuration options of a few other projects' LDAP-related options that might make the proposed scope more clear:

[ldap]
; LDAP server to use. If this is non-null then LDAP will be enabled
; Default: none (don't use LDAP)
; Example: ldap://ldap.domain.tld:389
ldap_server = 

; Base DN for all LDAP queries
; Required to use LDAP
; Example: dc=domain,dc=tld
base_dn =

; The LDAP search filter to use to find valid Supysonic users/admins
; Required to use LDAP
; Example:
; - user_filter = (memberOf=cn=supysonic_users,ou=group,dc=domain,dc=tld)
; - admin_filter = (memberOf=cn=supysonic_admins,ou=group,dc=domain,dc=tld)
user_filter = 
admin_filter =

; The user and password to use to bind to the directory
; Default: none (use anonymous bind)
; Example: bind_user = cn=binduser,dc=domain,dc=tld
bind_user =
bind_password =

; Customize LDAP attribute mapping for creating users
; Default: username=uid, email=mail
username = uid
email = mail
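The search-then-bind flow implied by the template above (find the entry that matches `user_filter` and the login name, authenticate by binding as that entry, then decide admin rights with `admin_filter`), written out as an added example. This is not supysonic code and not part of the thread; `LdapConfig`, `authenticate`, `scoped_filter`, `login` and the in-memory `FakeDirectory` are made-up names, and the directory entries are constructed so the example runs offline. It adds the two checks a practitioner would want around the proposed config: RFC 4515 escaping of the login name before it is spliced into `user_filter`/`admin_filter`, and refusing empty passwords, which would otherwise turn the bind into an unauthenticated bind.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]      # (dn, attributes)
SearchFn = Callable[[str, str], List[Entry]]  # search(base_dn, filter) -> entries
BindFn = Callable[[str, str], bool]           # bind(dn, password) -> success


@dataclass
class LdapConfig:
    """The proposed [ldap] keys that drive the flow. ldap_server, bind_user and
    bind_password belong to whoever opens the service connection behind `search`."""
    base_dn: str
    user_filter: str
    admin_filter: str
    username: str = "uid"   # attribute holding the Supysonic login name
    email: str = "mail"


@dataclass
class AuthResult:
    username: str
    email: Optional[str]
    is_admin: bool


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter. Without it a
    login name such as '*' or ')(uid=*' changes the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def scoped_filter(base_filter: str, attr: str, login: str) -> str:
    """AND the operator-configured filter with an exact match on the login."""
    return "(&%s(%s=%s))" % (base_filter, attr, escape_filter_value(login))


def authenticate(cfg: LdapConfig, login: str, password: str,
                 search: SearchFn, bind: BindFn) -> Optional[AuthResult]:
    # Reject an empty password before talking to the directory: a bind with a
    # DN and no password is an *unauthenticated* bind (RFC 4513 s5.1.2) that
    # many servers accept, so it would otherwise look like a valid login.
    if not login or not password:
        return None
    # 1. Locate the single entry that is a Supysonic user AND has this login.
    hits = search(cfg.base_dn, scoped_filter(cfg.user_filter, cfg.username, login))
    if len(hits) != 1:
        return None   # unknown, not in the users group, or ambiguous match
    dn, attrs = hits[0]
    # 2. Authenticate by binding as that entry; the server checks the password.
    if not bind(dn, password):
        return None
    # 3. Authorize: admin only if the same entry also matches admin_filter.
    admin_hits = search(cfg.base_dn, scoped_filter(cfg.admin_filter, cfg.username, login))
    is_admin = any(hit_dn == dn for hit_dn, _ in admin_hits)
    return AuthResult(username=attrs[cfg.username][0],
                      email=(attrs.get(cfg.email) or [None])[0],
                      is_admin=is_admin)


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (no network). It only
    understands the filter shape scoped_filter() emits: an AND of (attr=value)
    terms, where '*' is a wildcard and '\\XX' is a literal byte, as in RFC 4515."""
    _TERM = re.compile(r"\((\w+)=([^()]*)\)")
    _TOKEN = re.compile(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+")

    def __init__(self, entries: Dict[str, Dict[str, List[str]]], passwords: Dict[str, str]):
        self.entries, self.passwords = entries, passwords

    @classmethod
    def _to_regex(cls, value: str) -> "re.Pattern[str]":
        parts = []
        for tok in cls._TOKEN.findall(value):
            if tok == "*":
                parts.append(".*")
            elif tok.startswith("\\"):
                parts.append(re.escape(chr(int(tok[1:], 16))))
            else:
                parts.append(re.escape(tok))
        return re.compile("^%s$" % "".join(parts))

    def search(self, base_dn: str, ldap_filter: str) -> List[Entry]:
        terms = [(a, self._to_regex(v)) for a, v in self._TERM.findall(ldap_filter)]
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.endswith(base_dn)
                and all(any(rx.match(x) for x in attrs.get(a, [])) for a, rx in terms)]

    def bind(self, dn: str, password: str) -> bool:
        # Mimics a permissive server: an empty password is an unauthenticated bind that "succeeds".
        return password == "" or self.passwords.get(dn) == password


# Constructed sample directory matching the template's example DNs.
BASE = "dc=domain,dc=tld"
USERS = "cn=supysonic_users,ou=group," + BASE
ADMINS = "cn=supysonic_admins,ou=group," + BASE
CONFIG = LdapConfig(base_dn=BASE, user_filter="(memberOf=%s)" % USERS,
                    admin_filter="(memberOf=%s)" % ADMINS)
DIRECTORY = FakeDirectory(
    entries={
        "uid=alice,ou=people," + BASE: {"uid": ["alice"], "mail": ["alice@domain.tld"],
                                         "memberOf": [USERS, ADMINS]},
        "uid=bob,ou=people," + BASE: {"uid": ["bob"], "mail": ["bob@domain.tld"],
                                       "memberOf": [USERS]},
        "uid=carol,ou=people," + BASE: {"uid": ["carol"], "memberOf": []},
    },
    passwords={"uid=alice,ou=people," + BASE: "alice-pw",
               "uid=bob,ou=people," + BASE: "bob-pw",
               "uid=carol,ou=people," + BASE: "carol-pw"},
)


def login(username: str, password: str) -> Optional[AuthResult]:
    """Supysonic-side entry point in this example: one call per login attempt."""
    return authenticate(CONFIG, username, password, DIRECTORY.search, DIRECTORY.bind)
```

With this data `login("alice", "alice-pw")` yields an admin, `login("bob", "bob-pw")` a plain user, and `login("carol", "carol-pw")` is refused because carol is not in `supysonic_users` even though her password is right; `login("bob", "")` is refused by the empty-password check although the fake server would accept the bind, and `login("*", "alice-pw")` finds nobody because the escaped `\2a` is a literal asterisk, whereas the same filter built without escaping matches every user. Note that the user's password travels to the directory in step 2, so the `ldap://ldap.domain.tld:389` in the template should be `ldaps://` or StartTLS in a real deployment; the example leaves transport to whatever opens the connection behind `search` and `bind`.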