Open amartin3225 opened 5 years ago
Hello @zulip/server-authentication, @zulip/server-streams members, this issue was labeled with the "area: authentication", "area: stream settings" labels, so you may want to check it out!
I think this makes sense to support; potentially the right model is to use the is_mirror_dummy
featureset (or similar) to create shadow accounts? I'm not sure.
I would love to see this feature added to get all LDAP users registered in Zulip automatically. Ideally just an enhancement to the existing "sync_ldap_user_data" script could get the job done, or perhaps a new script "provision_ldap_user_data" for this type of scenario that could be used together with the existing sync script.
And now that SAML support is arriving in Zulip, this LDAP sync enhancement would be really helpful.
I'm using LDAP to sync in users and metadata, and SAML is used to provide the Authentication. Having SAML configured but an empty user zulip ldap database makes for an odd login flow for new saml users:
Clicking "sign in using SAML" for a new Zulip user results in a login with the SAML IdP, then the IdP redirects to a Zulip Registration prompt asking for the LDAP Password for the now authenticated SAML user. Oddly, anything can be typed here, it doesn't have to be their real LDAP password, then they click login, and the user data is provisioned from LDAP into the Zulip database, and the SAML login from then on is great for that user.
So once the user is registered, SAML is working great and intuitive. If the user is not already registered, SAML is a little clunky at the first sign on.
For many SAML deployments I think LDAP auto-registration will be required for a good login flow of someone logging into Zulip for the first time.
Also now that SAML is supported, the enterprise and LDAP user base will surely grow quickly too, so someone willing and able to put together a pull request will certainly emerge. (I'm willing, but not very able, looking at the sync script now)
I'm also taking a look now at how to do the LDAP lookup in python to get my list of LDAP users, then use the zulip API to register them all inside Zulip to overcome the issue "externally" for now.
The model is definitely intended to be that with our SSO authentication models (LDAP, etc.), one doesn't require that sort of dance.
We should probably have an option to support auto-creating users from LDAP if that's what an organization wants; there are downsides (in that it's then not clear which users actually have used Zulip), but they all seem like organization preferences to me. There are a few details we'll need to think about, like:
We should probably have an option to support auto-creating users from LDAP if that's what an organization wants
In my experience auto-import of all LDAP users is the "norm" for many LDAP supporting applications. But obviously just because something is the norm doesn't make it right or better.
Do we send the usual new user onboarding emails
Again just from my experience with other LDAP sync-able apps; user onboarding emails do not get sent out for users created via the import process. An option to send emails for imported users could be nice though, but I would disable it by default to prevent spamming the whole LDAP directory by accident during an import process.
Well, what one probably actually wants is to import the users but then have onboarding emails be sent on first login, not at import time, so the users still get that information.
I've created an external python3 script that can accomplish this feature request goal outside of Zulip itself.
The script does not have to be run locally on the Zulip server, it is completely external and only needs access to the LDAP URL and the Zulip API URL to function. Unfortunately that also means it needs to be configured separately too, you need to match the LDAP Base DN to what is configured in Zulip's settings.py.
Also note the script is currently matching on "userPrincipalName" from an AD system, you may want/need to change that to "mail".
Be warned this received limited testing, and I'm NOT a python dev, so there may be CRITICAL problems in this script that I haven't detected yet. That said, it worked great in my ldap/saml lab for testing zulip integrations.
The script depends only on the "zulip" and "ldap" python3 libraries.
https://gist.github.com/peacepenguin/45ed1cd5ab32f7dadd03dcfbd1b5c857
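The external approach described in this comment and again below (query the directory, then create the missing accounts through the Zulip API) as an added example; this is not the linked gist and not Zulip's own code. It assumes python-ldap's `search_s` result shape (a list of `(dn, {attr: [bytes]})` tuples) and the `zulip` client's `get_members()` and `create_user()` calls; the directory entries and member list below are constructed samples so the planning step runs offline.

```python
"""Plan and perform LDAP -> Zulip user provisioning (added example, not the gist)."""
import secrets

# Constructed sample of what an LDAP search could return (not real directory data).
SAMPLE_LDAP = [
    ("CN=Ada,OU=Users,DC=example,DC=test",
     {"mail": [b"Ada@Example.test"], "displayName": [b"Ada Lovelace"]}),
    ("CN=Bob,OU=Users,DC=example,DC=test",
     {"mail": [b"bob@example.test"], "displayName": [b"Bob Ng"]}),
    ("CN=svc,OU=Service,DC=example,DC=test", {"displayName": [b"no mail attr"]}),
]
# Constructed sample of the `members` list that GET /users returns.
SAMPLE_MEMBERS = [{"email": "bob@example.test", "is_active": True}]


def fetch_ldap_entries(uri, bind_dn, bind_pw, base_dn, ldap_filter="(mail=*)"):
    """Read directory entries with python-ldap (assumed API; imported here so the
    offline planning functions below work without the library installed)."""
    import ldap
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, bind_pw)
    return conn.search_s(base_dn, ldap.SCOPE_SUBTREE, ldap_filter, ["mail", "displayName"])


def plan_new_users(entries, members, email_attr="mail", name_attr="displayName"):
    """Return [{email, full_name}] for LDAP entries not already in Zulip.
    Emails are lowercased so Ada@Example.test matches ada@example.test, and the
    same address appearing twice in the directory is only created once."""
    existing = {m["email"].lower() for m in members}
    new_users, seen = [], set()
    for _dn, attrs in entries:
        if email_attr not in attrs:  # entries without a mail value are skipped
            continue
        email = attrs[email_attr][0].decode().strip().lower()
        if email in existing or email in seen:
            continue
        seen.add(email)
        name = attrs.get(name_attr, [email.encode()])[0].decode()
        new_users.append({"email": email, "full_name": name})
    return new_users


def create_request(user):
    """Body for POST /users. The password is random and never stored here: LDAP or
    SAML does the authentication, so the local password must not be guessable."""
    return {**user, "password": secrets.token_urlsafe(32)}


def provision(client, entries):
    """client: a zulip.Client whose API key is allowed to create users (assumed)."""
    members = client.get_members()["members"]
    created = []
    for user in plan_new_users(entries, members):
        if client.create_user(create_request(user)).get("result") == "success":
            created.append(user["email"])
    return created
```

Run `provision(zulip.Client(config_file="~/.zuliprc"), fetch_ldap_entries(...))` from cron; the base DN and filter must match what Zulip's settings.py is configured with, as the comment above notes.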
Hello, is this created yet? This is a must in my opinion and all other platforms offer it.
Take a look at this python3 script. Just configure it and set it up as a cron job on your zulip server. Works great, gets the feature, just external to the zulip code base. But since it works via API, there's low risk of it breaking after zulip upgrades.
It's a really simple script, easy to read and modify.
https://gist.github.com/peacepenguin/45ed1cd5ab32f7dadd03dcfbd1b5c857
@mateuszmandera we've been getting a lot of requests for something like this; do we think it'd be an easy extension of manage.py sync_ldap_user_data?
It would be nice to have this feature !
@peacepenguin many thanks for your script :+1:
I would like to be able to subscribe LDAP users to a stream before they login to Zulip for the first time. This is currently not possible since a user doesn't exist in Zulip until he/she first logs in, even if the user is active in LDAP. It would be nice to have an option that populates users in Zulip if LDAP sync is enabled, that way the users would exist before first login and their stream membership could be managed. Thanks!