LDAP integration #64
Comments
Hello, I began coding an LDAP authentication utility in Python.
You can find it at https://github.com/georgesk/galene, under the
directory https://github.com/georgesk/galene/tree/master/other/ldap
I modified the code published in
***@***.*** to interact
with an LDAP directory, and wrote a utility `test_autentication.py` to
check whether the JWT message sent by the server (implemented in
`auth.py`) does contain useful data.
Dear Juliusz, I wonder why the JSON data sent to this service provides a
"group" field. As far as I know, people are used to login with only a
username and a password; if there is any group for them, the server must
find it automatically.
In your post ***@***.***,
you wrote code which copies the group name to the "aud" field of the
token to be encrypted by jwt. However, when this "aud" field is in use,
I run into errors with a message stating that there is a wrong audience,
whenever I call jwt.decode().
Is this concept of an audience important for Galene, or may I disregard
it, as I currently do with my implementation?
Best regards, Georges.
Juliusz Chroboczek wrote:
The upcoming version 0.5 of Galene will have support for external authorisation servers. A working but slightly incomplete version of that code is in the branch "auth" of the Galene repository. It is described here: ***@***.***
It would certainly be desirable if that support could be used to better integrate Galene with Yunohost. Other people who have expressed interest in working on an LDAP authorisation server for Galene are @erdnaxe and @georgesk.
Georges KHAZNADAR and Jocelyne FOURNIER
Excellent!
For reference, the URL is https://lists.galene.org/galene/87tugzwezl.wl-jch@irif.fr.
The server performs authorisation, not just identity management. The client asks the auth server "is the user username allowed to access the group group, and if so with what permissions?". The server consults the LDAP database, which merely says "this is the right password for this user" — this is just identity. After the LDAP server has replied, the auth server needs to make an authorisation decision — decide whether the user is allowed to login, and, if so, with what permissions. How this happens is application-specific, which is why it is done by the auth server, not by Galene. After the decision has been made, the auth server returns to the client a cryptographically signed token that says "user username is allowed to login to group group with the following permissions for the next 30s". The fields of the token are as follows:
Yes, it is important — without it, a malicious client could request a token for one group and use it in order to login to a different group.
The "aud" field is a list of strings, but may be replaced with a single string when it contains only one member. Galene will accept both syntaxes. Perhaps your JWT library doesn't accept the short form? Try setting it to a list with just one element.
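To make the audience point concrete, here is an added example (not code from Galene or from the auth server discussed in this thread) of a minimal HS256 token issuer and verifier in stdlib Python. The shared secret, user names, group names and permission strings are constructed for the demo; the verifier accepts "aud" both as a list and as a single string, and rejects a token minted for one group when it is presented for another, which is exactly the misuse the "aud" field exists to prevent.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment shares a real key between
# the auth server and Galene.
SECRET = b"demo-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(username, group, permissions, lifetime=30, aud_as_list=True, now=None):
    """Issue "user may log in to group with these permissions for lifetime seconds"."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "aud": [group] if aud_as_list else group,
              "permissions": permissions, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, group, now=None):
    """Check signature, expiry and audience; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Verify the signature before trusting anything inside the token.
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64url(c))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud  # accept both syntaxes
    if not isinstance(audiences, list) or group not in audiences:
        raise ValueError("wrong audience")  # token was issued for a different group
    return claims
```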
I've put a new version of the auth server, which checks for valid groups, at https://galene.org/galene-auth-server.py. It also does both symmetric (HS256) and public key (ES256) authentication.
The auth code is now merged into Galene master. The auth server is at
First prototype at https://github.com/jech/galene-ldap
The upcoming version 0.5 of Galene will have support for external authorisation servers. A working but slightly incomplete version of that code is in the branch "auth" of the Galene repository. It is described here: https://lists.galene.org/galene/87tugzwezl.wl-jch@irif.fr
It would certainly be desirable if that support could be used to better integrate Galene with Yunohost. Other people who have expressed interest in working on an LDAP authorisation server for Galene are @erdnaxe and @georgesk. Please see also the discussion at jech/galene#106.