New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAP authentication #274
Comments
LDAP as an up or downstream? Meaning that we should allow LDAP as an identity pool for Kratos, or that Kratos is able to become an LDAP server? |
Well the seccond would be awesome but I don't really see a point in that since ldap is quite complex and there are already pretty good ldap servers out there. Kratos should be able to talk to one or more external ldap servers to authenticate users. |
Agreed - tracking but with an undefined milestone as we have to get other things done first. |
Usually big enterprises have existing ldap infrastructure and I would like to see a kratos/hydra construct which can authenticate users against it. |
If I have some spare time I can look into this. But did not look at the kratos core yet in detail. |
Cool! Contributions are always welcomed! |
that would a useful feature for enterprise. I'm evaluating the ory stacks, and now pending on this new feature to support existing ldap servers group. |
Feel free to start a plan how LDAP integration could be implemented in Kratos, contributions are welcome! |
Is there any further progress? |
So, where do I begin...Probably first with some background on this rather lenghty post. The reason for it is mainly my personality which drives me into practitiong what @jordansissel (author of Logstash) coined as ADD - Anger Driven Development :) And that simply lead me to the decision to put my spare time and hopefully further few lines of code to it. So in this post I'll go through the currently rather troubled situation with open-source SSO/IDP, some kludgy options available at this time, key architecture questions about this feature that need to be covered and options to be selected. I'll do my best structuring it so we can start constructive discussion probably on Slack. I've joined today, same nickname - @blufor - so you can contact me there. BTW That's the main goal of this post; to get things moving so the coding can start ASAP - while COVID effects still last and there's spare time ;) There are some references to links and notes that further explain certain statements or provide more background. It looks like this [a]. SSO and Identity isn't new
I remember more than 15 years ago, I've been tasked with deploying and delivering Sun Access Manager to a customer [b]. Really massive enterprise piece of Java shit that is luckily already in silicon heaven. It supported LDAP as IdP and Kerberos as SSO. Since then things have evolved, but rather in the sense of quantity. There are quite a lot of projects that provide both SSO integrations with standardized (cert, user/pass, and modern auth mechanisms. And not just paid, but also "freemium" (but sometimes free version lacks something you need) but also open-source. The problem is - almost all of them are in fsckin Java! [c]. But however those solutions might be, most of them provide login integration Kerberos and/or LDAP. And these two are gonna stay with us for some time. Many other services and tools integrate them and LDAP is generally a good battle-tested technology to be source of truth for identity verification and data lookup. The Bill Gates conspiracyThe reson, why i think this feature should have its priority increased is the current reality. Lots of the people asking about it is Microsoft's good business model. The Active Directory has been (and still is) requirement of many companies, including startups. From my last 5 customers only 1 didn't have Windows Domain but that changed some time after I left and the company grew a bit more. Why is that? Well, almost any successful company comes to a point when it has increasing amount of employees. And they need computers to work on. From what current market offers, Microsoft has been winning for a long time, so far thanks to lower price [d] and the capability of managing the machines centrally, which gives them ticks for certifications in future and is overall more complete solution (quality aside...). Now one Win Server license also hasn't been that expensive either. Plus for some time, you have their sales reps massively pushing their Cloud services with crazy initial discount (I've heard of 0$ bills up to 1yr). Those Cloud services of course integrate with on-prem Active Directory nicely. So compared to Google offerings, you're getting the same services basically, but M$ also packs workstation management in it. Like it or not, it just simply is a complete package. [e] Current Golang LDAP integrationsAutheliaReally neatly looking Go app with significant backing that integrates a lot, however the OIDC provider is still WIP. Anyways their LDAP integration in Go might serve as a point of reference [ldap_connection_factory.go, ldap_user_provider.go] Uses WertherIdentity Provider in itself that uses LDAP as data backend for login identities. Supports Login and Consent flows only. Has UI, integrates with ORY Hydra. Basically looks like Kratos with fewer features and added customizable UI ( No updates for some time, however recently got updated with Feature proposalWhat
How?Some of the previous crucial points need some further decisions to be made and I'd love ie @raffis or @aeneasr to voice their opinions and thoughts. Create model for connection configurationQuestions:
Somehow implement syncing the data from LDAP to Identity traitsThis one is probably the the most work to be done. First let's talk about syncing in itself. The necessity of a way of linking the data from LDAP is undisputable. Than means that some sort of unique LDAP identifiers needs to be saved into the Kratos Identity Object. However LDAP is quite often used as configuration tool for authorization by using group membership. This often changes and those changes need to be refrected in the identity traits. Most of the implementations I've checked (Keycloak, Authelia, Gluu,...) have some sort of background syncing. There are two approaches:
Each has its own treats: The first one obviously becomes a problem with large user bases. Can be mitigated a little by using multiple Kratos instances, each with different seach base to do a sort of "sharding". Also maybe it can possibly be implemented outside of Kratos and doing the updates via API. The second one wouldn't grow so rapidly and the periodic data sync could be linked to each account separately, providing equal distribution of sync interval starting points (based on identity update time) across the user-base. This would mean at least +1 a sync goroutine for each LDAP linked account... Regarding the RFC3062 password modify - It certainly would be nice, however I don't think it really has a high priority. As mentioned - having LDAP usuallu means having coverd management SOPs, like password change, or generic attribute update (surname + martial status, home address, gender...). The latter is IMHO out of scope of Kratos... but I might be wrong Questions:
Registration using first LDAP auth loginThis would be valid only when not using/implementing the full sync pattern. Othewise, all of the identities would be created/linked to existing ones during the first LDAP sync. Questions:
Notes:[a] Hello world [b] The customer...
[c] Java...
[d] Let's see how Apple stirrs up the market in some time [e] One more great example...
|
Hello @blufor and thank you for the insightful post. Could actually become a blog post? @vinckr could help bring it on the main website so your work isn’t forgotten i. the thousands of github comments! Also sorry for my short answers - but I’m on mobile for holidays ;) So first of all we’ve been pushing LDAP back because we didn’t really want to deal with AD and all that stuff. But it’s great to have you here - you did your research and have knowledge- so it looks like there’s no better time to start working on this! I think the user sync model is nicer - easy to shard (and scale), less work for Kratos - no user filters, and so on! I imagine the syncer to be a worker like „kratos courier“ which makes it (a) optional and (b) easy to scale and (c) easy to configure using e.g. CLI flags. For OIDC we merge fields from the POST request (e.g. user consents to ToS) with data from OIDC which is first run through JsonNet for modification. The code for this starts here: https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy_registration.go#L9 We thought about system level traits but have not implemented them yet. However, adding those would be easy. One question is if we have them in traits or be part of another field (e.g. meta). This probably needs the most thinking! Alternatively we could also just disable the settings flow for those users? As we would disable other flows too (verification, recovery)? After thinking about this a bit more: It sounds to me as if all we want here is for a user to exchange their LDAP credentials for a kratos session token? Given that we don’t want registration, recovery, verification, profile updates? How does 2FA work with LDAP? |
Awesome thread! @aeneasr Could we reformat/expand it a little bit and then publish it under @blufor's name on our blog? Happy to take care of all the stuff around publishing it, just want to know if you are up to it and if that is generally something we would do? |
That was the idea :) |
So just curious, would I be able to use my Kratos users and connect a few of them to LDAP, but Kratos being the origin of the accounts? Not sure if it makes sense. Let me try to clarify. Let's say I have a Kratos instance for all my users. A set of those users are employees who need to work with LDAP applications. Is there any way I could use OpenLDAP the same way as something like Hydra, where main user authentication is handled by Kratos. Also, my understanding could be completely flawed, as I just started learning about this stuff. |
Currently we have no such capabilities in Ory Kratos. I think what this issue refers to is to use LDAP as an upstream provider (like "Sign in With Google") as most companies use e.g. Azure AD for their employee management. Your proposal would also work, it would mean that Ory Kratos becomes an LDAP server. So instead of issuing tokens or cookies, you could do LDAP queries against Ory Kratos. Both features are currently not available though. |
@blufor @aeneasr If you don't want all of that, then what would be the remaining advantages of Kratos over Werther? Session management (including logout) and 2FA/MFA? I think for a good user experience it's important to have a single UI where all account-related things are managed, i.e.:
Of course one can write a UI that has access to both the Kratos API and the LDAP API in order to use the right API for the right task, but I think it would be nicer if the UI only needed access to the Kratos API. Using both APIs would also lead to sync issues, i.e., a user updates something that is done through the LDAP API and this is not immediately synced to Kratos. I think registration and verification can indeed be left out for now, since in enterprises registration is typically done by admins who can use another UI for administrating the LDAP server. |
@blufor this would actually be a great blog post ("Quantity over quality - The problem with the evolution of modern SSO" or something) and I'm very happy to see someone acknowledge the clusterdump that is these java based IAM systems. |
Is there any further progress? |
I try to implement this in [1], based on v0.10.1 I did a local integration test with a prepared LDAP (389DS container), it works at least for my expectation. |
@neutronth this looks to be a really good starting point for LDAP integration. I've been thinking about creating a sync pipe between LDAP and PostgresDB using PingDataSync (not OSS) or some similar tooling but it would be really nice to be able to use LDAP as the backend. I'm going to play around with this. |
Hi @neutronth and @zambien, happy new year to you both! Thank you for the amazing Ory platform - it's a really key addition to the space. I wanted to ask whether the LDAP integration was something you're actively working on, as this would definitely be of interest to my team. Thank you. |
Hello 👋 |
Same here, we have a project right now that requires authentication of users that are defined in our customer's on-prem AD. Since we currently use Kratos as authentication backend, it would simplify our architecture if Kratos could talk to the AD using LDAP. However, we would still require some identities to be created in Kratos, for administrator access in case the connection to AD is down. We would be willing to contribute with time and code to get this implemented. |
Same here! |
Any plans to implement this? |
We have successfully applied the "hack" mentioned in #274 (comment), on top of Kratos v1.0 and it's working fine using OpenLDAP. The goal is to be able to use it in production in a few months, for a customer using Windows Server AD. We also need to have accounts using password strategy in parallel to LDAP strategy (for administration in case the LDAP connection is not working). @aeneasr It would be nice if we could make a contribution back into the Ory product regarding this, to not have to maintain our own fork of Kratos. Could someone in your team provide any feedback on whether the previously mentioned "hack" is a step in right direction regarding how LDAP integration would be designed? And also provide any feedback what else that should be done for this to be acceptable into Kratos? |
Nice @irisitymichaelgrundberg ! 👍 |
Describe the solution you'd like
I would like to see the possibility of ldap authentication. Following points should be considered:
Options:
Additional context
https://github.com/go-ldap/ldap
The text was updated successfully, but these errors were encountered: