LDAP Support #118
Comments
+1 |
That would be awesome! edit: sorry, didn't know GitHub +1 existed :) |
Please use github's reactions for +1's. Thanks! This will be done when everything else is out of the way. There are currently more pressing things like an unfinished UI and dynamic inventories! |
+1 |
OK guys, in order to build this I need to know some details. Can you provide a use case? |
Okay, I'll give it a try - hope it doesn't get too complicated and that I understood what you've been asking for. My use case would look like this: In LDAP, users are part of one or more LDAP groups. IMHO it would be a good idea to have the concept of roles, so that users or groups can be mapped to a role (mapping of groups is preferred). Ideally Semaphore would provide multi-tenancy capability. Therefore I've got multiple groups of users that should be able to have one or more projects. They should not be able to see other projects, but should be able to create new projects. Therefore it might be a good idea to introduce something like "organization". Within a project I would need at least two different types of roles, a project administrator role and an executor role. For being able to use this in a sane way I would suggest the following
Nice to have:
This is a proposal - I'm open for discussion. |
Any plans for implementation of this? We need to auth users from AD or from Google (both work for us). |
@hhenkel @matejkramny Based on what hhenkel said, initially I thought something like this for the backend: With this in mind, we can think about the following behavior:
To start, if we are thinking about roles maybe we should implement an RBAC model ... but we are using Angular to provide our frontend ... At this point I really don't have a clue (maybe a check within a service?) about which path we should go ... On GitHub we have the https://github.com/mikespook/gorbac project for the server side ... To finish the job we need an Authorization Management interface to manage Entities, Roles, Permissions. What do you think? |
I think that we should start with the simplest approach: implement LDAP authentication with the authnz_entity table and integrate it with the GIN framework. The following lib looks like the best implementation for now: |
I'm seeing two issues rolled together here. I too am in an AD environment, and I'm after a multi-tenant solution. You need three parts to solve the multi-tenant side:
I would suggest splitting RBAC into a separate issue since its implementation is independent of AD authentication. The other part that is missing from your RBAC model is limiting not only what actions can be performed, but what objects or group of objects they can be performed on. This is where the concept of an organization, or a mapping to a group is important. To elaborate, if I can assign either an organization or a group to an inventory, then that group or organization can be used to limit which users can access that inventory. This is orthogonal to what a user can do with that inventory. Organizations are a 1:1 mapping to the object (in this case an inventory item), whereas groups are generally many to many. |
Hi, guys. I plan to implement a simple LDAP auth here, like "If this LDAP user has the right password and belongs to the right LDAP subtree, add them to the users table and authorize them". Afterwards, if it works well, we can do more complex things, like inventory/project/etc. limitations. |
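The flow that comment describes, as an added example that is not part of this thread or of Semaphore's code: look the user up by uid under a configured base DN, confirm the returned DN really lies inside that subtree, then prove the password with a bind as that DN. The Directory interface, the in-memory fake directory, its entries, and the DNs and passwords are all constructed for the example; the filter escaping follows RFC 4515 so a login name cannot rewrite the search filter.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Directory is the minimal LDAP surface the login flow needs; the fake below runs offline.
type Directory interface {
	Search(baseDN, filter string) (string, error) // DN of the single matching entry
	Bind(dn, password string) error               // simple bind as dn
}

// filterEscaper applies RFC 4515 escaping so a login name such as "*" or
// "x)(uid=admin" cannot change the structure of the search filter.
var filterEscaper = strings.NewReplacer(`\`, `\5c`, "*", `\2a`, "(", `\28`, ")", `\29`, "\x00", `\00`)

// normDN lowercases and trims each RDN (commas escaped inside values are not handled).
func normDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

// inSubtree reports whether dn lies at or below baseDN; the leading comma keeps
// "ou=notpeople,dc=example,dc=org" from matching "ou=people,dc=example,dc=org".
func inSubtree(dn, baseDN string) bool {
	d, b := normDN(dn), normDN(baseDN)
	return d == b || strings.HasSuffix(d, ","+b)
}

// Authenticate: find the entry by uid under baseDN, confirm it sits in that subtree,
// then prove the password with a bind as that DN. The DN is what the users table records.
func Authenticate(dir Directory, baseDN, uid, password string) (string, error) {
	if password == "" { // an empty password is an anonymous bind on most servers
		return "", errors.New("empty password")
	}
	dn, err := dir.Search(baseDN, "(uid="+filterEscaper.Replace(uid)+")")
	if err != nil {
		return "", err
	}
	if !inSubtree(dn, baseDN) {
		return "", fmt.Errorf("%s is outside %s", dn, baseDN)
	}
	if err := dir.Bind(dn, password); err != nil {
		return "", err
	}
	return dn, nil
}

// fakeDirectory is a constructed stand-in for a server; it understands only
// "(uid=value)" filters, where an unescaped "*" matches every entry.
type fakeEntry struct{ dn, uid, password string }
type fakeDirectory struct{ entries []fakeEntry }

func (f fakeDirectory) Search(baseDN, filter string) (string, error) {
	if !strings.HasPrefix(filter, "(uid=") || !strings.HasSuffix(filter, ")") {
		return "", errors.New("unsupported filter")
	}
	want := strings.TrimSuffix(strings.TrimPrefix(filter, "(uid="), ")")
	var hits []string
	for _, e := range f.entries {
		if inSubtree(e.dn, baseDN) && (want == "*" || want == filterEscaper.Replace(e.uid)) {
			hits = append(hits, e.dn)
		}
	}
	if len(hits) != 1 {
		return "", fmt.Errorf("filter %s matched %d entries", filter, len(hits))
	}
	return hits[0], nil
}

func (f fakeDirectory) Bind(dn, password string) error {
	for _, e := range f.entries {
		if strings.EqualFold(e.dn, dn) && e.password == password {
			return nil
		}
	}
	return errors.New("invalid credentials")
}

// sampleDirectory: constructed entries, one person under ou=people and a service account elsewhere.
func sampleDirectory() fakeDirectory {
	return fakeDirectory{entries: []fakeEntry{
		{"uid=alice,ou=people,dc=example,dc=org", "alice", "s3cret"},
		{"uid=deploy,ou=services,dc=example,dc=org", "deploy", "hunter2"},
	}}
}

func main() {
	for _, c := range [][2]string{{"alice", "s3cret"}, {"alice", "nope"}, {"*", "s3cret"}, {"deploy", "hunter2"}} {
		dn, err := Authenticate(sampleDirectory(), "ou=people,dc=example,dc=org", c[0], c[1])
		fmt.Printf("%-6s dn=%q err=%v\n", c[0], dn, err)
	}
}
```

Two checks are worth keeping once a real LDAP client replaces the fake: the empty-password rejection, because many servers treat a bind with an empty password as an anonymous bind that succeeds, and the escaping of the uid before it is spliced into the filter.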
Added simple LDAP auth as described in my previous comment. |
Closed by #310 |
Now that LDAP is integrated (& soon the security issue fixed), I have some questions for you guys since I don't use LDAP systems. Should the users be created in semaphore if they don't exist in the semaphore database but have been authenticated using LDAP? Soon we'll have a better permissions system (starting with @strangeman's PR). Does LDAP have a permission system that semaphore can utilise? We could also poll for users from the LDAP system and do something with that. |
@matejkramny: Can you please link the permissions PR you mentioned? Usually one uses LDAP groups and maps them to roles.. is that what you need, or something else? |
Not a PR, an issue. I got that wrong. It's #344. Possibly. My understanding of this: If one user was in the "admins" LDAP group and it was configured to map to the "admin" permission in semaphore, upon logging in for the first time (effectively signing up to semaphore) the user would be automatically "admin". |
@matejkramny I'll try to describe quickly what I've seen in other applications: Other applications normally allow you to specify an LDAP search string, which can consist of multiple "conditions" or "rules" (and/or combinations). For the mapping part it is as I initially wrote and comes down to what @pasikarkkainen wrote: A user is normally a member of 1 to n groups. An application normally works with the concept of roles like "admin" or "user". When using an LDAP backend you normally try to map groups to roles to make administration easier, but one could also map specific users to a role.
You should always evaluate whether the user is still in the admin LDAP group and not depend on what has been set in the database, as the permissions could have been revoked in LDAP. |
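One way to implement the group-to-role mapping and the re-evaluation on every login that the two comments above describe, as an added example (not Semaphore's code, nor any commenter's): the grants are derived from the group DNs the directory reports at login time and are never read back from the application's users table, so a membership revoked in LDAP disappears at the next login. The Grant and RoleMapping types, the "*" wildcard project, the group and user DNs and the memberOf lists are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Grant is a role on one project; Project "*" means every project. This is a
// hypothetical model: the thread asks for roles and for per-project mapping.
type Grant struct{ Project, Role string }

// Grants is what a login yields; it is never written to the users table.
type Grants []Grant

// Can reports whether the grants include role on project, honouring "*".
func (gs Grants) Can(project, role string) bool {
	for _, g := range gs {
		if g.Role == role && (g.Project == "*" || g.Project == project) {
			return true
		}
	}
	return false
}

// RoleMapping is administrator configuration: LDAP group DNs and, optionally,
// individual user DNs, each mapped to the grants they confer.
type RoleMapping struct{ groups, users map[string][]Grant }

// normDN lowercases and trims each RDN so a DN written by the directory and
// one written in the config compare equal.
func normDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

// NewRoleMapping normalises all configured DNs once so lookups are exact.
func NewRoleMapping(groups, users map[string][]Grant) RoleMapping {
	m := RoleMapping{groups: map[string][]Grant{}, users: map[string][]Grant{}}
	for dn, g := range groups {
		m.groups[normDN(dn)] = g
	}
	for dn, g := range users {
		m.users[normDN(dn)] = g
	}
	return m
}

// GrantsFor derives a user's grants from what the directory reports at this
// login (the bound DN and its current group DNs, e.g. memberOf). Nothing
// stored locally is consulted, so removing the user from an LDAP group
// revokes the grant at the next login.
func GrantsFor(m RoleMapping, userDN string, memberOf []string) Grants {
	set := map[Grant]bool{}
	for _, g := range m.users[normDN(userDN)] {
		set[g] = true
	}
	for _, group := range memberOf {
		for _, g := range m.groups[normDN(group)] {
			set[g] = true
		}
	}
	gs := make(Grants, 0, len(set))
	for g := range set {
		gs = append(gs, g)
	}
	sort.Slice(gs, func(i, j int) bool { return gs[i].Project+"/"+gs[i].Role < gs[j].Project+"/"+gs[j].Role })
	return gs
}

// sampleMapping is constructed configuration for the demonstration.
func sampleMapping() RoleMapping {
	return NewRoleMapping(
		map[string][]Grant{
			"cn=semaphore-admins,ou=groups,dc=example,dc=org": {{"*", "admin"}},
			"cn=web-ops,ou=groups,dc=example,dc=org":          {{"web", "executor"}},
		},
		map[string][]Grant{"uid=carol,ou=people,dc=example,dc=org": {{"web", "admin"}}},
	)
}

func main() {
	m, alice := sampleMapping(), "uid=alice,ou=people,dc=example,dc=org"
	// First login: the directory reports alice in both groups (note the AD-style casing).
	gs := GrantsFor(m, alice, []string{"CN=Semaphore-Admins,OU=Groups,DC=example,DC=org", "cn=web-ops,ou=groups,dc=example,dc=org"})
	fmt.Println(gs, gs.Can("payroll", "admin"))
	// A later login after she was removed from the admins group in LDAP.
	gs = GrantsFor(m, alice, []string{"cn=web-ops,ou=groups,dc=example,dc=org"})
	fmt.Println(gs, gs.Can("payroll", "admin"), gs.Can("web", "executor"))
}
```

The design choice that matters is that Grants is a per-login value, not a column: if an "is admin" flag were persisted on first login, the second call in main would still report admin even though the directory no longer does.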
Currently, Semaphore doesn't have 'admin' users (see #318). Also, we should be able to map LDAP groups to the different Semaphore projects. |
It is a nice-to-have. +1 |
From what I've seen so far, users are stored in the database. It would be nice to have LDAP support, so that one could use existing groups to match "roles" and people could use their centrally managed password.