Using SSO for authentication and LDAP for roles


#1

Hi,

I would like to use the SSO plugin for authentication, but then configure the user roles using LDAP. I could not get this to work at the moment, and before looking into how this could be done in the code, I was wondering if others had already attempted this and succeeded.

If this cannot be done, I see three options to implement this and would appreciate feedback before attempting to implement the solution:

  1. Modify the LdapUserAuthenticator to be “SSO aware” - i.e. read the SSO settings to find from which HTTP header to retrieve the username, and even if the principal password is empty, sync LDAP for that user before failing the authentication. The SSO plugin would then authorize the user and roles would be in sync with LDAP.

  2. Split authentication and role sync in LdapUserAuthenticator and always “sync” after a successful login regardless of which authenticator was used. This seems like an important refactor of the authentication plugin API, but I feel it would be the cleanest way to achieve this (i.e. apply the list of authenticators from top to bottom until one succeeds, then apply another list of role syncs from top to bottom until one succeeds).

  3. Make SSO “LDAP aware”: have it retrieve the LDAP settings, load an “LdapUserAuthenticator” using injection, and call updateFromLdap on it if LDAP is enabled and the user has just signed in.


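Added illustration of option 2 from the post above (two separate chains: authenticators tried top to bottom until one succeeds, then role providers tried top to bottom until one succeeds). This is not code from the post or from Graylog; every interface and class name here is hypothetical and only stands in for the plugin API. The header name, proxy address, users, password and group DNs are constructed sample data. The one check worth noticing is in the SSO authenticator: a username header is only trusted when the request arrived from the reverse proxy that sets it, because from any other peer the header can be supplied by the client.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

/*
 * Added illustration, not Graylog code: a chain of authenticators tried top to
 * bottom until one succeeds, then a separate chain of role providers tried top
 * to bottom until one succeeds. All types are hypothetical stand-ins for the
 * plugin interfaces; users, headers, addresses and group DNs are constructed.
 * Requires Java 16+ (records).
 */
public class AuthRoleChains {

    /** Headers, the peer address the request arrived from, and optional form credentials (null for pure SSO). */
    record Request(Map<String, String> headers, String remoteAddr, String username, char[] password) {}

    record Session(String principal, Set<String> roles) {}

    /** Answers only "who is this?". */
    interface Authenticator { Optional<String> authenticate(Request req); }

    /** Answers only "what roles does this principal hold?"; empty means "unknown to me, ask the next provider". */
    interface RoleProvider { Optional<Set<String>> rolesFor(String principal); }

    /** Trusted-header SSO. The header is believed only when the request came from the reverse
     *  proxy that sets it; from any other peer it could have been forged by the client. */
    static final class HeaderSsoAuthenticator implements Authenticator {
        private final String headerName;
        private final Set<String> trustedProxies;
        HeaderSsoAuthenticator(String headerName, Set<String> trustedProxies) {
            this.headerName = headerName; this.trustedProxies = trustedProxies;
        }
        @Override public Optional<String> authenticate(Request req) {
            if (!trustedProxies.contains(req.remoteAddr())) return Optional.empty();
            String user = req.headers().get(headerName);
            return (user == null || user.isBlank()) ? Optional.empty() : Optional.of(user.trim());
        }
    }

    /** Stand-in for an LDAP bind: checks the password against SHA-256 digests held in memory.
     *  A real authenticator binds to the directory instead; an empty password is never a bind. */
    static final class DirectoryBindAuthenticator implements Authenticator {
        private final Map<String, byte[]> digests = new HashMap<>();
        DirectoryBindAuthenticator addUser(String user, String password) {
            digests.put(user, sha256(password.toCharArray())); return this;
        }
        @Override public Optional<String> authenticate(Request req) {
            if (req.username() == null || req.password() == null || req.password().length == 0) return Optional.empty();
            byte[] expected = digests.get(req.username());
            boolean ok = expected != null && MessageDigest.isEqual(expected, sha256(req.password())); // constant-time
            return ok ? Optional.of(req.username()) : Optional.empty();
        }
        private static byte[] sha256(char[] pw) {
            try { return MessageDigest.getInstance("SHA-256").digest(new String(pw).getBytes(StandardCharsets.UTF_8)); }
            catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
    }

    /** Role sync from group membership: principal -> group DNs -> application roles.
     *  The two maps stand in for an LDAP group search. */
    static final class GroupRoleProvider implements RoleProvider {
        private final Map<String, Set<String>> userGroups;
        private final Map<String, String> groupToRole;
        GroupRoleProvider(Map<String, Set<String>> userGroups, Map<String, String> groupToRole) {
            this.userGroups = userGroups; this.groupToRole = groupToRole;
        }
        @Override public Optional<Set<String>> rolesFor(String principal) {
            Set<String> groups = userGroups.get(principal);
            if (groups == null) return Optional.empty();
            Set<String> roles = new TreeSet<>();
            for (String g : groups) { String r = groupToRole.get(g); if (r != null) roles.add(r); }
            return Optional.of(roles);
        }
    }

    /** Runs both chains. Fails closed: a principal no role provider knows is denied, not given a default role. */
    static Optional<Session> login(List<Authenticator> authenticators, List<RoleProvider> providers, Request req) {
        for (Authenticator a : authenticators) {
            Optional<String> principal = a.authenticate(req);
            if (principal.isEmpty()) continue;            // next authenticator
            for (RoleProvider p : providers) {
                Optional<Set<String>> roles = p.rolesFor(principal.get());
                if (roles.isPresent()) return Optional.of(new Session(principal.get(), roles.get()));
            }
            return Optional.empty();                       // authenticated but unknown to every role source
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        String adminsDn = "cn=graylog-admins,ou=groups,dc=example,dc=com";   // constructed group DN
        List<Authenticator> authenticators = List.of(
                new HeaderSsoAuthenticator("X-Remote-User", Set.of("10.0.0.2")),   // assumed proxy address
                new DirectoryBindAuthenticator().addUser("alice", "correct horse"));
        List<RoleProvider> providers = List.of(
                new GroupRoleProvider(Map.of("alice", Set.of(adminsDn)), Map.of(adminsDn, "Admin")));

        // 1. SSO through the trusted proxy: identity from the header, roles from the directory.
        System.out.println(login(authenticators, providers,
                new Request(Map.of("X-Remote-User", "alice"), "10.0.0.2", null, null)));
        // 2. Same header sent straight from a client: header ignored, no password to bind with, denied.
        System.out.println(login(authenticators, providers,
                new Request(Map.of("X-Remote-User", "alice"), "203.0.113.9", null, null)));
        // 3. Form login: identity from the bind, the same role sync applies.
        System.out.println(login(authenticators, providers,
                new Request(Map.of(), "203.0.113.9", "alice", "correct horse".toCharArray())));
    }
}
```

The point of the split is that the role chain never sees a password and the authenticator chain never sees a group: whichever authenticator established the identity, the same role sync runs afterwards. The chain also fails closed when no role source knows the principal, which is the safer default for a user who was authenticated by a header rather than by the directory itself.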
(Jan Doberstein) #2

Hej @gpetit

What you would like to have is currently not possible. You would need to implement that with your own plugin.

Your wishlist would be:

  • Authenticate via SSO
  • Authorization via LDAP

We already have the following feature request:

https://github.com/Graylog2/graylog2-server/issues/3968


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.