LDAP support
We'd like to be able to use an existing LDAP database for user authentication.
There are many ways to go about this. For now we'd like to start with authentication only. App permissions would still be stored in the single-sign-on database.
Rough plan:
- the configuration would have a toggle to enable LDAP, and settings to configure the LDAP server, bind credentials etc.;
- the consent provider would create (on first login) or update (on subsequent logins) an internal user object based on information from the login;
- the login provider's `_verify_password` would do the authentication either via LDAP or via local database, depending on a radio button (or similar) in the login form, so you could actually have LDAP users and internal, non-LDAP users at the same time;
- as a special case, the admin user would still be created as it is now, so as a local user object with preset password;
- `user-panel` would need some changes as well, see user-panel#43.
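
A sketch of the dispatch the plan describes for `_verify_password`, as an added example that is not the project's code: `backend` stands for the login form's radio button, and the `admin` username, the `verify_*` helper names, the injected `ldap_bind` callable and all sample data are assumptions constructed for illustration. It also rejects empty passwords and escapes the username before it reaches an LDAP filter, two checks an LDAP login path needs.

```python
import hashlib
import hmac

# Characters that must be escaped inside an LDAP search filter value (RFC 4515).
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
SALT = b"constructed-salt"  # constructed sample value

def escape_filter_value(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_local(local_users, username, password):
    record = local_users.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))

def verify_ldap(ldap_bind, username, password):
    # A simple bind with an empty password is an "unauthenticated bind"
    # (RFC 4513, section 5.1.2) and may succeed, so refuse it up front.
    if not password:
        return False
    return ldap_bind("(uid=%s)" % escape_filter_value(username), password)

def verify_password(username, password, backend, *, ldap_enabled, local_users, ldap_bind):
    # Assumption: the admin account is named "admin"; it always stays local,
    # even if the form selects LDAP.
    if username == "admin" or backend == "local":
        return verify_local(local_users, username, password)
    if backend == "ldap" and ldap_enabled:
        return verify_ldap(ldap_bind, username, password)
    return False

# Constructed sample data: one local admin, one directory user.
LOCAL_USERS = {"admin": (SALT, hash_password("admin-local-pw", SALT))}

def fake_ldap_bind(user_filter, password):
    # Hypothetical stand-in for search-then-bind against a real server; like
    # some servers, it lets an empty-password bind through.
    directory = {"(uid=alice)": "alice-ldap-pw"}
    return user_filter in directory and password in ("", directory[user_filter])
```

In a real deployment `ldap_bind` would wrap the LDAP client library's search and bind calls, driven by the server and bind-credential settings from the configuration.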