Add Directory Authentication and Role Mapping #1191
Draft
sempervictus wants to merge 1 commit into
Implement trait-based external authentication provider architecture
supporting LDAP/LDAPS with dynamic user provisioning and group-based
RBAC mapping.
The implementation enables deployment owners to leverage existing
Active Directory or OpenLDAP directories for user authentication and
role assignment. Users are automatically provisioned on first
authentication based on directory group membership mapped to OpenFang
roles (owner/admin/user/viewer).
Key features:
- LDAPS support with TLS/SSL and self-signed certificate handling
- Group-to-role mapping with privilege hierarchy (higher role wins)
- Automatic user provisioning from directory attributes
- Credential separation (bind passwords in env until vaults work)
- Connection timeout enforcement and certificate validation
- Seamless integration with existing static user configuration
The trait-based design allows future extension to SAML and OIDC
providers while maintaining a consistent authentication interface.
Security considerations:
- TLS enforcement required for all LDAP connections
- Bind credentials never stored in configuration files
- Certificate validation enabled by default (bypass disabled)
- Role mappings use regex patterns for flexible group matching
- Users created only after successful directory authentication
Configuration:
```toml
[[external_auth_providers]]
type = "ldap"
name = "active-directory"
uri = "ldaps://dc01.example.com:636"
bind_dn = "CN=Service Account,OU=Service Accounts,DC=example,DC=com"
bind_password_env = "LDAP_BIND_PASSWORD"
base_dn = "DC=example,DC=com"

[external_auth_providers.attribute_mapping]
user_id_attr = "sAMAccountName"
name_attr = "displayName"
email_attr = "mail"
group_attr = "memberOf"

[[external_auth_providers.role_mappings]]
group_pattern = "CN=OpenFang-Admins,OU=Groups,DC=example,DC=com"
role = "admin"

[[external_auth_providers.role_mappings]]
group_pattern = "CN=OpenFang-Users,OU=Groups,DC=example,DC=com"
role = "user"

[[external_auth_providers.role_mappings]]
group_pattern = "CN=OpenFang-Viewers,OU=Groups,DC=example,DC=com"
role = "viewer"

[external_auth_providers.connection]
timeout_secs = 30
tls_enabled = true
ca_cert_path = "/etc/ssl/certs/example-ca.pem"
start_tls = false
disable_tls_verify = false
```
Summary
Implement directory authentication trait and LDAP/S initial directory provider
Changes
Testing
- `cargo clippy --workspace --all-targets -- -D warnings` passes -- unrelated failure in telegram section:
- `cargo test --workspace` passes (wasm targets fail in MPROTECT systems by the way)
Security
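The description above states three behaviours that deserve a concrete check: group-to-role mapping where the higher role wins, provisioning only after a successful bind and only when some group maps to a role, and the bind password coming from an environment variable rather than the config file. The block below is an added example written for this page, not code from the PR or from OpenFang; every name in it (`Role`, `RoleMapping`, `AttributeMapping`, `ProvisionedUser`, `resolve_role`, `provision_user`, `bind_password`) is an assumption. It uses the attribute names and group DNs from the configuration above, and it substitutes a case-insensitive full-DN comparison for the PR's regex `group_pattern` so that it builds with the standard library alone; the constructed directory entry is not real data.

```rust
use std::collections::HashMap;
use std::env;

/// Roles from the PR, declared low to high so derive(Ord) makes `max()`
/// implement "higher role wins". Names are this example's assumption.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role { Viewer, User, Admin, Owner }

/// One `[[external_auth_providers.role_mappings]]` entry. The PR treats
/// `group_pattern` as a regex; here it is matched as a whole DN (anchored,
/// case- and whitespace-insensitive), which is the behaviour an unanchored
/// regex such as `CN=OpenFang-Admins` would silently fail to give.
pub struct RoleMapping { pub group_pattern: &'static str, pub role: Role }

/// The PR's `attribute_mapping` table: which directory attributes to read.
pub struct AttributeMapping {
    pub user_id_attr: &'static str, pub name_attr: &'static str,
    pub email_attr: &'static str, pub group_attr: &'static str,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProvisionedUser { pub user_id: String, pub name: String, pub email: String, pub role: Role }

#[derive(Debug, PartialEq, Eq)]
pub enum ProvisionError {
    MissingAttribute(&'static str), // entry lacks the attribute users are keyed on
    NoRoleMapped,                   // bind succeeded but no group maps to a role: no user
}

/// Canonical DN for comparison: lowercase, each RDN trimmed.
/// (Ignores RFC 4514 escaping; sufficient for the group DNs in the config.)
fn normalize_dn(dn: &str) -> String {
    dn.split(',').map(|rdn| rdn.trim().to_ascii_lowercase()).collect::<Vec<_>>().join(",")
}

/// Highest role across every mapping whose group the user is a member of,
/// or None when nothing matched (the caller must then refuse to provision).
pub fn resolve_role(member_of: &[&str], mappings: &[RoleMapping]) -> Option<Role> {
    let groups: Vec<String> = member_of.iter().map(|g| normalize_dn(g)).collect();
    mappings.iter()
        .filter(|m| groups.iter().any(|g| *g == normalize_dn(m.group_pattern)))
        .map(|m| m.role)
        .max()
}

/// Build the local user record from a directory entry. Call this only after
/// the user's own bind succeeded, as the PR's "users created only after
/// successful directory authentication" requires.
pub fn provision_user(
    entry: &HashMap<&str, Vec<&str>>, attrs: &AttributeMapping, mappings: &[RoleMapping],
) -> Result<ProvisionedUser, ProvisionError> {
    let first = |name: &'static str| -> Result<String, ProvisionError> {
        entry.get(name).and_then(|v| v.first()).map(|s| s.to_string())
            .ok_or(ProvisionError::MissingAttribute(name))
    };
    let user_id = first(attrs.user_id_attr)?;
    let groups = entry.get(attrs.group_attr).cloned().unwrap_or_default();
    let role = resolve_role(&groups, mappings).ok_or(ProvisionError::NoRoleMapped)?;
    Ok(ProvisionedUser {
        user_id,
        name: first(attrs.name_attr).unwrap_or_default(),
        email: first(attrs.email_attr).unwrap_or_default(),
        role,
    })
}

/// The service-account bind password is read from the variable named by
/// `bind_password_env`; the config file itself never carries it.
pub fn bind_password(env_var: &str) -> Result<String, String> {
    env::var(env_var).map_err(|_| format!("bind password env var {} is not set", env_var))
}

pub static ATTRS: AttributeMapping = AttributeMapping {
    user_id_attr: "sAMAccountName", name_attr: "displayName", email_attr: "mail", group_attr: "memberOf",
};
pub static MAPPINGS: [RoleMapping; 3] = [
    RoleMapping { group_pattern: "CN=OpenFang-Admins,OU=Groups,DC=example,DC=com", role: Role::Admin },
    RoleMapping { group_pattern: "CN=OpenFang-Users,OU=Groups,DC=example,DC=com", role: Role::User },
    RoleMapping { group_pattern: "CN=OpenFang-Viewers,OU=Groups,DC=example,DC=com", role: Role::Viewer },
];

/// Constructed entry (not real directory data): member of Users and, with the
/// mixed case and spacing AD may return, Admins; plus a look-alike group that
/// must not match. Expected outcome: Admin.
pub fn sample_entry() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("sAMAccountName", vec!["jdoe"]),
        ("displayName", vec!["Jane Doe"]),
        ("mail", vec!["jdoe@example.com"]),
        ("memberOf", vec![
            "CN=OpenFang-Users,OU=Groups,DC=example,DC=com",
            "cn=openfang-admins, ou=groups, dc=example, dc=com",
            "CN=OpenFang-Admins-Test,OU=Groups,DC=example,DC=com",
        ]),
    ])
}

fn main() {
    match provision_user(&sample_entry(), &ATTRS, &MAPPINGS) {
        Ok(u) => println!("provisioned {} as {:?}", u.user_id, u.role),
        Err(e) => println!("refused: {:?}", e),
    }
}
```

The look-alike group `CN=OpenFang-Admins-Test,...` is the case to keep in mind when the real implementation compiles `group_pattern` as a regex: without `^...$` anchoring, the admin pattern from the config would also match it, and a group an attacker can get added to in another OU would grant admin.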