An admin of I can import people and groups from an LDAP directory

ldap
admin
integration
groups

#1

Q1. What is the problem that you are trying to solve?
I’ve been very happy to find “LDAP integration” on the roadmap, but when I think about it I can find different use cases that need different developments. As a Sysadmin (and CISO) in a university one of my main challenges is to provide my users with exclusive and secured access to resources. An integration with LDAP will help me.

Q2 - Who is impacted?
System and network administrators.

Q3 - Why is it important and/or urgent?
This will increase adoption in organization that uses LDAP, e.g. larger orgs.

Q4 - What is your proposed solution? (optional)

  1. Having a script every night that pulls new users from LDAP to inject them in passbolt could do the trick, but it’ll probably create 70 to 80% never-used accounts. It can be done out of passbolt scope, though.

  2. An interesting option would be to allow self-registration to people only if they can authenticate first against an LDAP directory. The registration process would also pull user details (Name, email, pict?..) from the LDAP.

  3. A nice add-on would be to sync groups from LDAP (crontab for example), and to make it possible for a user to share a secret with a group.

  4. There should be an option to use the LDAP password as additional authentication factor.

ref. https://github.com/passbolt/passbolt_api/issues/22
See also. As a user I can login using my organization LDAP credentials

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

0 voters


Is there anything I can do to smooth future LDAP Integration?
LDAP release date
#2

Not sure if import is the correct wording in the LDAP use cases. Normally a service (passbolt) uses LDAP to authenticate a user (with his organisational password) and populates his infos to the service.


#3

What would be a better wording @loomi?


#4

LDAP can be used as Authentication Method for Passbolt.

(Sign-Up would be disabled and only users which are active in LDAP have a right to log-in.)


#5

LDAP can be used as Authentication Method for Passbolt.

@loomi if LDAP is used as the primary authentication method for passbolt that would have several drawbacks:

  • Using a “weaker” authentication mechanism, see. https://www.passbolt.com/help/tech/auth
  • User would still need to type their passphrase to decryt secrets: it will be confusing as they will be asked for two passwords in different context.
  • It could create a deadlock scenario: the user stored their password for LDAP is in passbolt, but need LDAP password to login.
  • Passbolt becomes unusable if LDAP is offline / in maintenance

I’m curious what other people think of having the approach you describe instead of what we had in mind (more of a sync’ script that populates profiles and group data and optionally ldap password as additional authentication factor).
We’re certainly not set on the approach, but it’s important expectations are clear for everyone.


As a user I can login using my organization LDAP credentials
#6

@loomi created a different issue there: As a user I can login using my organization LDAP credentials


#7

Hi Remy,
you´re right with “deathlock” but there should be enough backup ressources on an AD…not only on server. So for me it looks more like…lights out, AD out… but passbolt too. In that case a good export-function would be the better solution.
But having an ldap behind passbolt, authentication against it, single sign on would be a great idea…

"User would still need to type their passphrase…"
Sounds true so far… but maybe with the 2nd factor solution (depends on what you´ll do) you maybe can use that too inside passbolt to decrypt passwords.

nevertheless… having an ldap, users + groups would improve a lot, as with the groups you´ve people working together, so having that group in passbolt is good to have for sharing inside the group. no hand work needed. last but not least… creating more than 20 accounts by hand is just… stupid unneeded handwork :wink:


#8

OpenLDAP / Active Directory synchronization tool is now available as an experimental feature for Passbolt Pro Edition. You can learn more about it in the v2.3.0 release notes. The stable version of this feature will be announced following the results of this last iteration with the pro users.


LDAP release date