As a user I can log in using my organization's LDAP credentials

Q1. What is the problem that you are trying to solve?
Large organizations already have a directory with people's names and details, as well as a “global password”; it would make sense for the organization to be able to leverage that data.
See also: As an admin I can import people and groups from an LDAP directory - #5 by remy

Note: this will create additional issues that would need to be solved as well:
a- Potentially people will be using a “weaker” authentication mechanism, see: Passbolt Help | Authentication in passbolt
b- Users would still need to type their passphrase to decrypt secrets: it will be confusing as they will be asked for two passwords in different contexts (e.g. one to log in, one to decrypt passwords)
c- It could create a deadlock scenario: the user stored their LDAP password in passbolt, but needs the LDAP password to log in.
d- Passbolt becomes unusable if LDAP is offline or in maintenance
e- It makes other future features such as offline use more complicated

Q2 - Who is impacted?
Organizations having a directory.

Q3 - Why is it important and/or urgent?
It is strategic for passbolt to solve the needs of larger organizations.

Q4 - What is your proposed solution? (optional)

Potential ways to work around the additional issues:

  • Do not use a passphrase specific to passbolt but leverage the password from LDAP: e.g. keep the use of the key but only use the passphrase under the hood. For example, the passphrase is encrypted using a secret stored in LDAP? This changes the security model, however.

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

0 voters

Sorry for my late reply on this. Are you tackling this now?

Some remarks to the points above:
Q1:
a- It is true that the auth mechanism for LDAP might be weaker. LDAP could also only be used to prove the identity of a person, and not directly to encrypt the secret.

b- This is true; again, the LDAP “login” could only be necessary to create the account at the first login. Afterwards it can be checked whether the LDAP account is active without the user's password, and the account dismissed if the initial LDAP account is not available any more. (From experience, users will use the same password for the secret as they use for the LDAP login, so you might also consider handling this transparently.)

c- The LDAP password needs to be restorable through an organisational process. You are right that this will not help to decrypt the secret. So again, it is probably best to first use LDAP to prove the identity of a user (and also provide some information … name, office, picture …) and then second to check whether the identity is still valid. But make it clear to the user that the password for Passbolt is not a “login” but more like an independent master password.

d- Again, not if LDAP is only used for proof of ID.

Q3:
Basically it is necessary that a user can trust that a user in passbolt is the user she knows from the other company systems. (Especially for shared passwords.)

  • A further use case might be that a user can share a password with an LDAP group (where the definition of the group might change over time in the LDAP). I know this might also give some headaches, as at least one member of the group needs to decrypt the passwords for a potential new group member.

Q4:
Multiple options:
1.) Use LDAP only for the account creation process. The user needs to verify against LDAP to be able to create an account. Second, the LDAP is polled continuously to dismiss a Passbolt user as soon as the user becomes inactive. (Should be optional; an organisation might consider letting the user use the Passbolt instance indefinitely.)

2.) Use the LDAP password as passphrase for Passbolt: first authenticate against LDAP; if successful, use the same credentials to decrypt the secret. (Problems ahead with deadlocks and password resets.)

3.) Use LDAP only as a lookup to verify whether an “email” is valid in the LDAP and thus can be used to create an account on the organisational Passbolt.

I hope this gives some ideas. Cheers
Michael
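The polling half of Michael's option 1 (and the address lookup of option 3), as an added example that is not code from this thread or from passbolt itself. It assumes the directory is Active Directory-like, so an account's disabled state is the ACCOUNTDISABLE bit (0x2) of userAccountControl, and that a read-only service account periodically exports `mail` and `userAccountControl` with something like `ldapsearch -LLL -x -H ldaps://dc.example.com -D "$BIND_DN" -W -b "DC=example,DC=com" "(objectClass=user)" mail userAccountControl` (assumed invocation, not run here). The LDIF below is constructed sample data, so the script runs offline; the passbolt user list is likewise a stand-in for whatever the real instance exposes. No user password is involved at any point, which is what keeps the deadlock and "LDAP is down" problems out of this path.

```python
"""Added example: dismiss passbolt users whose directory account is gone or
disabled, using only a service-account LDIF export (no user passwords)."""
import base64
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl flag bit


@dataclass(frozen=True)
class DirectoryEntry:
    dn: str
    mail: str
    disabled: bool


@dataclass(frozen=True)
class PassboltUser:  # stand-in for a passbolt user record (assumption)
    email: str
    active: bool


def _records(text: str):
    """Split LDIF into records; fold continuation lines (leading space)
    back onto the attribute line they belong to."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if lines:
                yield lines
                lines = []
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    if lines:
        yield lines


def _attr(line: str) -> tuple[str, str]:
    """Decode 'attr: value' or base64-encoded 'attr:: dmFsdWU=' lines."""
    key, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8")
    return key.strip(), value.strip()


def parse_ldif(text: str) -> dict[str, DirectoryEntry]:
    """Index entries by lower-cased mail (mail is case-insensitive, so the
    lookup must be too). Entries without mail (service accounts) are skipped."""
    entries: dict[str, DirectoryEntry] = {}
    for record in _records(text):
        attrs = dict(_attr(line) for line in record)
        mail = attrs.get("mail")
        if not mail:
            continue
        uac = int(attrs.get("userAccountControl", "0"))
        entries[mail.lower()] = DirectoryEntry(
            dn=attrs.get("dn", ""), mail=mail, disabled=bool(uac & ACCOUNTDISABLE))
    return entries


def may_create_account(email: str, directory: dict[str, DirectoryEntry]) -> bool:
    """Option 3 / first step of option 1: address must exist and not be disabled.
    Option 1 would additionally bind as the user with their password; that
    part needs a live server and is not simulated here."""
    entry = directory.get(email.lower())
    return entry is not None and not entry.disabled


def reconcile(users, directory, keep_orphans=False):
    """Return {email: reason} for every active passbolt user to dismiss.
    keep_orphans=True is the 'let them keep using passbolt' option: users
    missing from the directory stay, only explicitly disabled ones go."""
    actions = {}
    for user in users:
        if not user.active:
            continue  # already dismissed, nothing to do
        entry = directory.get(user.email.lower())
        if entry is None:
            if not keep_orphans:
                actions[user.email] = "not-in-directory"
        elif entry.disabled:
            actions[user.email] = "disabled-in-directory"
    return actions


# Constructed sample export. 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD (0x10000). Carol's dn is folded and
# her mail is base64-encoded to exercise both LDIF forms.
SAMPLE_LDIF = """\
# constructed sample, not a real directory
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
mail: alice@example.com
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
mail: bob@example.com
userAccountControl: 514

dn: CN=Carol Example,OU=Staff,
 DC=example,DC=com
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=
userAccountControl: 66048

dn: CN=svc-backup,OU=Service,DC=example,DC=com
userAccountControl: 512
"""

SAMPLE_USERS = [  # constructed passbolt state
    PassboltUser("alice@example.com", True),
    PassboltUser("bob@example.com", True),
    PassboltUser("Carol@example.com", True),
    PassboltUser("dave@example.com", True),   # left the company, entry deleted
    PassboltUser("erin@example.com", False),  # already dismissed earlier
]

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for email, reason in reconcile(SAMPLE_USERS, directory).items():
        print(f"dismiss {email}: {reason}")
```

Run as a cron job after each export, `reconcile()` yields Bob (disabled in the directory) and Dave (no entry any more) while leaving Alice, Carol and the already-inactive Erin alone; with `keep_orphans=True` only Bob is dismissed. Matching on lower-cased `mail` matters because directory addresses are case-insensitive and users sign up with whatever casing they like.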

Currently done with Azure AD, but not LDAP.