Loomio
March 17th, 2014 05:01

LDAP Authentication way past due

Bryan

First I'd like to thank you guys for the Diaspora and all of the developer contributions. I have nothing but praise for the Diaspora Project, but LDAP authentication is way past due.

I drop by the IRC channel every once in a while and I ask about LDAP authentication, and I am greeted with a bit of reticence each time. I was told by a developer that none of the developers have the environment, so it's not really a priority.

I was also told that I should implement it myself, as if LDAP is of very little consequence... like LDAP was some special feature that only I had a use case for. I actually did implement LDAP on my private pod, which is running to this day, but the code can't be updated because it breaks it.

Why isn't LDAP auth on the roadmap for Diaspora? Mind you, I don't know Ruby, but I got my pod to authenticate via LDAP and grab the user's picture from the directory as well. I almost got it working again with 0.3.0.3 and I'll eventually succeed, but it's a lot of work for something that frankly should already be there. I can't/won't open my pod up for registrations without LDAP authentication.

Diaspora would be running in a lot of schools, companies and large user environments. Even MediaGoblin has LDAP support via python-ldap; it's just what you expect. Diaspora adoption and code contributions would definitely skyrocket if LDAP authentication were there.

At this late date in the project, why is it not implemented yet? Most importantly, do you guys not think that LDAP authentication and third-party authentication support is critical?

Thanks,

Bryan

Rasmus Fuhse

Rasmus Fuhse March 17th, 2014 07:53

LDAP is great, just as you said. But most developers here don't have the environment or the experience to create a connection to Active Directory. LDAP is definitely a feature for companies, universities, schools and other organisations. The current userbase of diaspora is driven by freedom-lovers. So LDAP support would open diaspora up for a new kind of diaspora users and developers, but the current developers have enough to do with different stuff like federation fixing.


[deactivated account] March 17th, 2014 09:15

Hi Bryan.

Most importantly, do you guys not think that LDAP authentication and third-party authentication support is critical?

I can't speak for others, but no, I don't think it's critical in the slightest. Sure, it's a "nice to have" feature, but to my knowledge yours is the only ever request for LDAP support within Diaspora.

In terms of the roadmap, a feature with so little demand would probably not even make it onto the roadmap.

I understand where you're coming from; we run message forums on our corporate network here for thousands of users via LDAP and frankly, I'd be lost without it, but in terms of Diaspora I just don't see the demand for it (in terms of actual requests).

If you've been able to get LDAP auth working with D* in the past, that's one hell of an achievement and you're to be congratulated for it - even more so if you can get it working with 0.3.0.x. How about a blog post detailing your experiences and what's required to accomplish the support?

Jonne Haß

Jonne Haß March 17th, 2014 10:49

I'm said developer and I still stand by that point.

There's no core contributor using LDAP; if we implement support for it in the core code we'd need an environment to verify it still works as development goes on. That simply does not exist. We dropped other deployment specifics and methods for this very reason, one example being Capistrano support. Even OpenShift support is maintained in a separate repository by me.

In my almost four years contributing to diaspora I've seen three or four requests for LDAP support. Implementing LDAP support actually isn't much effort for a somewhat experienced Rails developer, given that there are plugins for our authentication framework. As said, we just don't have a test environment for it, nor do any of the core members have personal motivation to maintain it. If it really is that much needed a feature, why don't we have a steady contributor maintaining it?

Therefore I also don't see the high potential in the additional user base that you see.

Jason Robinson

Jason Robinson March 17th, 2014 18:44

@bryan if you have made it for your own pod, why not contribute it to diaspora* upstream? We're all contributing in our spare time and extra developers are always welcome.

I'm sure a well made LDAP authentication implementation would be welcome if someone did it. As Jonne said, no one has, so it doesn't exist.

Jonne Haß

Jonne Haß March 17th, 2014 20:53

I'd only welcome it upstream if you can guarantee to also maintain it upstream, though. I'm repeating myself, but nobody currently contributing to upstream does, so it'll go stale and will just be dropped then.


lebarjack March 19th, 2014 09:30

Is there any possibility to modularize authentication?
If it's decoupled from the core Diaspora* source code, it will be easier for external developers to add whatever authentication scheme they want (OpenID, LDAP, Kerberos, CAS...).

Jonne Haß

Jonne Haß March 19th, 2014 18:21

It's already pretty much decoupled: we use Devise, which is an authentication framework for Rails; there are several plugins for it, and yes, there's one for LDAP.
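Whichever Devise plugin or fork ends up doing the lookup, the step that tends to go wrong in a homegrown LDAP login is turning the username from the login form into a directory search. The following is an added example, not Diaspora's or Devise's code: plain Ruby with no LDAP server, showing RFC 4515 filter escaping and the empty-password check that LDAP simple bind requires (an empty password is an anonymous bind that "succeeds", RFC 4513 section 5.1.2). The attribute name `uid` and object class `inetOrgPerson` are assumptions for the example.

```ruby
# Added example, not Diaspora or Devise code. Demonstrates the two checks an
# LDAP login strategy needs before it touches the directory:
#   1. escape the username before interpolating it into a search filter
#      (RFC 4515), so "*" or ")(" in the input cannot rewrite the query;
#   2. refuse empty passwords, because an LDAP simple bind with an empty
#      password is an unauthenticated (anonymous) bind that returns success.
# Pure Ruby; no server, no gems. "uid"/"inetOrgPerson" are assumed values.

# RFC 4515 escaping for a value placed inside a search filter:
# backslash, asterisk, parentheses and NUL become \XX hex escapes.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) do |c|
    "\\" + c.ord.to_s(16).rjust(2, "0")
  end
end

# Filter used to find the account that is logging in (safe form).
def login_filter(username, attribute: "uid")
  "(&(objectClass=inetOrgPerson)(#{attribute}=#{ldap_filter_escape(username)}))"
end

# The naive form, kept only so the difference is visible in a test:
# raw interpolation lets the login field change the filter's structure.
def unsafe_login_filter(username, attribute: "uid")
  "(&(objectClass=inetOrgPerson)(#{attribute}=#{username}))"
end

# Gate that must run before any bind attempt: a blank username makes the
# filter meaningless, and an empty password must never reach simple bind.
def valid_login?(username, password)
  !username.to_s.strip.empty? && !password.to_s.empty?
end

if __FILE__ == $PROGRAM_NAME
  puts login_filter("alice")
  puts login_filter("x)(uid=*")          # hostile input, escaped
  puts unsafe_login_filter("x)(uid=*")   # same input, structure altered
  puts valid_login?("alice", "")         # false
end
```

The wildcard of the raw form matches every `uid`, which is exactly the case the escaping function removes; the password gate closes the anonymous-bind hole regardless of which Devise strategy performs the bind.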

Maciek Łoziński

Maciek Łoziński March 20th, 2014 09:29

Perhaps @bryan could open-source his LDAP implementation so other podmins could install it and other developers could contribute to it. Maybe it could be made as some kind of plugin.

Jonne Haß

Jonne Haß March 20th, 2014 12:36

That's what I said: I see maintaining such functionality in a fork as the solution, as I do for OpenShift support, for example.

Bryan

Bryan March 20th, 2014 21:02

@macieklozinski my so-called "implementation" is not closed source; also, it's not nice to insinuate such a selfish act. It was an awful hack that I just so happened to get working. I repeat... I do not know Ruby, nor did I really attempt to learn it while I made it work.

So you can't quite call this an implementation or a "solution". It was a fix, which worked back when the code was at commit 4006c1502edd04cd4f7e4b48dc2c1681f96437e0, i.e. March 2012.

Me having to argue the point about this being in the core of D* is like having to convince a hotdog vendor to sell buns with the hotdogs!

Yet I am currently trying again and I'll get it to work, but perhaps not before the deadlines by which I'd like to have my pod up. Once I get it working again I'll make sure to post it somewhere. That doesn't mean that everyone will just be able to use it seamlessly as I hoped, but at least it can be referenced.

Bryan

Maciek Łoziński

Maciek Łoziński March 20th, 2014 21:16

Sorry, @bryan. I didn't know that your solution was already open source.

Rasmus Fuhse

Rasmus Fuhse March 21st, 2014 05:38

Fun fact: adding some lines to AGPL code will always be an open-source changeset because of the strong copyleft of the (A)GPL.


Alexander Kallenbach July 31st, 2014 08:11

I totally agree with Bryan. LDAP authentication is way past due!


[deactivated account] August 1st, 2014 06:14

FWIW: Libertree implemented LDAP auth upon request. It's neither difficult nor a maintenance burden (I personally don't use LDAP on my server). To keep it working there are tests, and there are usually no changes made to the authentication code that would break this.

There are very simple-to-use LDAP servers out there, such as 389 Directory Server.

Libertree isn't using Devise for auth, but you are free to check out our code and take whatever you like.

Jason Robinson

Jason Robinson August 1st, 2014 17:14

I'd vote for merging LDAP in, BUT someone needs to write the code. Endlessly requesting that someone do it will not make it happen :)

Augier

Augier August 2nd, 2014 18:43

Could this be part of a bigger project? I mean: let people have different ways to authenticate? E.g., would a Mozilla Persona authentication mechanism be difficult or exhausting to maintain?

Augier

Augier August 2nd, 2014 22:00

Ah! Sorry! Didn't know!

Jason Robinson

Jason Robinson August 2nd, 2014 22:11

@augier no need to be sorry :D Just pointing out that there is already discussion about it :)

Augier

Augier August 2nd, 2014 22:34

Ok. I don't see any pull request for that feature. Has anybody worked on it until then?

Jason Robinson

Jason Robinson August 3rd, 2014 14:33

@augier no, it was just discussion :P

Boris Rybalkin

Boris Rybalkin February 7th, 2017 08:32

I cannot seem to find any code; could you share a link?
I would like to maintain and test a simple (no UI) LDAP integration.
I am developing the syncloud.org app store, and we have an OpenLDAP server on the device to allow users to install apps and use the same credentials.
As to the lack of an environment for core developers, this is no longer an issue, as you can get your Raspberry Pi and in 10 minutes have diaspora with an LDAP server on it :)

We even have integration tests:
https://github.com/syncloud/diaspora/blob/master/integration/verify.py