Loomio
Mon 17 Mar 2014 5:01AM

LDAP Authentication way past due

Bryan

First I'd like to thank you guys for the Diaspora and all of the developer contributions. I have nothing but praise for the Diaspora Project, but LDAP authentication is way past due.

I drop by the IRC channel every once in a while and I ask about LDAP authentication, and I am greeted with a bit of reticence each time. I was told by a developer that none of the developers have the environment, so it's not really a priority.

I was also told that I should implement it myself, as if LDAP is of very little consequence... like LDAP was some special feature that only I had a use case for. I actually did implement LDAP on my private pod, which is running to this day, but the code can't be updated because updating breaks it.

Why isn't LDAP auth on the roadmap for Diaspora? Mind you, I don't know Ruby, but I got my pod to authenticate via LDAP and grab the user's picture from the directory as well. I almost got it working again with 0.3.0.3 and I'll eventually succeed, but it's a lot of work for something that frankly should already be there. I can't/won't open my pod up for registrations without LDAP authentication.

Diaspora would be running in a lot of schools, companies and large user environments. Even MediaGoblin has LDAP support via python-ldap; it's just what you expect. Diaspora adoption and code contributions would definitely skyrocket if LDAP authentication were there.

At this late date in the project, why is it not implemented yet? Most importantly, do you guys not think that LDAP authentication and third-party authentication support is critical?

Thanks,

Bryan

Rasmus Fuhse Mon 17 Mar 2014 7:53AM

LDAP is great, just as you said. But most developers here don't have the environment or the experience to create a connection to an Active Directory. LDAP is definitely a feature for companies, universities, schools and other organisations. The current user base of diaspora is driven by freedom-lovers. So LDAP support would open diaspora up to a new kind of diaspora users and developers, but the current developers have enough to do with other stuff like federation fixing.

Rich Mon 17 Mar 2014 9:15AM

Hi Bryan.

"Most importantly, do you guys not think that LDAP authentication and third-party authentication support is critical?"

I can't speak for others, but no, I don't think it's critical in the slightest. Sure, it's a "nice to have" feature, but to my knowledge yours is the only ever request for LDAP support within Diaspora.

In terms of road map, a feature with such little demand would probably not even make it on to the road map.

I understand where you're coming from; we run message forums on our corporate network here for thousands of users via LDAP and frankly I'd be lost without it, but in terms of Diaspora I just don't see the demand for it (in terms of actual requests).

If you've been able to get LDAP auth working with D* in the past, that's one hell of an achievement and you're to be congratulated for it, even more so if you can get it working with 0.3.0.x. How about a blog post detailing your experiences and what's required to accomplish the support?

Jonne Haß Mon 17 Mar 2014 10:49AM

I'm said developer and I still stand by the point.

There's no core contributor using LDAP. If we implement support for it in the core code, we'd need an environment to verify it still works as development goes on. This simply does not exist. We dropped other deployment specifics and methods for this very reason, one example being Capistrano support. Even OpenShift support is maintained in a separate repository by me.

In my almost four years contributing to diaspora I've seen three or four requests for LDAP support. Implementing LDAP support actually isn't much effort for a somewhat experienced Rails developer, given that there are plugins for our authentication framework. As said, we just don't have a test environment for it, nor do any of the core members have personal motivation to maintain it. If it really is that much of a needed feature, why don't we have a steady contributor maintaining it?

Therefore I also don't see the high potential in the additional user base that you see.

Jason Robinson Mon 17 Mar 2014 6:44PM

@bryan if you have made it for your own pod, why not contribute it to diaspora* upstream? We're all contributing in our spare time, and extra developers are always welcome.

I'm sure a well made LDAP authentication implementation would be welcome if someone did it. As Jonne said, no one has, so it doesn't exist.

Jonne Haß Mon 17 Mar 2014 8:53PM

I'd only welcome it upstream if you can guarantee to also maintain it upstream, though. I'm repeating myself, but nobody currently contributing to upstream does, so it'll go stale and will just be dropped then.

lebarjack Wed 19 Mar 2014 9:30AM

Is there any possibility to modularize authentication?
If it's decoupled from the core Diaspora* source code, it will be easier for external developers to add whatever authentication scheme they want (OpenID, LDAP, Kerberos, CAS...).

Jonne Haß Wed 19 Mar 2014 6:21PM

It's already pretty much decoupled: we use Devise, which is an authentication framework for Rails. There are several plugins for it, and yes, there's one for LDAP.

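What a Devise LDAP plugin actually has to do at login time is a search-then-bind: look the login name up in the directory, then bind as the matching entry's DN with the supplied password. The block below is an added example illustrating that flow and the two checks a podmin would want it to get right; it is not diaspora* code and not the Devise plugin's code. To run offline it talks to an injected directory object (`DirectoryStub`, constructed here) instead of a real server, so `DirectoryStub`, `LdapAuthenticator`, `demo_auth` and the sample entries are all assumptions of this example. The escaping follows RFC 4515 section 3, and the empty-password behaviour of the stub mirrors the unauthenticated bind described in RFC 4513 section 5.1.2.

```ruby
# Added example: search-then-bind LDAP login written against an injected
# directory object so it runs offline. Not diaspora* code and not the Devise
# LDAP plugin's code; DirectoryStub, LdapAuthenticator, demo_auth and the
# sample entries are assumptions made for this example.

# Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
# Without this, a login such as "*)(uid=*" changes the meaning of the filter.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Minimal in-memory stand-in for an LDAP server (constructed for this example).
# entries: { dn => { uid: ..., password: ... } }
class DirectoryStub
  def initialize(entries)
    @entries = entries
  end

  # Supports only exact-match filters of the form "(attr=value)" and returns
  # the matching DNs. Unescaped filter syntax inside the value is rejected;
  # a real server would parse it as a different filter instead.
  def search(filter)
    m = filter.match(/\A\((\w+)=(.*)\)\z/) or return []
    attr, raw = m[1].to_sym, m[2]
    return [] if raw.match?(/[()*]/)
    want = raw.gsub(/\\([0-9a-f]{2})/i) { $1.hex.chr }
    @entries.select { |_dn, e| e[attr] == want }.keys
  end

  # Simple bind. As in RFC 4513 section 5.1.2, a DN with an empty password is
  # an *unauthenticated* bind, which many servers accept, so the stub reports
  # success to make the caller's guard observable.
  def bind(dn, password)
    return true if password.empty?
    e = @entries[dn]
    !e.nil? && e[:password] == password
  end
end

class LdapAuthenticator
  def initialize(directory, login_attr: 'uid')
    @dir = directory
    @login_attr = login_attr
  end

  # Returns the bound DN on success, nil otherwise.
  def authenticate(login, password)
    # Guard 1: never forward an empty password; it becomes an unauthenticated
    # bind that the server may accept, which would log anyone in as `login`.
    return nil if login.nil? || login.empty? || password.nil? || password.empty?
    # Guard 2: escape the login before interpolating it into the filter.
    filter = "(#{@login_attr}=#{ldap_filter_escape(login)})"
    dns = @dir.search(filter)
    return nil unless dns.length == 1 # unknown or ambiguous login
    dn = dns.first
    @dir.bind(dn, password) ? dn : nil
  end
end

# Constructed sample directory for the demo.
SAMPLE_DIRECTORY = DirectoryStub.new({
  'uid=alice,ou=people,dc=example,dc=org' => { uid: 'alice', password: 'correct horse' },
  'uid=bob,ou=people,dc=example,dc=org'   => { uid: 'bob',   password: 'hunter2' }
})

def demo_auth(login, password)
  LdapAuthenticator.new(SAMPLE_DIRECTORY).authenticate(login, password)
end

if __FILE__ == $PROGRAM_NAME
  p demo_auth('alice', 'correct horse') # DN of alice
  p demo_auth('alice', 'wrong')         # nil
  p demo_auth('alice', '')              # nil: empty password refused before bind
  p demo_auth('*)(uid=*', 'x')          # nil: escaped, matches no entry
end
```

The two guards are where hand-rolled LDAP hacks usually go wrong: skipping the empty-password check turns the directory's unauthenticated bind into a login bypass, and interpolating the raw login into the filter lets a crafted username widen the search to other entries.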
Maciek Łoziński Thu 20 Mar 2014 9:29AM

Perhaps @bryan could open-source his LDAP implementation so that other podmins could install it and other developers could contribute to it. Maybe it could be made as some kind of plugin.

Jonne Haß Thu 20 Mar 2014 12:36PM

That's what I said: I see maintaining such functionality in a fork as the solution, as I do for OpenShift support, for example.

Bryan Thu 20 Mar 2014 9:02PM

@macieklozinski my so-called "implementation" is not closed source; also, it's not nice to insinuate such a selfish act. It was an awful hack that I just so happened to get working. I repeat... I do not know Ruby, nor did I really attempt to learn it while I made it work.

So you can't quite call this an implementation or a "solution". It was a fix, which worked back when the code was at commit 4006c1502edd04cd4f7e4b48dc2c1681f96437e0, i.e. March 2012.

Me having to argue the point about this being in the core of D* is like having to convince a hotdog vendor to sell buns with the hotdogs!

Yet I am currently trying again and I'll get it to work, but perhaps not before the deadlines by which I'd like to have my pod up. Once I get it working again I'll make sure to post it somewhere. That doesn't mean that everyone will just be able to use it seamlessly as I hoped, but at least it can be referenced.

Bryan