
feat: Implement LDAP authentication

Dmitry Ivanov requested to merge funbringer/implement-ldap-auth into 2.11.0-picodata

This authentication method doesn't store any secrets; instead, we delegate the whole auth to a pre-configured LDAP server. In the method's implementation, we connect to the LDAP server and perform a BIND operation which checks the user's credentials.

Usage example:

box.schema.user.create('demo', { auth_type = 'ldap' })

-- Configure LDAP server connection URL and DN format string.
os = require('os')
os.setenv('TT_LDAP_URL', 'ldap://localhost:1389')
os.setenv('TT_LDAP_DN_FMT', 'cn=$USER,ou=users,dc=example,dc=org')

-- Authenticate using the LDAP authentication method via net.box.
conn = require('net.box').connect(uri, {
    user = 'demo',
    password = 'password',
    auth_type = 'ldap',
})

Additionally, now it's possible to specify the desired authentication method during user creation via auth_type, e.g.

box.schema.user.create('mickey', { auth_type = 'chap-sha1',
                                   password = 'foobar' })

Furthermore, authentication methods may now specify that they don't require a password to create stored authentication info. Example:

box.schema.user.create('mickey', { auth_type = 'ldap' })

The patch is designed to be fully backwards-compatible; no extra migration steps should be required during upgrade.


Note that this patch adds two new dependencies: libldap (LDAP) & libsasl2 (SASL). In order to eliminate the need to install development packages for those dependencies, by default we use bundled sources (or downloaded tarballs) which are then built and linked statically. However, this doesn't rule out all the other build types available previously: it's still possible to build the whole project in dynamic linking mode (using -DENABLE_BUNDLED_LDAP=OFF) or e.g. using the static-build method (forcing everything to be static).

Examples (when in build dir):

# (Default) build static libldap & libsasl2
cmake ..

# Use dynamic linking
cmake .. -DENABLE_BUNDLED_LDAP=OFF

# Build everything using static-build
cmake ../static-build

It's also worth mentioning that both of those libraries (sans -dev parts) are highly likely to be installed in any modern Linux distribution.

Tests require a working LDAP server, so we download a platform-compatible build of GLAuth as well. For now, we support 4 targets: {Linux,Darwin}{amd64,arm64} (that should be enough).

We should probably adjust the CI's docker image at some point, but it's defined elsewhere and thus out of scope of this patch.
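The DN format string in the usage example above substitutes the user name into an LDAP DN before the BIND. As an added example (not code from this merge request or from the project), here is a client-side DN builder in Python that applies RFC 4514 escaping to the substituted name and refuses a simple bind with an empty password, which RFC 4513 defines as an "unauthenticated" bind that servers may accept as anonymous; the function names, the `os.environ` lookup of TT_LDAP_DN_FMT and the checks themselves are assumptions about what a bind client should do, not a description of the patch's implementation.

```python
import os

# Characters that RFC 4514 section 2.4 requires to be escaped anywhere
# inside an attribute value of a DN.
_DN_SPECIAL = '"+,;<>\\'


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied string for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')              # NUL must be hex-escaped
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)           # e.g. ',' -> '\,'
        elif (i == 0 and ch in '# ') or (i == last and ch == ' '):
            out.append('\\' + ch)           # leading '#'/space, trailing space
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(dn_fmt: str, user: str) -> str:
    """Expand $USER in a format string like the page's TT_LDAP_DN_FMT.

    Escaping happens before substitution, so a name such as
    'demo,ou=admins' cannot add an extra RDN to the template.
    """
    return dn_fmt.replace('$USER', escape_dn_value(user))


def prepare_simple_bind(dn_fmt: str, user: str, password: str) -> str:
    """Return the DN to bind with, or raise if the request would be unsafe.

    RFC 4513 section 5.1.2: a simple bind with a DN and an empty password is
    an unauthenticated bind; many servers answer it with success as anonymous,
    so it must never be treated as proof of the user's identity.
    """
    if not user or '$USER' not in dn_fmt:
        raise ValueError('user name and a $USER placeholder are required')
    if password == '':
        raise ValueError('refusing unauthenticated (empty password) bind')
    return build_bind_dn(dn_fmt, user)


def bind_dn_from_env(user: str, password: str) -> str:
    """Read the format string from TT_LDAP_DN_FMT, as the page's example sets it."""
    return prepare_simple_bind(os.environ['TT_LDAP_DN_FMT'], user, password)
```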
