Comments (5)
Hey thanks for bringing this up, as I'm not super familiar w/ LDAP. Basically what you're describing is a flow that looks like:
- User enters credentials in web app
- Server takes those credentials and attempts to bind/connect to LDAP using them.
- If LDAP rejects the credentials, user is NOT authenticated.
- If LDAP accepts the credentials, user IS authenticated.
Are there typically any additional steps made to retrieve details about the user and the groups associated with the user?
from kafka-webview.
Thanks for getting back so quickly. I'm no LDAP expert myself, I just tried to integrate webview with our server and came across the problem here. The flow you describe is accurate. My impression is that during the bind process additional details about the user can be retrieved such as group membership.
From my current understanding, one important thing is that "ldaps://" is used when sending passwords in plain text, and the LDAP server needs to be set up to support this.
It sounds like spring supports this process natively, I found the following two resources:
https://docs.spring.io/spring-security/site/docs/3.0.x/reference/ldap.html
https://stackoverflow.com/questions/5255158/spring-ldap-bind-for-successful-connection
All this being said, I don't know much about LDAP myself, so take this with a grain of salt.
from kafka-webview.
Yea, let me do some research and understand the most common way ldap is integrated. I followed this tutorial which may or may not have been the best reference.
from kafka-webview.
So digging in, it looks like SpringBoot's out of the box LDAP integration supports two modes of integration:
For LDAP servers with anonymous access, it connects anonymously and searches for a matching user record. I imagine this use case is not very common.
For LDAP servers that do NOT have anonymous access, you provide a management userDn and password. SpringBoot's integration will bind using these credentials, and then perform the user lookup as described above.
What has been described in this issue would be a third mode, where the user supplied credentials are used to bind to LDAP. Assuming LDAP accepts those credentials and the bind is successful, the above search would be performed to find the matching user's groups. From looking online it appears as though this is not supported out of the box, but likely possible to implement with a bit of custom coding.
from kafka-webview.
@Crim ,
Your analysis is right for connecting to the LDAP server: the application needs to authenticate if the server doesn't allow anonymous binding.
The problem here is more to actually authenticate the users connecting to kafka-webview, and more precisely to overcome the limit imposed by most seriously configured LDAP servers: you can't retrieve password hashes, so no local compare is possible within kafka-webview.
The most common way to get around this is exactly what you described before:
- User enters credentials in web app
- Server takes those credentials and attempts to bind/connect to LDAP using them.
- If LDAP rejects the credentials, user is NOT authenticated.
- If LDAP accepts the credentials, user IS authenticated.
-> In this context, there is no need to use a separate Bind DN for the application itself...
Once you are connected as this user, you can query his group membership (for Active Directory, all the memberOf fields of the user record).
from kafka-webview.
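The bind-as-the-user flow discussed in this thread, written as an added Spring Security configuration example (not kafka-webview's own code, and not from the linked Spring docs). It assumes a hypothetical directory at ldap.example.com with users under ou=people and groups under ou=groups; the DN pattern and group filter would need to match your directory:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
public class LdapBindAsUserConfig {

    // Hypothetical server; ldaps:// keeps the user's password off the wire in clear text.
    private static final String LDAP_URL = "ldaps://ldap.example.com:636/dc=example,dc=com";

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        // No userDn/password is set here: with a DN pattern (below) the only bind
        // performed is the one using the end user's own credentials, so the
        // application does not need a separate management Bind DN.
        return new DefaultSpringSecurityContextSource(LDAP_URL);
    }

    @Bean
    public LdapAuthenticationProvider ldapAuthenticationProvider(
            DefaultSpringSecurityContextSource contextSource) {

        // Step 1: build the user's DN from the login name and bind as that user.
        // A rejected bind means the credentials are wrong and the user is NOT
        // authenticated; a successful bind means the user IS authenticated.
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});

        // Step 2: after a successful bind, look up the groups the user belongs to.
        // {0} is replaced with the user's full DN, so this finds group entries that
        // list the user as a member. (For Active Directory the same information is
        // also carried on the user entry's memberOf attributes.)
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupSearchFilter("(member={0})");
        populator.setGroupRoleAttribute("cn");

        return new LdapAuthenticationProvider(authenticator, populator);
    }
}
```

If usernames cannot be mapped to a DN by a fixed pattern, BindAuthenticator can instead be given a FilterBasedLdapUserSearch, but that initial search runs before the user's bind and therefore needs anonymous access or a management Bind DN on the context source.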