
Active Directory sync or auth #2639

Open
phoenixbackups opened this issue Mar 9, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@phoenixbackups

phoenixbackups commented Mar 9, 2024

EDIT: Changed by @Firstyear on behalf of @phoenixbackups to better express the issue.

Allow synchronisation of accounts from AD/S4 with Kanidm. This may come in two flavours. The first is synchronisation of accounts from AD/S4 into Kanidm. The primary barrier here is how to retrieve NTLM hashes (if possible) from the directory as these are not stored in the partition (if my memory serves correctly).

The opposite is Kanidm to AD/S4. This could be an alternative to our #1614 issue, where we could have a way to feed accounts to AD/S4 for the purposes of Windows/Samba integration. What would be important here is a way to feed these accounts with MFA, specifically if PIV certificates could be exposed for PKINIT. More research needed :)

@yaleman yaleman added the enhancement New feature or request label Mar 9, 2024
@yaleman
Member

yaleman commented Mar 9, 2024

You won't be able to directly auth against AD for SSO, we're not an authentication proxy - Kanidm is designed to be a replacement in an environment for AD.

Having said that, there is sync functionality available - which means you might be able to sync account details (but likely not credentials) though not directly addressing Active Directory at this time.

@Firstyear
Member

What they are asking for (in another channel) is the sync function.

@Gorian

Gorian commented Mar 9, 2024

🤔 How hard would it be to write a sort of interim migration tool that simply exports users from AD and then imports them into Kanidm? You'd just need a way to export the users, and a map of attributes, right?

@Firstyear
Member

That's the easy part here @Gorian - the hard part is AD doesn't expose userPassword hashes like LDAP does in winsync.

Because of that, it means that we then need to modify the kanidm auth session stack to be able to identify AD synced accounts, then proxy auth back to them via ldap. That requires some extra async to be added and a bunch of other fun.

With samba 4 it might be possible, because they aren't as strict as true AD with attribute storage, so it could be possible to make a sync account that can read it. But there also isn't any guarantee they have implemented the dirsync extension either because it's not a critical part of AD, but an optional extra.
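The "easy part" of the interim migration tool discussed above, as an added example that is not part of this thread or of Kanidm's code: it parses a constructed AD LDIF export, applies an assumed attribute map (sAMAccountName, displayName, mail, memberOf, userAccountControl) to a hypothetical Kanidm-shaped record, and makes the hard part explicit by never carrying credentials, since AD returns no password hashes over LDAP and every migrated account needs a new credential.

```python
# Added example (not Kanidm project code): map an AD LDIF export to Kanidm-shaped
# person records. The attribute map and output shape are assumptions; no
# credentials are carried because AD never exposes password hashes over LDAP.
import re

SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: AExample
displayName: Alice Example
mail: alice@example.test
memberOf: CN=Backup Admins,OU=Groups,DC=example,DC=test
memberOf: CN=Staff,OU=Groups,DC=example,DC=test
userAccountControl: 512

dn: CN=Bob Disabled,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: bdisabled
displayName: Bob Disabled
userAccountControl: 514
"""  # constructed sample export, not real directory data

UAC_ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled accounts

def parse_ldif(text):
    """Split a minimal LDIF export into per-entry dicts of multi-valued attrs."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(": ")
            current.setdefault(key, []).append(value)
        elif current:
            entries.append(current)
            current = {}
    return entries

def group_name_from_dn(dn):
    """'CN=Backup Admins,OU=...' -> 'backup_admins' (assumed naming rule)."""
    cn = re.match(r"CN=([^,]+)", dn, re.I).group(1)
    return re.sub(r"[^a-z0-9_]", "_", cn.lower())

def map_ad_user(entry):
    """Map one AD user to Kanidm-side attributes. Credentials are deliberately
    absent: AD returns neither unicodePwd nor NT hashes, so a reset is required."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return {
        "name": entry["sAMAccountName"][0].lower(),
        "displayname": entry["displayName"][0],
        "mail": entry.get("mail", []),
        "groups": [group_name_from_dn(g) for g in entry.get("memberOf", [])],
        "enabled": not (uac & UAC_ACCOUNTDISABLE),
        "credential_reset_required": True,
    }

def migrate(text):
    return [map_ad_user(e) for e in parse_ldif(text) if "user" in e.get("objectClass", [])]
```

The `enabled` flag is derived from userAccountControl so disabled AD accounts are not silently revived on the Kanidm side; the records still need a separate, credential-issuing import step that this example does not perform.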

Projects
Status: 📋 Backlog
Development

No branches or pull requests

4 participants