Hi,
I am a professional fire officer, and I am currently managing a Debian server in my fire brigade (Genova, Italy), hosting a couple of application Docker images.
I would like to simplify the management of this server, to allow other colleagues to help me out. I have been studying YunoHost for some time. It seems indeed a great solution: an easy UI for daily maintenance, and the flexibility of a real Linux distro.
But as we have ~600 users (firefighters…), I would like to keep using the same simple custom authentication mechanism we currently have: thanks to a Python script, username and password are checked by querying our SMTP server. This is a kind of poor man's SSO.
Reading the docs and the discussions, I learned that YunoHost has a local LDAP server, and currently cannot offer external authentication.
So I would like to try to adapt the YH authentication code as follows:
- The user enters username and password in the YunoHost login panel.
- YH calls an external custom script to check if the provided username and password are OK (in my case, this would be a simple query of our SMTP server).
- If username and password are OK: YH calls the local LDAP and checks if the user exists:
  - if the user exists in LDAP: YH updates the user password in the LDAP, and allows the authentication.
  - if the user does not exist in LDAP: YH adds the new user to the LDAP (username, email, and password, the rest is set to default), and allows the authentication.
- If username and password are not OK: YH calls the local LDAP and checks if the user exists:
  - if the user exists in LDAP: YH disables the user in LDAP (e.g. by scrambling the password), and rejects the authentication.
  - if the user does not exist in LDAP: YH does nothing, and rejects the authentication.
- If the external script fails (e.g. due to a network error): YH calls the LDAP and checks the provided username and password against the locally cached username and password.
  - if the user exists and the password is OK: YH allows the authentication (resilient when my SMTP is down!).
  - else: YH rejects the authentication.
This would be a very simple method for the YH team to offer the feature of external authentication with a foreign SSO (e.g. Google, Active Directory, …) to advanced YH admins.
IMHO this would be a great added value for YH, with very little maintenance burden for the YH team, because the external script is the responsibility of the admin.
Even if I am not a professional developer, I can try to start this little development and contribute a PR for your evaluation.
So, three questions before starting:
- Do you think this idea is reasonable/feasible? Or am I missing anything evident on this cold winter evening?
- If the previous answer is positive, I kindly ask you to quickstart me: where should I look in the YH codebase for user authentication?
- And, is anybody else interested in this feature and willing to discuss it a little more?
Thank you very much in advance,
Emanuele Gissi
(PS: I also like speaking and writing in French)
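The login flow sketched in the post above, written out as an added example (this is not YunoHost code and not the author's SMTP script). It assumes an in-memory stand-in for the local LDAP directory, a pluggable external checker that answers OK / REJECTED / ERROR, and a salted PBKDF2 hash for the cached password so the fallback path never needs a clear-text copy; all class and function names (`LocalDirectory`, `authenticate`, `make_fake_smtp_checker`, `demo`) are this example's own, and the SMTP accounts and outage flag are constructed test data.

```python
"""Added example: external-script authentication with a local LDAP-style cache.

Not YunoHost's code. The directory is an in-memory stand-in, and the "SMTP"
checker is a fake that can be switched into an outage to exercise the fallback.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional

PBKDF2_ROUNDS = 100_000  # assumption: any modern slow hash would do here


class ExternalResult(Enum):
    OK = auto()        # external service accepted username + password
    REJECTED = auto()  # external service answered "wrong credentials"
    ERROR = auto()     # external service unreachable or script crashed


# Hypothetical checker signature; the real one would query the SMTP server.
ExternalChecker = Callable[[str, str], ExternalResult]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored hash_password() value."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class LdapUser:
    username: str
    mail: str
    password_hash: str


@dataclass
class LocalDirectory:
    """Stand-in for the local LDAP server (in-memory, constructed)."""
    users: Dict[str, LdapUser] = field(default_factory=dict)
    mail_domain: str = "example.org"  # assumption: default mail suffix for new users

    def get(self, username: str) -> Optional[LdapUser]:
        return self.users.get(username)

    def upsert(self, username: str, password: str) -> None:
        """Create the user with defaults, or refresh the cached password."""
        user = self.users.get(username)
        if user is None:
            self.users[username] = LdapUser(
                username, f"{username}@{self.mail_domain}", hash_password(password))
        else:
            user.password_hash = hash_password(password)

    def disable(self, username: str) -> None:
        """'Scramble the password': replace it with a random unguessable one."""
        user = self.users.get(username)
        if user is not None:
            user.password_hash = hash_password(secrets.token_urlsafe(32))


def authenticate(directory: LocalDirectory, check_external: ExternalChecker,
                 username: str, password: str) -> bool:
    """The decision logic from the post: external check first, cache as fallback."""
    result = check_external(username, password)
    if result is ExternalResult.OK:
        directory.upsert(username, password)      # create or refresh the cache entry
        return True
    if result is ExternalResult.REJECTED:
        directory.disable(username)               # no-op when the user is unknown
        return False
    # ExternalResult.ERROR: the SMTP side is down, so trust the cached hash only
    user = directory.get(username)
    return user is not None and verify_password(password, user.password_hash)


def make_fake_smtp_checker(accounts: Dict[str, str], outage: Dict[str, bool]) -> ExternalChecker:
    """Constructed stand-in for the SMTP AUTH query; outage['down'] simulates a network error."""
    def check(username: str, password: str) -> ExternalResult:
        if outage.get("down"):
            return ExternalResult.ERROR
        if accounts.get(username) == password:
            return ExternalResult.OK
        return ExternalResult.REJECTED
    return check


def demo() -> List[bool]:
    """Walk the flow through its branches; returns the per-attempt outcomes."""
    accounts = {"mario": "hose-ladder-7"}        # constructed test data
    outage = {"down": False}
    directory = LocalDirectory()
    check = make_fake_smtp_checker(accounts, outage)
    outcomes = []
    outcomes.append(authenticate(directory, check, "mario", "hose-ladder-7"))  # SMTP up, OK: user created
    outage["down"] = True
    outcomes.append(authenticate(directory, check, "mario", "hose-ladder-7"))  # SMTP down: cached hash matches
    outcomes.append(authenticate(directory, check, "mario", "wrong"))          # SMTP down: cached hash rejects
    outage["down"] = False
    outcomes.append(authenticate(directory, check, "mario", "wrong"))          # SMTP up, rejected: cache scrambled
    outage["down"] = True
    outcomes.append(authenticate(directory, check, "mario", "hose-ladder-7"))  # SMTP down: scrambled cache rejects
    outcomes.append(authenticate(directory, check, "ghost", "x"))              # unknown user, no cache entry
    return outcomes


if __name__ == "__main__":
    print(demo())
```

One behaviour worth noticing when running `demo()`: the fourth attempt (a wrong password while the SMTP server is reachable) scrambles the cached hash, so the fifth attempt with the correct password fails during the outage. In this model the scrambling step is triggered by whoever submits the login form, not by the account owner, so a single mistyped password removes that user's offline fallback until the next successful external check; whether that trade-off is acceptable for ~600 users on a shared login page is a decision the script author would want to make explicitly.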