LDAP/Active Directory support
Scope
Users without LDAP accounts (or with inactivated accounts) should not be allowed to log in to Passit.
Research
- One method is to build directory sync tools; Bitwarden does it this way. This isn't feasible for us because of the very high level of effort and the limited ability of such tools to work with any given LDAP server.
- LastPass uses a Windows/AD-only client. Supporting only Windows users is obviously undesirable.
- We could require two passwords to log in: a user would authenticate to LDAP and then authenticate again to decrypt their Passit data. "Remember me" features would make this tolerable; however, it may encourage users to reuse the same password for both, which reduces their security.
- We could use their LDAP password for decryption. We almost certainly don't want to do this, as it defeats the security model (the server would see the password that protects the encrypted data). If there were a safe way to reuse the typed-in password for both LDAP and decryption that would be ideal, but it's probably impossible.
- Would/could we support app.passit.io, or would this be self-hosted only? GitLab, for example, does NOT support LDAP on gitlab.com.
- Could we sync user accounts with LDAP and not have individual users authenticate against LDAP? This would meet the goal of removing users who get inactivated in LDAP. It would not meet the goal of forcing all users to authenticate via LDAP (is that a common requirement?).
Follow up
- Should sync users via a Celery task (so that users who stay logged in via "remember me", and therefore never hit a login-time check, still get deactivated)
- A better admin dashboard
- Support for app.passit.io
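A sketch of the periodic sync from the follow-up list, as an added example and not Passit's own code: it takes directory entries (assumed to be Active Directory, using the sAMAccountName and userAccountControl attributes), deactivates local users that are missing or disabled in the directory, and clears their "remember me" sessions so a persistent login cannot outlive the directory account. The LDAP search, the task scheduling and the user model are assumptions that stand in for the real ones.

```python
# Added example (not Passit project code): an LDAP-to-Passit user sync that
# deactivates local accounts whose directory entry is missing or disabled.
# Directory entries and local users are constructed stand-ins for the real ones.
from dataclasses import dataclass, field

# Active Directory userAccountControl bit that marks a disabled account.
ACCOUNTDISABLE = 0x0002

@dataclass
class LocalUser:
    username: str
    is_active: bool = True
    sessions: list = field(default_factory=list)  # persistent "remember me" sessions

def ldap_active_usernames(entries):
    """Return the usernames that are present and enabled in the directory.
    `entries` is a list of dicts carrying the AD attributes sAMAccountName and
    userAccountControl; other LDAP servers expose different attribute names."""
    active = set()
    for entry in entries:
        if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            continue  # the account exists but is disabled in the directory
        active.add(entry["sAMAccountName"].lower())
    return active

def sync_users(local_users, ldap_entries):
    """Deactivate local users that are absent or disabled in LDAP and revoke
    their sessions, so a long-lived "remember me" login cannot outlive the
    directory account. Returns the usernames deactivated on this run."""
    active = ldap_active_usernames(ldap_entries)
    deactivated = []
    for user in local_users:
        if user.username.lower() in active or not user.is_active:
            continue
        user.is_active = False
        user.sessions.clear()  # invalidate persistent logins as well
        deactivated.append(user.username)
    return deactivated

# Constructed sample data: carol is disabled in AD (512 | 2), dave has been removed.
SAMPLE_LDAP = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "Bob", "userAccountControl": 66048},
    {"sAMAccountName": "carol", "userAccountControl": 514},
]

if __name__ == "__main__":
    users = [LocalUser("alice", sessions=["s1"]), LocalUser("bob"),
             LocalUser("carol", sessions=["s2"]), LocalUser("dave")]
    print(sync_users(users, SAMPLE_LDAP))  # ['carol', 'dave']
```

Local-only accounts such as a break-glass administrator would need to be excluded from the sync before running it against a real user table.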
Original report
First of all, I like the project. But the missing feature, which is why we don't use it at work, is that it lacks integration with LDAP. I don't know if that would fit in the current model, but it would be nice.
Edited by David Burke