Introduce ADR #1042
Introduce ADR #1042
Conversation
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Alex Unger <6905948+refs@users.noreply.github.com>
so embarrassing. Thx @phil-davis Co-authored-by: Phil Davis <phil@jankaritech.com>
| - Single binary: admin can manage users, groups and roles using the built in web ui (glauth) | ||
| - External LDAP: OCIS admin needs to use existing tool to manage users | ||
| - Separate OCIS and LDAP admin: OCIS admin relies on the LDAP admin to manage users | ||
|
|
There was a problem hiding this comment.
What about the two LDAP servers scenario, where we use the customers LDAP for internal users and another one (GLAuth?) for guest accounts? Might even make sense to have the web ui for disabling guest users...
There was a problem hiding this comment.
GLauth already has a primary and fallback backend. The chain can easily be extended to multiple backends. login and single user properties can even be made in parallel. The only challenge is merging results when searching recipients in multiple ldap servers, but since 1000 results are not helpful for users we can limit the page size to 10 per ldap. Furthermore, multiple ldap servers indicate larger deployments where user lookup via ldap is restricted to exact matches, eg. the full email. In these cases merging becomes trivial again.
We may want to cache these queries anyway in order not flood ldap servers with lookup requests.
There was a problem hiding this comment.
We decided to make multiple LDAP servers possible through an additional service which works as a connector to multiple LDAP servers and exposes their user information via the GraphAPI
There was a problem hiding this comment.
I would summarize the two comments to "GLAuth abstracts multiple LDAP servers that might exist into one that looks like one to the consumer. A GraphAPI will be provided to interact with GLAuth to manage guest users (for that, at least one of the LDAPs must be read/write)".
Thoughts:
- The GLAuth must somehow expose if it allows write ops to create or edit (Guest-) Users or not.
| - Separate OCIS and LDAP admin: OCIS admin relies on the LDAP admin to manage users | ||
|
|
||
| ### Resulting technical implications | ||
| - add graphapi to glauth so the ocis web ui can use it to manage users |
There was a problem hiding this comment.
I thought the web ui should move to GLAuth? Embedding it in oC Web could be done by wrapping it into an oC Web extension (need to check if that's possible. I don't want an iframe solution).
There was a problem hiding this comment.
We may not be able to theme the glauth web ui as we like it. Also the tight integration we have in the current implementation is awesome / slick. We need to embed glauth anyway. The first step would be to treat the current accounts service as the drop in ldap server with a web ui to manage users. It would mean merging ocis-accounts and ocis-glauth.
The next step would be to add the graph api to glauth. then we can build a web ui that uses glauth to manage accounts.
This accounts-management service would be a web ui to manage accounts via the graph api. It could be part of glauth or we use an embedded, tightly integrated version for ocis-web that follows our theme.
The final step would be a graphapi implementation that is backed by a real ldap server. I'd put that into glauth because it already has several backends. Having a graphapi <-> ldap proxy would fit GLauth I think.
But in order to have a truly embeddable web ui I think glauth shoul start with the graph api. It can then have a web ui or projects that want to embed it can build the ui in the way they want. The kopano guys @fbartels @longsleep might want to use react to embed it into konnectd.
There was a problem hiding this comment.
added as a bullet point, because I agree: keep the ui in GLAuth
|
|
||
| ### Resulting technical implications | ||
| - add graphapi to glauth so the ocis web ui can use it to manage users | ||
| - make graphapi service to directly talk to an LDAP server so our web ui can use it |
There was a problem hiding this comment.
I don't get this one 😅 we don't want to bypass LDAP admins. Thought that the web ui for user management is only supposed to be used in case we have GLAuth as LDAP replacement.
There was a problem hiding this comment.
The Basic idea is the following: We don't need write access via the LDAP protocol when a IDM would have a second interaction point via the GraphAPI.
We can imagine quite a lot of scenarios, where e.g. the provisoining of guest users in the IDM would happen via a public http api endpoint.
There was a problem hiding this comment.
ah but we learned that for small scale deployments some admins actually prefer a simple ui ... 🤷
If the web ui is self contained, having it in glauth should be fine. I don't want to build the next keycloak ...
There was a problem hiding this comment.
I thought that even the super-duper LDAP is covered by a thin layer of GLAuth?
There was a problem hiding this comment.
Why would a customer give us write access via GraphAPI when they don't want to give us write access via LDAP? 🤔 I thought about the web ui as an option to provide easy to use read/write access for the GLAuth tiny setup use case. As in the 5 people company that doesn't have an actual LDAP, the family who want to handle their photos and the like. Why would we want to build an accounts web ui for Siemens? They have their own tools for user management.
There was a problem hiding this comment.
GLAuth cannot write to an ldap server, it can only write to other backends.
Reworded the list
Co-authored-by: Benedikt Kulmann <benedikt@kulmann.biz>
|
Kudos, SonarCloud Quality Gate passed!
|
|
it is madr ... so markdown ... we should be able to embed |
|
@micbar maybe we can manage the docs generation with our normal docs pipeline? |
|
@butonic yes. First merge it. Then hook it up to hugo. |
| - Single binary: admin can manage users, groups and roles using the built in web ui (glauth) | ||
| - External LDAP: OCIS admin needs to use existing tool to manage users | ||
| - Separate OCIS and LDAP admin: OCIS admin relies on the LDAP admin to manage users | ||
|
|
There was a problem hiding this comment.
I would summarize the two comments to "GLAuth abstracts multiple LDAP servers that might exist into one that looks like one to the consumer. A GraphAPI will be provided to interact with GLAuth to manage guest users (for that, at least one of the LDAPs must be read/write)".
Thoughts:
- The GLAuth must somehow expose if it allows write ops to create or edit (Guest-) Users or not.
|
|
||
| ### Resulting technical implications | ||
| - add graphapi to glauth so the ocis web ui can use it to manage users | ||
| - make graphapi service to directly talk to an LDAP server so our web ui can use it |
There was a problem hiding this comment.
I thought that even the super-duper LDAP is covered by a thin layer of GLAuth?
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Benedikt Kulmann <benedikt@kulmann.biz>
We will keep track of Architectual Decision Records using Markdown in
/docs/adr.This PR adds three ADRs which @micbar, @dragotin, @hodyroff, @pmaier1, @IljaN and I were discussing today.