Active Directory sync or auth #2639
Comments
You won't be able to directly auth against AD for SSO, we're not an authentication proxy - Kanidm is designed to be a replacement in an environment for AD. Having said that, there is sync functionality available - which means you might be able to sync account details (but likely not credentials) though not directly addressing Active Directory at this time.
What they are asking for (in another channel) is the sync function.
🤔 How hard would it be to write a sort of interim migration tool that simply exports users from AD and then imports them into Kanidm? You'd just need a way to export the users, and a map of attributes, right?
That's the easy part here @Gorian - the hard part is AD doesn't expose userPassword hashes like LDAP does in winsync. Because of that, it means that we then need to modify the kanidm auth session stack to be able to identify AD synced accounts, then proxy auth back to them via ldap. That requires some extra async to be added and a bunch of other fun. With samba 4 it might be possible, because they aren't as strict as true AD with attribute storage, so it could be possible to make a sync account that can read it. But there also isn't any guarantee they have implemented the dirsync extension either because it's not a critical part of AD, but an optional extra.
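The "easy part" of the exchange above (export users from AD, map attributes, import into Kanidm) as an added, runnable example. This is not Kanidm's code nor code from anyone in the thread: it parses a constructed, ldifde-style LDIF export of two AD users, skips disabled accounts via the ACCOUNTDISABLE bit of userAccountControl, converts objectGUID from AD's mixed-endian byte order into a canonical UUID, and maps the remaining attributes onto an assumed Kanidm-side shape (name, displayname, mail, external_id). The sample LDIF, the group naming and the target attribute names are assumptions for illustration. The point the comment makes is visible in the output: the export carries no unicodePwd or userPassword value, so the mapped person has nothing credential-shaped to import.

```python
"""Map an AD LDIF export to Kanidm-style person entries.

Added example, not Kanidm project code. The LDIF below is constructed
to resemble `ldifde -r "(objectClass=user)"` output; note that AD never
returns unicodePwd or a userPassword hash over LDAP, so no password
attribute is present and none can be carried across.
"""
import base64
import json
import uuid

# Constructed sample export: one enabled user, one disabled user.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: alice
userPrincipalName: alice@corp.example
displayName: Alice Example
mail: alice@corp.example
userAccountControl: 512
objectGUID:: AQEBAQEBAQEBAQEBAQEBAQ==
memberOf: CN=Staff,OU=Groups,DC=corp,DC=example

dn: CN=Bob Disabled,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: bob
displayName: Bob Disabled
mail: bob@corp.example
userAccountControl: 514
objectGUID:: AgICAgICAgICAgICAgICAg==
"""

ACCOUNTDISABLE = 0x0002  # ADS_UF_ACCOUNTDISABLE bit in userAccountControl


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, leading-space
    continuation lines, and '::' for base64 values (returned as bytes)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # unfold continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def is_disabled(entry):
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return bool(uac & ACCOUNTDISABLE)


def ad_guid_to_uuid(guid_bytes):
    """objectGUID is stored in GUID (mixed-endian) byte order; bytes_le
    yields the same text form that AD tooling displays."""
    return str(uuid.UUID(bytes_le=guid_bytes))


def map_entry(entry):
    """Attribute map onto an assumed Kanidm person shape (illustrative)."""
    return {
        "name": entry["sAMAccountName"][0].lower(),
        "displayname": entry.get("displayName", entry["sAMAccountName"])[0],
        "mail": entry.get("mail", []),
        "external_id": ad_guid_to_uuid(entry["objectGUID"][0]),
        # Group RDN only; real mapping would resolve the full DN.
        "groups": [dn.split(",")[0].removeprefix("CN=")
                   for dn in entry.get("memberOf", [])],
        # Nothing in the export can populate this: AD does not expose
        # password hashes over LDAP, so credentials must be re-enrolled.
        "credentials": None,
    }


def migrate(ldif_text):
    """Return mapped person records for every enabled AD user in the export."""
    people = []
    for entry in parse_ldif(ldif_text):
        if "user" not in entry.get("objectClass", []):
            continue
        if is_disabled(entry):
            continue
        people.append(map_entry(entry))
    return people


if __name__ == "__main__":
    print(json.dumps(migrate(SAMPLE_LDIF), indent=2))
```

Running it prints one record (alice); bob is dropped because userAccountControl 514 has the disable bit set. Because `credentials` is always empty, an interim tool built this way creates accounts that still need a credential reset or MFA enrolment in Kanidm, which is exactly the gap the reply above describes.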
EDIT: Changed by @Firstyear on behalf of @phoenixbackups to better express the issue.
Allow synchronisation of accounts from AD/S4 with Kanidm. This may come in two flavours. The first is synchronisation of accounts from AD/S4 into Kanidm. The primary barrier here is how to retrieve ntlm hashes (if possible) from the directory as these are not stored in the partition (if my memory serves correctly).
The opposite is Kanidm to AD/S4. This could be an alternative to our #1614 issue, where we could have a way to feed accounts to AD/S4 for the purposes of Windows/Samba integration. What would be important here is a way to feed these accounts with MFA, specifically if PIV certificates could be exposed for PKINIT. More research needed :)