
Proposition to improve Teampass and LDAP authentication restriction #69

Closed
patricklbs opened this issue Mar 24, 2012 · 4 comments

Comments

@patricklbs

Nils, I'd like to offer you a small change to your code.
Let me explain the problem and the solution a friend and I found to work around and solve it.

Problem:

Authenticating users with passwords stored in an LDAP directory (Active Directory), while restricting access to a specific users OU so that not everyone can connect to the application.

The current Teampass LDAP solution works, but it does not match our need, because every user in the AD directory can connect to Teampass, which can be problematic.

The PHP LDAP functions used in the application come from a development based on the adLDAP PHP script.
After studying how these different classes are used, it appears to be impossible to implement restriction by OU. The classes allow browsing Active Directory, changing passwords, adding a user, etc., but not restricting access by OU or by group. Only an adapted script could provide a solution.

http://adldap.sourceforge.net/

To work around the impossibility of restriction by OU, I decided to restrict access to users who exist in the Teampass database only. If the user is not in the database, he is rejected even though Active Directory has already accepted him: the application rejects the user.

You can see what happens at this link, where I have put the change and an explanatory video.
I hope to participate in and improve your excellent application, and above all that it can be useful to others; in any case, it serves us well.

http://www.informaddict.net/teampass-et-ldap/

Sincerely yours,
Patrick.

@nilsteampassnet
Owner

Hello Patrick,

Many thanks for your explanations and details, very interesting.
Actually TP uses the adLDAP library for the LDAP connection ... but it is an old version. I've seen that the current one is 4.0.3.

I really like your work, and it makes me think that I should develop a kind of "extensions manager".

With your permission, I would like to add it in the TP webpage.

Thanks

Nils

@patricklbs
Author

Nils, yes, there is no problem, you have my consent. We are pleased to participate in your project.

Patrick.

@Raboo

Raboo commented Apr 9, 2013

Well, in my opinion you should not only be able to restrict users of certain OUs (AD groups) for the whole of Teampass. You should also be able to restrict or auto-assign users of AD groups to specified TP roles.
Because let's say you have team DEV and team OPS.
DEV should only be able to access DEV role passwords and not OPS.
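Raboo's request above (restrict by OU or group, and map AD groups to TP roles) and Patrick's workaround earlier in the thread (only users already present in the Teampass database may log in) are all authorization decisions taken after AD has verified the password. The Python below is an added example, not Teampass or adLDAP code, showing those three checks side by side on constructed sample entries; the domain example.com, the groups TP-Dev and TP-Ops, the role names and the accounts are made up for the illustration. It also shows why the OU check must compare parsed RDNs rather than raw strings: an admin-typed base DN with spaces or different case, or a CN containing an escaped comma, breaks a plain string comparison.

```python
"""Post-bind authorization for LDAP / Active Directory logins.

Added illustration, not Teampass or adLDAP code. It assumes the application
has already bound to AD with the user's own credentials and fetched the user's
distinguishedName and memberOf attributes; all data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalised (attribute, value) pairs, leaf RDN first.

    Honours backslash escapes so 'CN=Smith\\, John' stays one RDN, strips the
    whitespace admins type after commas, and lower-cases both sides because AD
    DN matching is case-insensitive. Not a full RFC 4514 parser (multi-valued
    RDNs and hex escapes are out of scope).
    """
    parts: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


def dn_is_under(dn: str, base: str) -> bool:
    """True if dn sits inside base at any depth, compared RDN by RDN."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def naive_ou_check(dn: str, base: str) -> bool:
    """The raw string comparison one is tempted to write; kept for contrast."""
    return dn.endswith(base)


@dataclass
class Policy:
    allowed_ou: str | None          # None disables the OU restriction
    group_roles: dict[str, str]     # AD group DN -> Teampass role name
    require_local_account: bool     # Patrick's approach: user must pre-exist in TP


@dataclass
class LdapUser:
    sam_account_name: str
    dn: str
    member_of: tuple[str, ...]


def authorize(user: LdapUser, policy: Policy,
              local_accounts: tuple[str, ...]) -> tuple[bool, frozenset[str], str]:
    """Decide access after AD has already verified the password.

    Returns (allowed, roles, reason). The bind proved the password; these
    checks only decide who gets in and with which roles.
    """
    if policy.require_local_account and \
            user.sam_account_name.lower() not in {a.lower() for a in local_accounts}:
        return False, frozenset(), "authenticated by AD but not provisioned in Teampass"
    if policy.allowed_ou is not None and not dn_is_under(user.dn, policy.allowed_ou):
        return False, frozenset(), "user DN is outside the permitted OU"
    roles = frozenset(role for group_dn, role in policy.group_roles.items()
                      if any(dn_equal(group_dn, m) for m in user.member_of))
    if policy.group_roles and not roles:
        return False, roles, "no AD group maps to a Teampass role"
    return True, roles, "ok"


# Constructed sample data: hypothetical domain, groups and accounts.
POLICY = Policy(
    allowed_ou="OU=Staff, DC=example, DC=com",           # spaces on purpose
    group_roles={
        "CN=TP-Dev,OU=Groups,DC=example,DC=com": "DEV",
        "cn=tp-ops,ou=groups,dc=example,dc=com": "OPS",   # case differs on purpose
    },
    require_local_account=False,
)
LOCAL_ACCOUNTS = ("alice", "bob")
USERS = {
    "alice": LdapUser("alice", "CN=Alice,OU=Dev,OU=Staff,DC=example,DC=com",
                      ("CN=TP-Dev,OU=Groups,DC=example,DC=com",)),
    "jsmith": LdapUser("jsmith", "CN=Smith\\, John,OU=Staff,DC=example,DC=com",
                       ("CN=TP-Ops,OU=Groups,DC=example,DC=com",)),
    "mallory": LdapUser("mallory", "CN=Mallory,OU=Contractors,DC=example,DC=com",
                        ("CN=TP-Dev,OU=Groups,DC=example,DC=com",)),
    "carol": LdapUser("carol", "CN=Carol,OU=Staff,DC=example,DC=com", ()),
}


def run_demo() -> dict[str, tuple[bool, frozenset[str], str]]:
    return {name: authorize(u, POLICY, LOCAL_ACCOUNTS) for name, u in USERS.items()}


if __name__ == "__main__":
    for name, (ok, roles, reason) in run_demo().items():
        print(f"{name:8} {'ALLOW' if ok else 'DENY':5} roles={sorted(roles)} ({reason})")
    # The naive check rejects Alice only because of the spaces in the typed base DN.
    print("naive check on alice:", naive_ou_check(USERS["alice"].dn, POLICY.allowed_ou))
```

In a real integration the DN and memberOf values come from the bind and search responses, and nested group membership needs a recursive search or AD's tokenGroups attribute, neither of which this example attempts. Mallory is denied because her DN is under OU=Contractors even though she is in the TP-Dev group, and Carol is denied because no group of hers maps to a role; with `require_local_account=True` John Smith would additionally be turned away because he is not in the Teampass user table, which is exactly Patrick's workaround.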

@jekader

jekader commented Apr 25, 2013

I also think it would be great to somehow map LDAP groups to TP roles. Hopefully someone will send a patch that implements this functionality.

I will also check out the new feature from this thread (as I understood, it is included in 2.1.17). Currently, in my installation, anyone with a valid LDAP user can connect to Teampass, although if he has no roles he will see 0 passwords, which is good enough for me.
