Open
Description
Good day!
I am using devicehub with AUTH_TYPE=auth-ldap, so my current command to start it is below:
```shell
stf auth-ldap \
  --port 3000 \
  --ldap-url "ldap://ldap.example.com:389" \
  --ldap-bind-dn "uid=devicehub_ldap,cn=users,dc=example,dc=com" \
  --ldap-bind-credentials "<password for devicehub_ldap>" \
  --ldap-search-dn "cn=users,dc=example,dc=com" \
  --ldap-search-filter "memberOf=cn=devicehub,cn=groups,dc=example,dc=com" \
  --ldap-search-field "uid" \
  --app-url "https://devicehub.example.com" \
  --secret=nosecret
```
where devicehub_ldap is a user in ldap with read permissions in ldap, and devicehub is a group whose users can log into devicehub.
With this authentication scheme, all users in the ldap devicehub group will receive user rights and there will be no way to grant admin rights.
Maybe improve the launch of stf auth-ldap in such a way that it becomes possible to map a group in LDAP to the corresponding role (admin or user). I mean the following:
```shell
stf auth-ldap \
  --port 3000 \
  --ldap-url "ldap://ldap.example.com:389" \
  --ldap-bind-dn "uid=devicehub_ldap,cn=users,dc=example,dc=com" \
  --ldap-bind-credentials "<password for devicehub_ldap>" \
  --ldap-search-dn "cn=users,dc=example,dc=com" \
  --ldap-auth-roles-mapping "cn=devicehub,cn=groups,dc=example,dc=com: ['user'];cn=devicehub_admin,cn=groups,dc=example,dc=com: ['admin']" \
  --ldap-search-field "uid" \
  --app-url "https://devicehub.example.com" \
  --secret=nosecret
```
or
```shell
stf auth-ldap \
  --port 3000 \
  --ldap-url "ldap://ldap.example.com:389" \
  --ldap-bind-dn "uid=devicehub_ldap,cn=users,dc=example,dc=com" \
  --ldap-bind-credentials "<password for devicehub_ldap>" \
  --ldap-search-dn "cn=users,dc=example,dc=com" \
  --ldap-search-filter "memberOf=cn=devicehub,cn=groups,dc=example,dc=com" \
  --ldap-admins-search-filter "memberOf=cn=devicehub_admin,cn=groups,dc=example,dc=com" \
  --ldap-search-field "uid" \
  --app-url "https://devicehub.example.com" \
  --secret=nosecret
```
P.S. It would also be nice if there were a way to work via LDAPS instead of LDAP. As far as I understand, LDAPS is not supported.
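The group-to-role mapping requested in the first variant above, as an added example that is not part of this issue or of the devicehub/STF code base. It assumes the `--ldap-auth-roles-mapping` value format shown in the issue (`<group DN>: ['role'];...`), the two STF roles named there (`user` and `admin`), and that the LDAP search returns the user's `memberOf` attribute; DNs are normalised before comparison so case and whitespace differences between the directory and the configured string do not silently deny (or grant) access, and a user in no mapped group resolves to no role, i.e. deny by default.

```javascript
// Added example, not STF/devicehub code. Resolves an STF role (user/admin)
// from a user's LDAP group memberships using the proposed mapping syntax.

// Roles STF knows about, as named in the issue (assumption).
const KNOWN_ROLES = ['user', 'admin'];

// Normalise a DN for comparison: attribute types are case-insensitive and
// whitespace around RDN separators is not significant. Values are lowered
// too, which matches typical directory schemas (caseIgnore matching rules).
function normalizeDn(dn) {
  return dn.split(/\s*,\s*/).map(rdn => rdn.trim().toLowerCase()).join(',');
}

// Parse "dn: ['user'];dn: ['admin']" into Map<normalised DN, Set<role>>.
// Unknown roles or malformed entries fail fast at startup rather than at login.
function parseRolesMapping(spec) {
  const mapping = new Map();
  for (const entry of spec.split(';')) {
    if (!entry.trim()) continue;
    const m = entry.match(/^\s*(.+?)\s*:\s*\[(.*)\]\s*$/);
    if (!m) throw new Error(`Bad mapping entry: ${entry}`);
    const roles = m[2].split(',')
      .map(r => r.trim().replace(/^['"]|['"]$/g, ''))
      .filter(Boolean);
    for (const role of roles) {
      if (!KNOWN_ROLES.includes(role)) throw new Error(`Unknown role: ${role}`);
    }
    const dn = normalizeDn(m[1]);
    if (!mapping.has(dn)) mapping.set(dn, new Set());
    roles.forEach(r => mapping.get(dn).add(r));
  }
  return mapping;
}

// Resolve the effective role from the memberOf values of the LDAP entry.
// Returns null (deny) when no mapped group matches; admin wins over user.
function resolveRole(mapping, memberOf) {
  const granted = new Set();
  for (const groupDn of [].concat(memberOf || [])) {
    const roles = mapping.get(normalizeDn(groupDn));
    if (roles) roles.forEach(r => granted.add(r));
  }
  if (granted.has('admin')) return 'admin';
  if (granted.has('user')) return 'user';
  return null;
}
```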