IG: I am using OpenLDAP with my users using the basics of
inetorgperson.schema  

   

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema


Not to say I cannot use another; I just have my users generated with the
basics to authenticate in PAM or otherwise, with a good selection of MOSTLY
unused fields. I would not mind using a specific schema for my accounts to
pare down the fields, but it would be good to support mappings from
inetorgperson as well, because it is fairly common for authentication info.

   

Comments regarding below:  

1a) If [some new config option] is set, and no user exists in LDAP for a user
who already has a Citadel account, delete the Citadel account. (This could be
done manually, but it would be nice to have the option for Citadel to do its
own housekeeping.) This could have a time where it is posted for purging, but
if the account shows back up in LDAP and the user authenticates properly, then
the purge is cancelled. Just an idea, probably not a good one, but an idea.

2) Yes, assuming this is at Citadel login (post successful authentication).

3) Yes - although I can see this being touchy if the directory does not allow
anonymous queries. Might need to make sure there is proper TLS support for
LDAP in general if the password needs to go over the line. Many would run
LDAP behind a firewall, but not always.  

4) Is this assuming that open registration is enabled? As it is now, users do
not log in with an email address, but I guess for an open system, it is
possible. I am not entirely sure what the purpose would be. If someone has an
LDAP account, they wouldn't usually use anything except their login uid for
authentication (but I guess it could happen). More details on what you are
thinking?  

   

It would be good to have either (/ both) a way to map fields to vcard info,
no matter what the schema used, as long as certain basic fields are
identified and/or a special schema with all the basics in place for direct
mapping info. I will try to map out my thoughts:  

1. UID _________________ ( with the blank being a user editable field which
is the entry in the LDAP directory )  

2. EMAIL ________________   

3. NAME _________________   

4. LAST __________________   

5. ADDRESS ________________   

etc...  

So then when the system polls the LDAP for the initial card creation and
account creation, the admin / aide can control what info gets injected where.
It would be good as well to have a field which is the citadel-account-format
where you can take each of these fields (on the citadel side this time) and
map out how the UserName / local account name is generated.  

   

So you would have a field with an index of available %uid %fname etc. and be
able to construct %uid@%domain or %lname_%fname etc. As it is, I have
accounts which I like to reference by their username, but the default email
format as was patched in by Harry Coin was to default to First_Last@ which we
never use. It would be good to not force a default based on personal
preference from a software side. Let the admin choose.

With LDAP, we also need to include a way of generating a user list for room
permissions and invite lists, so that you can use the dropdown list to invite
people to a room who are LDAP members. We currently have no method to do this
without taking the GAB entry and stripping out the email address from it.


   

I could go on, but I would like to know how this sounds.  

>  Mon Aug 28 2017 07:20:32 PM EDT from IGnatius T Foobar @ Uncensored 
>Subject: Re: LDAP / Cit-NG
>
>    
>bennabiy: question for you! 
>
>I know you're using LDAP on your system, but which LDAP server and what does
>the schema look like? If we're going to pull email addresses in from LDAP at
>account creation time, I need to know where to pull them from. I'm guessing
>you're using OpenLDAP or 389-Directory-Server, and maybe the RFC-whatever
>schema? I have to admit, the fact that you were able to configure email
>addresses from the directory server and that it worked was kind of an
>accident :) 
>
>I'm running Active Directory on my development system, so it's likely that
>we will have different schemas, and I need to make sure we can work either
>way. I'm rebuilding my dev system now to point to the directory this time. 
>
>Here's what I'm thinking: 
>
>1. As always, when someone logs into an LDAP-enabled Citadel server, create
>the account if needed. 
>2. New: if [some new config option] is set, scan the LDAP account for email
>addresses which match valid Citadel domains, and set those in the account. 
>3. New: if [some new config option] is set, do the same for every account
>automatically from time to time (nightly? hourly? when asked?) 
>
>And as a possible feature: 
>
>4. Possible: if someone tries to log in using an email address that does not
>exist, scan LDAP and create the account. 
>
>I'm not sure how/if that last feature would work, though. 
>
>Let me know what you think; I'm starting to get this thing spun up again. 
>
>  
>
>  
