LDAP Authentication way past due

First I’d like to thank you guys for Diaspora and all of the developer contributions. I have nothing but praise for the Diaspora Project, but LDAP authentication is way past due.

I drop by the IRC channel every once in a while and I ask about LDAP authentication and I am greeted with a bit of reticence each time. I was told by a developer that none of the developers have the environment so it’s not really a priority.

I was also told that I should implement it myself, as if LDAP is of very little consequence…like LDAP was some special feature that only I had a use case for. I actually did implement LDAP on my private pod, which is running to this day, but the code can’t be updated because it breaks it.

Why isn’t LDAP auth on the roadmap for Diaspora? Mind you, I don’t know Ruby, but I got my pod to authenticate via LDAP and grab the user’s picture from the directory also. I almost got it working again with 0.3.0.3 and I’ll eventually succeed; it’s a lot of work for something that frankly should already be there. I can’t/won’t open my pod up for registrations without LDAP authentication.

Diaspora would be running in a lot of schools, companies and large user environments. Even MediaGoblin has LDAP support via python-ldap; it’s just what you expect. Diaspora adoption and code contributions would definitely skyrocket if LDAP authentication were there.

At this late date in the project, why is it not implemented yet? Most importantly, do you guys not think that LDAP authentication and third-party authentication support is critical?

Thanks,

Bryan


Note: This discussion was imported from Loomio.

LDAP is great, just as you said. But most developers here don’t have the environment or the experience to create a connection to Active Directory. LDAP is definitely a feature for companies, universities, schools and other organisations. The current userbase of diaspora is driven by freedom-lovers. So LDAP support would open diaspora up for a new kind of diaspora users and developers, but the current developers have enough to do with different stuff like federation-fixing.

Hi Bryan.

Most importantly, do you guys not think that LDAP authentication and third-party authentication support is critical?

I can’t speak for others, but no, I don’t think it’s critical in the slightest. Sure, it’s a “nice to have” feature, but to my knowledge yours is the only ever request for LDAP support within Diaspora.

In terms of roadmap, a feature with such little demand would probably not even make it onto the roadmap.

I understand where you’re coming from; we run message forums on our corporate network here for thousands of users via LDAP and frankly I’d be lost without it, but in terms of Diaspora I just don’t see the demand for it (in terms of actual requests).

If you’ve been able to get LDAP auth working with D* in the past, that’s one hell of an achievement and you’re to be congratulated for it - even more so if you can get it working with 0.3.0.x - how about a blog post detailing your experiences and what’s required to accomplish the support?

I’m said developer and I still stand by that point.

There’s no core contributor using LDAP; if we implement support for it in the core code we’d need an environment to verify it still works as development goes on. This simply does not exist. We dropped other deployment specifics and methods for this very reason, one example being Capistrano support. Even OpenShift support is maintained in a separate repository by me.

In my almost four years contributing to diaspora I’ve seen three or four requests for LDAP support. Implementing LDAP support actually isn’t much effort for a somewhat experienced Rails developer, given that there are plugins for our authentication framework. As said, we just don’t have a test environment for it, nor do any of the core members have personal motivation to maintain it. If it really is that much of a needed feature, why don’t we have a steady contributor maintaining it?

Therefore I also don’t see the high potential in the additional user base that you see.

@bryan, if you have made it for your own pod, why not contribute it to diaspora* upstream? We’re all contributing in our spare time and extra developers are always welcome.

I’m sure a well made LDAP authentication implementation would be welcome if someone did it. As Jonne said, no one has, so it doesn’t exist.

I’d only welcome it upstream if you can guarantee to also maintain it upstream though. I’m repeating myself, but nobody currently contributing to upstream does, so it’ll go stale and will just be dropped then.

Is there any possibility to modularize authentication?
If it’s decoupled from the core Diaspora* source code, it will be easier for external developers to add whatever authentication scheme they want (OpenID, LDAP, Kerberos, CAS…).

It’s already pretty much decoupled; we use Devise, which is an authentication framework for Rails. There are several plugins for it, and yes, there’s one for LDAP.

Perhaps @bryan could open-source his LDAP implementation so other podmins could install it, and other developers could contribute to it. Maybe it could be made as some kind of plugin.

That’s what I said; I see maintaining such functionality in a fork as the solution, as I do for OpenShift support, for example.

@macieklozinski my so-called “implementation” is not closed source; also, it’s not nice to insinuate such a selfish act. It was an awful hack that I just so happened to get working. I repeat…I do not know Ruby, nor did I really attempt to learn it while I made it work.

So this you can’t quite call an implementation or a “solution”. It was a fix, which worked back when the code was at commit 4006c1502edd04cd4f7e4b48dc2c1681f96437e0, i.e. March 2012.

Me having to argue the point about this being in the core of D* is like having to convince a hotdog vendor to sell buns with the hotdogs!

Yet I am currently trying again and I’ll get it to work, but perhaps not before the deadlines by which I’d like to have my pod up. Once I get it working again I’ll make sure to post it somewhere. That doesn’t mean that everyone will just be able to use it seamlessly as I hoped, but at least it can be referenced.

Bryan

Sorry, @bryan. I didn’t know that your solution was already open source.

Fun fact: adding some lines to AGPL code will always be an open-source changeset because of the strong copyleft of the (A)GPL.

I totally agree with Bryan. LDAP Authentication way past due!

FWIW: Libertree implemented LDAP auth upon request. It’s neither difficult nor a maintenance burden (I personally don’t use LDAP on my server). For keeping it working there are tests, and there are usually no changes made to the authentication code that would break this.

There are very simple-to-use LDAP servers out there, such as 389 Directory Server.

Libertree isn’t using Devise for auth, but you are free to check out our code and take whatever you like.

I’d vote for merging LDAP in, BUT someone needs to do the code. Endlessly requesting someone to do it will not make it happen :slight_smile:

Could this be a part of a bigger project? I mean: let people have different ways to authenticate? E.g.: would a Mozilla Persona authentication mechanism be difficult or exhausting to maintain?

Previous discussion about Persona

Ah! Sorry! Didn’t know!

@augier no need to be sorry :smiley: Just pointing out that there is already a discussion about it :slight_smile: