Well, I have access to local LDAP and benefits that you state (mixing
users/groups) are in place but:
1. I would like to provide users with SSO funcionalities for web interface
2. I would like to authenticate other users that come from federation
3. I would like to avoid storing SSO credentials locally
4. I don't want to mess with another authentication mechanism (LDAP) if
not necessary
I believe that password/token solution for sync clients for users that
are using any of external auth mechanisms would be a good choice.
Yes, it's a two passwords problem, but minority of my users will use
sync-client and you don't configure sync-client every day..
And in addition, I think there should be a configuration option to allow
or not the usage of local passwords for web interface when external
authentication is enabled.
Regarding point 3. - sync-client password in
~/.local/share/data/ownCloud/owncloud.cfg is base64 encoded.
# echo -n 'QmFkIGd1eXMgY2FuIHJlYWQgbXkgcGFzc3dvcmQhIDop' | base64 -d
Regards,
--
alen
On 06/26/2013 02:22 PM, Tornóci László wrote:
Most of my users are employees of my university. We also have a
federated auth system like you, but the federation just provides a
"where are you from" service, and the IdP-s are local. Since I provide
the local IdP service as well, it is not a problem to access the LDAP
too. LDAP auth also gives you LDAP groups, quota management etc.
The nice thing about this is that OC allows you to mix locally defined
users and users defined in LDAP. You can define local groups alongside
of groups defined in LDAP too. So I define users who are not in my
LDAP dir as local OC users, and this works quite well.
However, if you want to provide OC service to lots of people who are
in the federation, but not in the local LDAP (or simply there is no
way to access the local LDAP - but that is silly), you are in trouble.
I would probably write a web front end to set up local OC users based
on the federated authentication data, and would let my users to pick
their own passwords stored in oc_users. And I would not use SAML auth
in OC at all. Otherwise you will have loads of problems because people
may have two different passwords to access different services in OC.
An alternative possibility to automatically mail the generated
password to your users. But this also leads to the 2 passwords problem.
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
