kanidm/ldap3

Web-based Active Directory Console


We are currently looking at this project as a potential starting point for a web-based Active Directory console, compiling Rust to WebAssembly, and building a Web UI on top. This crate is interesting because it doesn't have a dependency on tokio for the reusable parts, which is a common problem for in-browser WASM.

There are various improvements and changes we'd need to make, beginning with SPNEGO authentication (NTLM/Kerberos) using sspi-rs. As for other improvements, they would likely be implementing the Microsoft Active Directory LDAP variant and custom extensions.

For our use case, we only care about Active Directory, which may not be the goal of this project. Would you be interested in such contributions, even if they would be focused solely on Active Directory? We're unsure if we'd be better off trying to get all of our changes merged upstream, or if we should create something solely meant for Active Directory using this project as a basis.

Either way, let us know your preference!

I'd be happy for you to add this if you wanted :)

The way the library is designed is meant to be for both server + client, so it's probably worth the time to implement both sides of this so we can also do some internal testing of the proto in a reflexive manner.

Worth also pointing out, that for sspi-rs you likely need to be aware of and consider https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848 for future :)

Thanks, we'll plan our work to be based on this project with the intent of upstreaming our improvements for Active Directory integration then! 💪

As for the recent NTLM deprecation announcement from Microsoft and the related Kerberos extensions, we are well aware, and we intend to implement them when a Windows 11 Preview build becomes available. We'll be attending the webinar, but I already asked Steve Syfuhs a couple of questions. It's not yet known if and when it would make it to Windows Server, and how far back it would be backported.

For now, our solution has been to implement a KDC proxy: sspi-rs as a client supports it, and we've implemented a KDC proxy server in Devolutions Gateway. This is how we've managed to get cross-platform Kerberos that works everywhere in the various Kerberized protocols we've implemented (RDP, WinRM, LDAP, etc.).
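The KDC proxy mentioned in the comment above carries Kerberos over HTTPS using the MS-KKDCP protocol: the client POSTs a DER-encoded KDC-PROXY-MESSAGE (the TCP-framed Kerberos PDU wrapped in an OCTET STRING, plus an optional target realm) and the proxy unwraps it and forwards it to a real KDC. The following is an added example, not code from kanidm/ldap3, sspi-rs or Devolutions Gateway, showing a minimal encoder and a validating decoder for that envelope in plain Rust with no crates. The Kerberos PDU bytes and the realm `EXAMPLE.COM` are constructed sample input, and the decoder's length-prefix check is the kind of validation a proxy should do before forwarding anything to a KDC.

```rust
// Added example (not from kanidm/ldap3, sspi-rs or Devolutions Gateway).
// Minimal DER handling for the MS-KKDCP envelope a KDC proxy client POSTs
// to https://<proxy>/KdcProxy:
//
// KDC-PROXY-MESSAGE ::= SEQUENCE {
//     kerb-message   [0] OCTET STRING,   -- 4-byte big-endian length + Kerberos PDU
//     target-domain  [1] KerberosString OPTIONAL,
//     dclocator-hint [2] INTEGER OPTIONAL  -- accepted and ignored below
// }

/// Write a DER length (short form below 128, long form otherwise).
fn der_len(len: usize, out: &mut Vec<u8>) {
    if len < 0x80 {
        out.push(len as u8);
    } else {
        let bytes = len.to_be_bytes();
        let first = bytes.iter().position(|&b| b != 0).unwrap_or(bytes.len() - 1);
        let sig = &bytes[first..];
        out.push(0x80 | sig.len() as u8);
        out.extend_from_slice(sig);
    }
}

/// Tag + length + content.
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    der_len(content.len(), &mut out);
    out.extend_from_slice(content);
    out
}

/// Wrap a raw Kerberos PDU (e.g. an AS-REQ) in a KDC-PROXY-MESSAGE.
pub fn encode_kdc_proxy_message(kerb_pdu: &[u8], target_domain: Option<&str>) -> Vec<u8> {
    // kerb-message keeps the Kerberos-over-TCP framing: 4-byte big-endian length.
    let mut framed = (kerb_pdu.len() as u32).to_be_bytes().to_vec();
    framed.extend_from_slice(kerb_pdu);
    let octets = der_tlv(0x04, &framed);           // OCTET STRING
    let mut seq = der_tlv(0xA0, &octets);          // [0] EXPLICIT
    if let Some(domain) = target_domain {
        let gs = der_tlv(0x1B, domain.as_bytes()); // GeneralString (KerberosString)
        seq.extend(der_tlv(0xA1, &gs));            // [1] EXPLICIT
    }
    der_tlv(0x30, &seq)                            // SEQUENCE
}

/// Parse one TLV; returns (tag, content, remaining). Rejects indefinite and
/// oversized lengths and anything that runs past the buffer.
fn read_tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let tag = *buf.first()?;
    let mut i = 1;
    let first = *buf.get(i)?;
    i += 1;
    let len = if first < 0x80 {
        first as usize
    } else {
        let n = (first & 0x7F) as usize;
        if n == 0 || n > 4 {
            return None;
        }
        let mut l = 0usize;
        for _ in 0..n {
            l = (l << 8) | *buf.get(i)? as usize;
            i += 1;
        }
        l
    };
    let end = i.checked_add(len)?;
    if end > buf.len() {
        return None;
    }
    Some((tag, &buf[i..end], &buf[end..]))
}

pub struct KdcProxyMessage {
    pub kerb_pdu: Vec<u8>,
    pub target_domain: Option<String>,
}

/// What a proxy server does with the POST body before forwarding to a KDC:
/// strict structure check, and the inner length prefix must match the payload.
pub fn decode_kdc_proxy_message(body: &[u8]) -> Option<KdcProxyMessage> {
    let (tag, seq, rest) = read_tlv(body)?;
    if tag != 0x30 || !rest.is_empty() {
        return None;
    }
    let (t0, c0, mut rest) = read_tlv(seq)?;
    if t0 != 0xA0 {
        return None;
    }
    let (t_os, framed, r) = read_tlv(c0)?;
    if t_os != 0x04 || !r.is_empty() || framed.len() < 4 {
        return None;
    }
    let declared = u32::from_be_bytes([framed[0], framed[1], framed[2], framed[3]]) as usize;
    if declared != framed.len() - 4 {
        return None; // framing lies about the PDU size: do not forward
    }
    let kerb_pdu = framed[4..].to_vec();
    let mut target_domain = None;
    if let Some(&0xA1) = rest.first() {
        let (_, c1, r) = read_tlv(rest)?;
        let (t_gs, s, r2) = read_tlv(c1)?;
        if t_gs != 0x1B || !r2.is_empty() {
            return None;
        }
        target_domain = Some(std::str::from_utf8(s).ok()?.to_string());
        rest = r;
    }
    if let Some(&0xA2) = rest.first() {
        let (_, _, r) = read_tlv(rest)?; // dclocator-hint: ignored
        rest = r;
    }
    if !rest.is_empty() {
        return None;
    }
    Some(KdcProxyMessage { kerb_pdu, target_domain })
}

fn main() {
    // Constructed placeholder PDU, not a real AS-REQ.
    let pdu = [0x6A, 0x03, 0x02, 0x01, 0x05];
    let body = encode_kdc_proxy_message(&pdu, Some("EXAMPLE.COM"));
    for b in &body {
        print!("{:02x}", b);
    }
    println!();
}
```

The client side of the exchange is then an HTTPS POST of `body` to the proxy's `/KdcProxy` endpoint and the same decoding of the response; the proxy side validates exactly as `decode_kdc_proxy_message` does, then writes the framed bytes to the KDC over TCP port 88.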

I look forward to reviewing your contributions, thanks so much!