pi-hole/api

LDAP authentication

cyberb opened this issue · 3 comments

I would like to add LDAP authentication.
A few questions:

  1. Is the auth key currently hashed on the client side (React)? If so, do you plan to replace it with plaintext + an HTTPS option? I do not think it is possible to do client-side hashing with LDAP.
  2. Is there an option to secure the whole website and not just a few pages?
  3. Why do you keep the web and api projects separate? It does not seem to simplify the branch development model, as it usually covers both.
  4. Is it OK if I add a login field to the web UI if LDAP is enabled?

  1. As there is no HTTPS connection available, the password is kept a secret by hashing it (twice) before communicating with the API. This however makes the hashed password effectively the API password. HTTPS is required to make this communication secure, but our thought was that HTTPS is not needed for most home installs. If someone needs HTTPS, then they can add it manually (see the guide). The new web interface can be proxied to provide HTTPS support.
  2. Each page's authentication level is manually determined, as well as the corresponding API methods. If this is made dynamic, would you also want to dynamically change the API methods' authentication levels?
  3. All of our projects are kept in separate repositories. We have not yet found a need for a monorepo, but it's still a possibility.
  4. Can you give some more details on this?

LDAP needs a user/password combination, but currently the web UI offers only a password field.

I am planning to add a simple LDAP config to api.toml with address and bind_dn. Then, if LDAP is enabled, the web UI may show user/password fields and not hash the password in JS.

That sounds fine. Thanks for your interest in contributing!
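Added example, not code from the pi-hole/api project: it puts the two schemes from this thread side by side. The double-hash login the maintainer describes (the hash that crosses the wire is exactly what the API stores, so only HTTPS protects it) and the proposed `[ldap]` section with `address` and `bind_dn`, where the plaintext password needed for a bind must only be accepted when both hops are encrypted and the username is escaped before it is placed in the DN. SHA-256, the `[webserver].https` key and the config layout are assumptions.

```python
import hashlib
import hmac

# Constructed api.toml fragment as a dict: [ldap] keys follow the thread's proposal, [webserver].https is an assumption.
CONFIG = {
    "webserver": {"https": False},
    "ldap": {
        "enabled": True,
        "address": "ldaps://ldap.example.internal:636",
        "bind_dn": "uid={user},ou=people,dc=example,dc=internal",
    },
}

def double_hash(password: str) -> str:
    """Current scheme: the client hashes twice and sends the result.
    SHA-256 is an assumption; the thread only says 'hashed twice'."""
    first = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256(first.encode()).hexdigest()

def verify_hashed(stored_hash: str, presented_hash: str) -> bool:
    """The API stores the same double hash the client sends, so whatever
    crosses the wire is exactly the credential: HTTPS is what protects it."""
    return hmac.compare_digest(stored_hash, presented_hash)

def dn_escape(value: str) -> str:
    """RFC 4514 escaping so a username cannot change the shape of the bind DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def bind_dn_for(cfg: dict, user: str) -> str:
    return cfg["ldap"]["bind_dn"].format(user=dn_escape(user))

def ldap_login_allowed(cfg: dict) -> tuple:
    """LDAP bind needs the plaintext password, so the web form may only skip
    client-side hashing when both hops (browser->API, API->directory) use TLS."""
    ldap = cfg.get("ldap", {})
    if not ldap.get("enabled", False):
        return False, "ldap disabled: keep the existing hashed-password login"
    if not cfg.get("webserver", {}).get("https", False):
        return False, "refused: plaintext password would cross browser->API unencrypted"
    if not ldap.get("address", "").startswith("ldaps://"):
        return False, "refused: directory address must be ldaps://"
    return True, "ok: show user/password form, send plaintext over HTTPS, bind over LDAPS"
```

With the constructed config (`https = false`) the LDAP form is refused; flipping `https` to true while keeping an `ldaps://` address lets it through.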