Is it possible to authenticate admins in GUI via AD/LDAP?


#1

Hello, everyone!
I want admins that log in DF GUI to be authenticated via my external AD service. I’ve read the blog post here http://blog.dreamfactory.com/dreamfactory-active-directory-authentication-over-ldap, but that is all about API users.
Can I do something like that for GUI login? I understand that I can rebuild the app so that it sends admin auth requests to /system/admin?service=adservice but will it help?

Thanks.


#2

Well, I guess I’ve found a solution. The side effect of this approach is that we force AD authentication not only for admins but for all users. But in my case this is actually an additional profit.

  1. We have a local admin in the database.
  2. Create an AD/LDAP service. Let it have the name “myldap”.
  3. We create another admin with a username like <admin_name>+<service_name>@<ldap_DC>. Having my ldap service Base DN param configured as “DC=demo,DC=local” and having LDAP user “test”, my admin gets the “test+myldap@demo.local” username. If you want, you can change the actual email manually in the DB.
  4. Here we need some PHP coding. We restrict logins without a “service” request parameter by attaching an event handler for the DreamFactory\Core\Events\ResourcePreProcess event. We can do that in app/Providers/EventServiceProvider.php. The event handler will check whether the request matches /user/session/ and contains a “service” parameter. If not the latter, it will throw an exception.
  5. Log out from DF and re-login as the admin we just created, selecting the appropriate LDAP service.
  6. Remove the local admin.

Looks like this works fine. Does anyone have any concerns about this approach? @benbusse, maybe %)?
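For readers who want to see what step 4 of the post above looks like in code, here is an added example written for this page; it is not the poster's code and not part of DreamFactory itself. It splits the decision (is this a login attempt that carries no `service` parameter?) into a plain function that can be checked from the command line, and wires it to the `DreamFactory\Core\Events\ResourcePreProcess` event in a listener. The event property and method names used in the listener (`$event->request`, `getMethod()`, `getParameters()`, `$event->resourcePath`) and the listener class name are assumptions about the df-core version in use and should be checked against the installed source; the login path `user/session` is the one the post names.

```php
<?php
// Added example (not from the original post or from DreamFactory's own code).
// Implements the post's step 4: reject a login request to user/session that
// carries no "service" parameter, so every login has to go through the
// AD/LDAP service instead of the local password store.

namespace App\Listeners;

use DreamFactory\Core\Events\ResourcePreProcess;
use RuntimeException;

/**
 * Pure decision function, kept apart from the event wiring so it can be
 * exercised without booting DreamFactory.
 *
 * @param string $method HTTP method, e.g. "POST"
 * @param string $path   resource path, e.g. "user/session" or "/user/session/"
 * @param array  $params request parameters as key => value
 * @return bool true when this is a login attempt that must be rejected
 */
function isLoginWithoutService(string $method, string $path, array $params): bool
{
    // Only session creation (POST) is guarded: GET (session lookup) and
    // DELETE (logout) carry no credentials and are left alone.
    if (strtoupper($method) !== 'POST') {
        return false;
    }
    // Treat "/user/session/" and "user/session" as the same resource.
    if (trim($path, '/') !== 'user/session') {
        return false;
    }
    // An empty or whitespace-only "service" value counts as absent.
    $service = isset($params['service']) ? trim((string) $params['service']) : '';
    return $service === '';
}

class RequireLdapServiceOnLogin
{
    // ASSUMPTION: ResourcePreProcess exposes $request (a DreamFactory
    // ServiceRequestInterface with getMethod()/getParameters()) and
    // $resourcePath. Verify these names against your df-core version.
    public function handle(ResourcePreProcess $event): void
    {
        $method = $event->request->getMethod();
        $params = $event->request->getParameters();
        if (isLoginWithoutService($method, (string) $event->resourcePath, $params)) {
            // A DreamFactory exception class would produce the API's usual
            // error envelope; a plain RuntimeException is used here so no
            // exact class name has to be assumed.
            throw new RuntimeException('Login is only allowed through an AD/LDAP service.');
        }
    }
}

// Registration in app/Providers/EventServiceProvider.php (standard Laravel
// $listen map; the listener class name above is hypothetical):
//
//   protected $listen = [
//       \DreamFactory\Core\Events\ResourcePreProcess::class => [
//           \App\Listeners\RequireLdapServiceOnLogin::class,
//       ],
//   ];

// Stand-alone self-check of the decision function (php thisfile.php).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    assert(isLoginWithoutService('POST', 'user/session', []) === true);
    assert(isLoginWithoutService('POST', '/user/session/', ['service' => '  ']) === true);
    assert(isLoginWithoutService('POST', 'user/session', ['service' => 'myldap']) === false);
    assert(isLoginWithoutService('GET', 'user/session', []) === false);   // session lookup
    assert(isLoginWithoutService('POST', 'user/password', []) === false); // other resource
    echo "decision function behaves as expected\n";
}
```

Two things worth checking before relying on this: the post guards `/user/session` only, while the first post mentions an admin endpoint under `/system/admin`, so confirm which path the GUI login on your version actually posts to and apply the same rule there if it differs; and run the listener against a test instance first, because a mistake in the path match locks out every login, including the LDAP-backed admin created in step 3.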