README: Add more details and a screenshot

This commit is contained in:
Valentin Tolmer 2021-10-15 22:09:17 +09:00 committed by nitnelave
parent 3df3a96d46
commit a43364a70f
3 changed files with 27 additions and 6 deletions

View file

@ -19,3 +19,4 @@ lldap_config.toml
server_key server_key
users.db* users.db*
.gitignore .gitignore
screenshot.png

View file

@ -1,12 +1,17 @@
# lldap - Light LDAP implementation for authentication # lldap - Light LDAP implementation for authentication
WARNING: This project is still WIP, it's still missing core functionality. For WARNING: This project is still in alpha, with the basic core functionality
updates, follow [@nitnelave1](https://twitter.com/nitnelave1). implemented but still very rough. For updates, follow
[@nitnelave1](https://twitter.com/nitnelave1) or join our [Discord
server](https://discord.gg/h5PEdRMNyP)!
This project is an lightweight authentication server that provides an This project is an lightweight authentication server that provides an
opinionated, simplified LDAP interface for authentication: clients that can opinionated, simplified LDAP interface for authentication: clients that can
only speak LDAP protocol can talk to it and use it as an authentication server. only speak LDAP protocol can talk to it and use it as an authentication server.
![Screenshot of the user list page](screenshot.png)
The goal is _not_ to provide a full LDAP server; if you're interested in that, The goal is _not_ to provide a full LDAP server; if you're interested in that,
check out OpenLDAP. This server is made to be: check out OpenLDAP. This server is made to be:
* simple to setup (no messing around with `slapd`) * simple to setup (no messing around with `slapd`)
@ -20,12 +25,13 @@ authentication.
## Architecture ## Architecture
The server is entirely written in Rust, using [actix](https://actix.rs) and The server is entirely written in Rust, using [actix](https://actix.rs) for the
[yew](https://yew.rs) for the frontend. backend and [yew](https://yew.rs) for the frontend.
Backend: Backend:
* Listens on a port for LDAP protocol. * Listens on a port for LDAP protocol.
* Only a small, read-only subset of the LDAP protocol is supported. * Only a small, read-only subset of the LDAP protocol is supported.
* An extension to allow resetting the password through LDAP will be added.
* Listens on another port for HTTP traffic. * Listens on another port for HTTP traffic.
* The authentication API, based on JWTs, is under "/auth". * The authentication API, based on JWTs, is under "/auth".
* The user management API is a GraphQL API under "/api/graphql". The schema * The user management API is a GraphQL API under "/api/graphql". The schema
@ -54,6 +60,9 @@ Data storage:
interface between front and back-end. In particular, it contains the OPAQUE interface between front and back-end. In particular, it contains the OPAQUE
structures and the JWT format. structures and the JWT format.
* `app/`: The frontend. * `app/`: The frontend.
* `src/components`: The elements containing the business and display logic of
the various pages and their components.
* `src/infra`: Various tools and utilities.
* `server/`: The backend. * `server/`: The backend.
* `src/domain/`: Domain-specific logic: users, groups, checking passwords... * `src/domain/`: Domain-specific logic: users, groups, checking passwords...
* `src/infra/`: API, both GraphQL and LDAP * `src/infra/`: API, both GraphQL and LDAP
@ -67,7 +76,13 @@ storage. They are hashed using a secret provided in the configuration (which
can be given as environment variable or command line argument as well): this can be given as environment variable or command line argument as well): this
should be kept secret and shouldn't change (it would invalidate all passwords). should be kept secret and shouldn't change (it would invalidate all passwords).
TODO: Add client-side password hashing. Authentication is done via the OPAQUE protocol, meaning that the passwords are
never sent to the server, but instead the client proves that they know the
correct password (zero-knowledge proof). This is likely overkill, especially
considered that the LDAP interface requires sending the password to the server,
but it's one less potential flaw (especially since the LDAP interface can be
restricted to an internal docker-only network while the web app is exposed to
the Internet).
### JWTs and refresh tokens ### JWTs and refresh tokens
@ -99,7 +114,12 @@ Contributions are welcome! Just fork and open a PR. Or just file a bug.
We don't have a code of conduct, just be respectful and remember that it's just We don't have a code of conduct, just be respectful and remember that it's just
normal people doing this for free on their free time. normal people doing this for free on their free time.
Make sure that you run `cargo fmt` from the root before creating the PR. Make sure that you run `cargo fmt` from the root before creating the PR. And if
you change the GraphQL interface, you'll need to regenerate the schema by
running `./export_schema.sh`.
Join our [Discord server](https://discord.gg/h5PEdRMNyP) if you have any
questions!
### Setup ### Setup

BIN
screenshot.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 47 KiB