External/secondary authentication

mculibk

Is there any possibility to have some sort of “external” (or additional) authentication in Kopano?

For example…
Kopano is configured to use LDAP as user “source” so it will primarily check/authenticate user requests against the LDAP - ok.
But I would like it to have some additional/alternative “method/source” to authenticate users - like a DB or maybe OpenID or something similar.

So, during authentication, first the primary “source” is checked and then the other(s).

The idea is to have some sort of “backup” password (just for email) or non-expiring mail password (or with different password policy than defined in ldap/AD).

Regards,

fbartels

@mculibk said in External/secondary authentication:

maybe OpenID or something similar.

While WebApp recently gained the possibility to login via openid, there is no real possibility to use any other passwords, than the one your user backend provides.

If you want a second factor, then there is a third party 2fa plugin for WebApp or you could work with ssl client auth in the browser.

mculibk

@fbartels said in External/secondary authentication:

While WebApp recently gained the possibility to login via openid, there is no real possibility to use any other passwords, than the one your user backend provides.

If you want a second factor, then there is a third party 2fa plugin for WebApp or you could work with ssl client auth in the browser.

Hmm… no… it should work for any access method (webapp, imap, pop, z-push…).
Do you know if this authentication part (functions, APIs) is done all in one place (library, kopano component…) or is scattered all around various modules (web-app, gateway, imap…) and each would need to be modified?

In other words… how hard would it be to “safely” add something similar?

Regards,
M.Culibrk

fbartels

@mculibk I would say you would need to implement your own user backend then. The current backends (db, ldap, Unix) are just plugins as well.