LDAP and Multitenancy limitations #3669

felipeseho created

Hi There,

I would like to know the reason for the incompatibility when using LDAP and MultiTenancy together. I'm asking because I found the comment below in the code.

        //Enable LDAP authentication (It can be enabled only if MultiTenancy is disabled!)
        //Configuration.Modules.MiddlewareLdap().Enable(typeof(AppLdapAuthenticationSource));

Thanks


4 Answer(s)
  • felipeseho created

    My app needs both features working together.

  • alper created
    Support Team

    hi

    Active Directory and a multitenant structure are not available together with the current architecture.

    The reason is simple: currently there's one LDAP setting. When LDAP is active, you cannot make use of LDAP for all tenants. And if you want to use it for the host login, this is not available with the current codebase either.

    Also, most companies don't open LDAP to the internet. When you serve your website as a multitenant app, it's hard to connect to a customer's LDAP over the internet.

  • ervingayle created

    My experience is different on this topic. For those customers building a multi-tenant solution, in some cases an organization may not want to leverage SSO/federation capabilities such as Google, etc. for authenticating users, even if they leverage those platforms already. There is certainly value and a need to provide a multi-tenant LDAP-supported option. You are correct that customers will not blatantly expose their AD/LDAP to the public internet. This is why Azure and Amazon alike have implemented P2P VPN and other services to allow their existing policies around account management and server management to also apply to the cloud, and for those cloud-hosted services to use a common identity used by the organization.

    I agree that the host account does not need to be an LDAP account. It should be a local user account identity.

    There are other technologies like Bitium, Okta and OneLogin that exist precisely to address this problem in a way that does not require a VPN. However, for us as AspNet Zero customers, I believe that this will be a BIG feature if it can be implemented.

    I for one would be happy to test. I have many use cases and organizations to validate the use case.

  • alper created
    Support Team

    hi again

    I noted down this topic to evaluate in feature meetings.

    https://github.com/aspnetzero/aspnet-zero-core/issues/369
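One way the per-tenant model discussed above could look, as an added example that is neither AspNet Zero's nor the support team's code: it keeps the host on local accounts (as ervingayle suggests) and lets each tenant switch LDAP on for itself, instead of one global setting. It assumes ABP's ILdapSettings contract (each getter receives the tenant id, null for the host) and its LdapSettingNames constants; the class name and the idea of reading the settings per tenant are the example's own.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Threading.Tasks;
using Abp.Configuration;
using Abp.Extensions;
using Abp.Zero.Ldap.Configuration;

// Hypothetical per-tenant LDAP settings provider (added example, not AspNet Zero code).
// It assumes ABP's ILdapSettings contract, where every getter receives the tenant id
// (null for the host), so one directory configuration can be kept per tenant.
public class TenantScopedLdapSettings : ILdapSettings
{
    private readonly ISettingManager _settingManager;

    public TenantScopedLdapSettings(ISettingManager settingManager)
    {
        _settingManager = settingManager;
    }

    // Host logins stay local accounts: LDAP is off whenever there is no tenant,
    // and on only for a tenant that has switched it on for itself.
    public async Task<bool> GetIsEnabled(int? tenantId)
    {
        if (!tenantId.HasValue) return false;
        return await _settingManager.GetSettingValueForTenantAsync<bool>(
            LdapSettingNames.IsEnabled, tenantId.Value);
    }

    public async Task<ContextType> GetContextType(int? tenantId)
    {
        var value = await GetTenantValue(LdapSettingNames.ContextType, tenantId);
        return value.IsNullOrWhiteSpace() ? ContextType.Domain : value.ToEnum<ContextType>();
    }

    public Task<string> GetContainer(int? tenantId) => GetTenantValue(LdapSettingNames.Container, tenantId);
    public Task<string> GetDomain(int? tenantId) => GetTenantValue(LdapSettingNames.Domain, tenantId);
    public Task<string> GetUserName(int? tenantId) => GetTenantValue(LdapSettingNames.UserName, tenantId);
    public Task<string> GetPassword(int? tenantId) => GetTenantValue(LdapSettingNames.Password, tenantId);

    // Values are read from the tenant's own settings only; the host never carries
    // directory credentials, so a host login can never reach a customer directory.
    private async Task<string> GetTenantValue(string name, int? tenantId)
    {
        if (!tenantId.HasValue) return string.Empty;
        return await _settingManager.GetSettingValueForTenantAsync(name, tenantId.Value);
    }
}
```

Registering this class for ILdapSettings in the module's PreInitialize (the registration step is assumed, not shown) replaces the default provider; how a tenant's directory is reached at all (VPN, a federation service, or similar, as discussed above) is a network matter the class does not address.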