LDAP Authentication
Summary
I think support for LDAP-based authentication in addition to the existing OpenID layer can be achieved.
Rationale:
- Many research institutions already maintain centralized user directories using LDAP (e.g., via Active Directory or OpenLDAP), allowing for easier integration with institutional identity management.
- LDAP support would enable smoother onboarding for internal lab members without requiring them to create or manage additional accounts.
- In restricted environments (e.g., air-gapped networks), LDAP is often the only available authentication mechanism, whereas OpenID may require external connectivity.
This addition would streamline user management and enhance compatibility with institutional systems.
TODOs:
There are key design and implementation decisions that must be addressed before LDAP can be supported:
Users & Synchronisation
- Define a translation/mapping layer between LDAP users/groups and internal roles or ACLs.
- Support nested or dynamic group resolution (if used in LDAP).
- Specify what happens to linked data/resources when users or groups are removed or renamed, i.e. conflict resolution.
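As an added illustration of the first two items above (this is example code, not code from the project this issue is filed against), the following Python resolves nested LDAP group membership over a constructed in-memory snapshot of group entries and maps the result onto internal roles. The group DNs, the role names, GROUP_ROLE_MAP and DEFAULT_ROLES are all assumptions; a real implementation would fill the snapshot from a directory search (e.g. groupOfNames entries) performed over an authenticated service bind rather than from a literal dict.

```python
"""Hypothetical LDAP group -> internal role mapping with nested-group resolution.

Added example; not code from the project this issue describes. Runs offline
over a constructed snapshot of group entries (group DN -> member DNs).
"""
from collections import deque

# Constructed sample directory: group DN -> direct member DNs (users or groups).
# Nesting: lab-admins is inside lab-members, which is inside all-staff.
# guests/visitors reference each other on purpose: resolution must terminate.
DIRECTORY = {
    "cn=all-staff,ou=groups,dc=example,dc=org": [
        "cn=lab-members,ou=groups,dc=example,dc=org",
        "uid=carol,ou=people,dc=example,dc=org",
    ],
    "cn=lab-members,ou=groups,dc=example,dc=org": [
        "cn=lab-admins,ou=groups,dc=example,dc=org",
        "uid=bob,ou=people,dc=example,dc=org",
    ],
    "cn=lab-admins,ou=groups,dc=example,dc=org": [
        "uid=alice,ou=people,dc=example,dc=org",
    ],
    "cn=visitors,ou=groups,dc=example,dc=org": [
        "cn=guests,ou=groups,dc=example,dc=org",
    ],
    "cn=guests,ou=groups,dc=example,dc=org": [
        "cn=visitors,ou=groups,dc=example,dc=org",
        "uid=dave,ou=people,dc=example,dc=org",
    ],
}

# Assumed translation layer: LDAP group DN -> set of internal role names.
GROUP_ROLE_MAP = {
    "cn=lab-admins,ou=groups,dc=example,dc=org": {"admin"},
    "cn=lab-members,ou=groups,dc=example,dc=org": {"editor"},
    "cn=all-staff,ou=groups,dc=example,dc=org": {"viewer"},
    "cn=visitors,ou=groups,dc=example,dc=org": {"viewer"},
}

# Roles for an authenticated user that matches no mapped group: none,
# so an unmapped directory account gets no access by default.
DEFAULT_ROLES = frozenset()


def normalize_dn(dn):
    """Comparison key for a DN: trims RDN whitespace and lowercases.

    Simplified on purpose; full RFC 4514 normalization (escapes, attribute
    aliases) is more involved, and a real implementation should use the
    LDAP library's DN parser instead of this.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def build_member_index(directory):
    """Reverse index: member DN -> set of group DNs that list it directly."""
    index = {}
    for group_dn, members in directory.items():
        for member_dn in members:
            index.setdefault(normalize_dn(member_dn), set()).add(normalize_dn(group_dn))
    return index


def resolve_groups(user_dn, directory, max_depth=10):
    """All groups containing the user, directly or via nested groups.

    Breadth-first over the reverse index with a visited set, so membership
    cycles terminate, plus a depth cap so a pathological directory cannot
    make every login unboundedly expensive.
    """
    index = build_member_index(directory)
    seen = set()
    frontier = deque([(normalize_dn(user_dn), 0)])
    while frontier:
        dn, depth = frontier.popleft()
        if depth >= max_depth:
            continue
        for group_dn in index.get(dn, ()):
            if group_dn not in seen:
                seen.add(group_dn)
                frontier.append((group_dn, depth + 1))
    return seen


def roles_for_user(user_dn, directory=DIRECTORY, group_role_map=GROUP_ROLE_MAP):
    """Translate the user's resolved LDAP groups into the internal role set."""
    mapping = {normalize_dn(g): roles for g, roles in group_role_map.items()}
    roles = set()
    for group_dn in resolve_groups(user_dn, directory):
        roles.update(mapping.get(group_dn, ()))
    return frozenset(roles) if roles else DEFAULT_ROLES


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave", "erin"):
        print(uid, sorted(roles_for_user(f"uid={uid},ou=people,dc=example,dc=org")))
```

Two design points worth carrying into the real implementation: roles are the union over all resolved groups, so nesting an admin group inside a broader group grants the broader group's roles to admins as expected, but a cycle between groups with different role mappings would silently merge their privileges, which is a reason to validate the directory's group graph rather than trust it blindly. Also, keying the map on DNs means the third item (renames and removals) bites immediately: renaming a group breaks its mapping and a re-created group with the same DN would inherit the old one's roles, so matching on an immutable attribute such as entryUUID (or objectGUID in Active Directory) is the more robust choice.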
Authentication Flow
- Decide how login method selection (OpenID vs LDAP) is exposed in the UI.
Security & Auditing
- Create auditing/logging for the LDAP flow consistent with the existing standards.