Allow to use WebService as another user (aka sudo webservice)
Actual behavior
To use the WebService, you must log in as an FD user (with user name and password). This requires the calling application to hold the user's password in order to call the FD WebService, which is not always possible (for example with SSO) and can also be a security issue.
Expected behavior
We should have an option allowing an application to authenticate to the WebService with a technical account and pass the identity of the user on whose behalf the WebService is called, in order to benefit from the FD ACL model.
Step-by-step description of the new behaviour
- Protect the WebService endpoint with AuthBasic, for example in Apache:
<Location /fusiondirectory/jsonrpc.php>
    AuthType Basic
    AuthName "FD WebServices"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap-server1 ldap-server2/ou=dsa,dc=example,dc=com?cn?one?"
    AuthLDAPBindDN cn=fusiondirectory,ou=dsa,dc=example,dc=com
    AuthLDAPBindPassword secret
    Require ldap-user account1 account2
</Location>
- Have an option to call the LOGIN WebService method without the user's password. Here is a proof-of-concept patch:
# diff /usr/share/fusiondirectory/html/jsonrpc.php /usr/share/fusiondirectory/html/jsonrpc.php.orig
93,99c93
< $conf_allow_nopasswd = 1; // TODO create configuration parameter
< if ( $pwd === NULL and $conf_allow_nopasswd ) {
< $ui = ldap_get_user($user);
< $ui->loadACL();
< } else {
< $ui = ldap_login_user($user, $pwd);
< }
---
> $ui = ldap_login_user($user, $pwd);
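Review bot: the password-less branch (`if ( $pwd === NULL and $conf_allow_nopasswd )`) trusts the global flag alone; nothing in the hunk verifies that the request actually passed the AuthBasic protection from step 1, nor that the authenticated technical account is one permitted to act for other users, so with the flag on and the endpoint reachable without that protection any caller could obtain any user's session simply by omitting the password. Suggest checking the identity supplied by the web server (for example `$_SERVER['REMOTE_USER']`) against an explicit allow list before taking the `ldap_get_user($user)` path, checking that call's return value before `$ui->loadACL()`, and replacing the hard-coded `$conf_allow_nopasswd = 1` with the configuration parameter the TODO mentions, defaulting to off.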
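As an added illustration of the "sudo" login path described above (not part of the proposal's patch or of FusionDirectory's code), the password-less branch can be gated on the web server having authenticated a technical account that is explicitly allowed to impersonate, rather than on a global flag alone; `ldap_get_user`, `ldap_login_user` and `$allowed_impersonators` are assumed names here.

```php
<?php
// Added example, not FusionDirectory code. The stand-ins below replace the
// ldap_login_user()/ldap_get_user() helpers named in the proposal so the file
// runs alone; the user store is constructed sample data.
class ExampleUser {
    public $dn;
    public function __construct(string $dn) { $this->dn = $dn; }
    public function loadACL(): void { /* would load FD ACLs for $this->dn */ }
}
const SAMPLE_USERS = ['alice' => 'pw-alice', 'bob' => 'pw-bob'];  // constructed

function ldap_get_user(string $user): ?ExampleUser {
    return isset(SAMPLE_USERS[$user]) ? new ExampleUser("uid=$user,ou=people,dc=example,dc=com") : null;
}
function ldap_login_user(string $user, string $pwd): ?ExampleUser {
    $stored = SAMPLE_USERS[$user] ?? '';
    return ($stored !== '' && hash_equals($stored, $pwd)) ? ldap_get_user($user) : null;
}

// Resolve the effective user for a WebService LOGIN call. $server is $_SERVER
// (or a copy); $allowed_impersonators is a hypothetical configuration list of
// technical accounts permitted to act for other users.
function resolve_webservice_user(array $server, string $user, ?string $pwd, array $allowed_impersonators): ExampleUser {
    if ($pwd !== null) {
        // Normal path: the caller proved knowledge of the user's own password.
        $ui = ldap_login_user($user, $pwd);
        if ($ui === null) throw new RuntimeException('Bad credentials');
        return $ui;
    }
    // "sudo" path: a missing password is acceptable only when the web server
    // already authenticated the caller (Apache AuthBasic sets REMOTE_USER);
    // on an unprotected endpoint it is unset and the request is refused.
    $caller = $server['REMOTE_USER'] ?? '';
    if ($caller === '') throw new RuntimeException('Password-less login requires web-server authentication');
    // "Require ldap-user" limits who reaches the endpoint; this limits who may impersonate.
    if (!in_array($caller, $allowed_impersonators, true)) {
        throw new RuntimeException("$caller may not act for other users");
    }
    $ui = ldap_get_user($user);
    if ($ui === null) throw new RuntimeException("Unknown user $user");
    $ui->loadACL();
    // Keep the delegation attributable: record who acted for whom.
    error_log("webservice impersonation: $caller acting as $user");
    return $ui;
}

// Usage: Apache authenticated technical account "account1" (from the config above) acting as alice.
$ui = resolve_webservice_user(['REMOTE_USER' => 'account1'], 'alice', null, ['account1']);
echo $ui->dn, "\n";
```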
Benefits
It would allow better integration with web applications that use the WebServices.
Let me know if you are interested in a Pull Request for this feature.