I’ve got a couple of feature requests / design questions.
We’ve been using the internally provided authentication, but I am getting requests for AD integration for a couple of different reasons. I do not want to be an IT administrator adding and removing users from groups myself. I also have a hard time working with IT to create groups for application-specific roles, so the hybrid model would work best for me. I could use full AD, but then I would have to change a bunch of code to make Ignition aware of the AD groups and then manage that, and I’d like to avoid that if possible and contain it in the Authentication config.
One problem I have with the hybrid is that it seems to require me to explicitly add every user account and map roles. I would love to be able to specify the group as a user and map Ignition roles to that. Then any user of that group also gets those roles.
I would also like to be able to remove roles from individual groups or users if they are inheriting those through this mechanism.
The next problem I have is that LDAP sends passwords in clear text to the AD server. I strongly dislike that and would like to know if there is an LDAPv2 (SSL) or LDAPv3 (TLS) option here, or perhaps for the future. I manage the Ignition server and don’t want the ability to capture user passwords because of something like this, let alone a third party like a managed server provider after it leaves the machine (through VPN).
Also Single Sign-on for Windows clients would be nice too.
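
The group-to-role inheritance with per-user and per-group removals requested above, sketched as an added example (not part of the original post and not Ignition's code). The names `RolePolicy`, `expand_groups` and `effective_roles`, the removal-always-wins rule, the nested-group handling and the sample data are assumptions, and the nesting goes slightly beyond what the post asks for.

```python
from dataclasses import dataclass, field

@dataclass
class RolePolicy:
    """Hypothetical hybrid config: AD supplies membership, this supplies roles."""
    grants: dict = field(default_factory=dict)   # principal -> roles granted
    removes: dict = field(default_factory=dict)  # principal -> roles removed

def norm(name):
    # AD names compare case-insensitively, so normalise before every lookup.
    return name.casefold()

def expand_groups(direct_groups, member_of):
    """Direct plus nested groups; member_of maps a group to its parent groups."""
    seen, stack = set(), [norm(g) for g in direct_groups]
    while stack:
        group = stack.pop()
        if group in seen:  # circular nesting is possible; visit each group once
            continue
        seen.add(group)
        stack.extend(norm(p) for p in member_of.get(group, ()))
    return seen

def effective_roles(user, direct_groups, member_of, policy):
    """Union of inherited and personal grants, minus every applicable removal."""
    principals = expand_groups(direct_groups, member_of) | {norm(user)}
    granted, removed = set(), set()
    for principal in principals:
        granted |= policy.grants.get(principal, set())
        removed |= policy.removes.get(principal, set())
    # Removal wins over any grant; unmapped groups contribute nothing.
    return granted - removed

# Constructed sample data (not from the post); includes a nesting cycle.
SAMPLE_MEMBER_OF = {
    "line1-operators": ["plant-operators"],
    "plant-operators": ["all-staff"],
    "all-staff": ["plant-operators"],
}
SAMPLE_POLICY = RolePolicy(
    grants={"plant-operators": {"Operator"}, "all-staff": {"Viewer"},
            "alice": {"Administrator"}},
    removes={"contractors": {"Operator"}, "bob": {"Viewer"}},
)

if __name__ == "__main__":
    for user, groups in [("alice", ["line1-operators"]), ("bob", ["plant-operators"]),
                         ("carol", ["Plant-Operators", "contractors"])]:
        print(user, sorted(effective_roles(user, groups, SAMPLE_MEMBER_OF, SAMPLE_POLICY)))
```
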