How to query project users belonging to a certain role
Hi,
I'm trying to write a Zitadel backend for the Apricot project (an LDAP proxy for OIDC backends), but I'm running into some API limitations that I am hoping you could potentially assist with.
I am making a couple of (unqualified) assumptions about both Zitadel and LDAP (as I'm inexperienced with both, please let me know if I'm completely off the chart here):
1. A Zitadel user will map 1:1 to an LDAP user.
2. A Zitadel Project Role will map 1:1 to an LDAP group.
The way I've set up the proxy is that it runs on a per-project basis, as that is the only way you can connect users with (customizable) roles. It also makes sense to me, as it eliminates collisions between multiple projects sharing role names.
I am running into 2 main issues:
1. I need a numerical ID per role that is stable. I thought about using the creationDate timestamp, but not only does it not fit in the unsigned 32-bit maximum size of gidNumber, I assume it is also not unique if you create the roles in bulk mode.
2. I need a way to find all users belonging to a role for the given project. Ideally there would be a query where I could say "give me all the project members belonging to this role". I might have overlooked it, but I can't seem to find this query.
I'd appreciate any and all help to solve this. I really want to use Zitadel instead of Authentik or Keycloak, but I also really need an LDAP interface. I can see from a discussion on GH that it is something you are considering but lack the manpower to solve, so maybe this could be a happy middle ground for those who, like me, need it for certain services.
Vb,
Christian
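An added example (not Apricot's or Zitadel's own code) of the two pieces the post above asks for: deriving a stable gidNumber per project role without using creationDate, and turning a page of Zitadel user grants into the member list of an LDAP group. It assumes the Zitadel management API's ListUserGrants call (POST /management/v1/users/grants/_search) with `projectIdQuery` and `roleKeyQuery` filters and `userName`/`roleKeys` fields in each result; those names are taken from the v1 REST API as I remember it and should be checked against the docs for your Zitadel version. The sample grants are constructed, not real data.

```python
"""Map Zitadel project roles to POSIX groups for an LDAP proxy.

Added example; not Apricot's or Zitadel's code. Assumptions (also noted
inline): the ListUserGrants endpoint and its field names as recalled from
the Zitadel management API v1 docs, and hash-derived gidNumbers.
"""
import hashlib
import json
from typing import Iterable
from urllib import request

GID_BASE = 100_000             # stay clear of local system groups
GID_RANGE = 2**31 - GID_BASE   # keep gids below 2^31 so nothing sign-flips
PAGE_SIZE = 100


def gid_for_role(project_id: str, role_key: str) -> int:
    """Deterministic gidNumber for a (project, role) pair.

    creationDate is unusable: Unix milliseconds overflow an unsigned 32-bit
    gidNumber and bulk-created roles share a timestamp. A hash of the role
    key is stable across restarts and proxy instances with no persisted
    state; mixing in the project id keeps equal role names in different
    projects apart.
    """
    digest = hashlib.sha256(f"{project_id}\x00{role_key}".encode()).digest()
    return GID_BASE + int.from_bytes(digest[:8], "big") % GID_RANGE


def assign_gids(project_id: str, role_keys: Iterable[str]) -> dict[str, int]:
    """Assign gids to every role of a project, failing loudly on a collision.

    The birthday bound (~n^2 / 2^31) is negligible for the handful of roles a
    project has, but two roles must never silently become one group.
    """
    gids: dict[str, int] = {}
    owner: dict[int, str] = {}
    for key in role_keys:
        gid = gid_for_role(project_id, key)
        if gid in owner and owner[gid] != key:
            raise ValueError(f"gid collision: {key!r} and {owner[gid]!r} -> {gid}")
        owner[gid] = key
        gids[key] = gid
    return gids


def user_grants_request(project_id: str, role_key: str, offset: int = 0) -> dict:
    """Request body for ListUserGrants filtered to one project and one role.

    Assumed (Zitadel management API v1): paging under `query`, filters under
    `queries[]` as `projectIdQuery` and `roleKeyQuery`; uint64 offsets are
    JSON strings.
    """
    return {
        "query": {"offset": str(offset), "limit": PAGE_SIZE, "asc": True},
        "queries": [
            {"projectIdQuery": {"projectId": project_id}},
            {"roleKeyQuery": {"roleKey": role_key, "method": "TEXT_QUERY_METHOD_EQUALS"}},
        ],
    }


def group_members(grants: list[dict], role_key: str) -> list[str]:
    """memberUid values for one role from a ListUserGrants result page.

    A grant lists all of a user's role keys for the project, so membership is
    re-checked client-side instead of trusting the server-side filter alone.
    `userName` is assumed to be the LDAP uid.
    """
    return sorted({g["userName"] for g in grants if role_key in g.get("roleKeys", [])})


def fetch_role_members(api_base: str, token: str, org_id: str,
                       project_id: str, role_key: str) -> list[str]:
    """Page through ListUserGrants and return every username holding role_key.

    Network helper (not run offline); needs a service-user or PAT token with
    read access to the project's grants. Header name is assumed.
    """
    members: set[str] = set()
    offset = 0
    while True:
        body = json.dumps(user_grants_request(project_id, role_key, offset)).encode()
        req = request.Request(
            f"{api_base}/management/v1/users/grants/_search", data=body, method="POST",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json",
                     "x-zitadel-orgid": org_id},
        )
        with request.urlopen(req, timeout=10) as resp:
            page = json.load(resp).get("result", [])
        members.update(group_members(page, role_key))
        if len(page) < PAGE_SIZE:
            return sorted(members)
        offset += len(page)


# Constructed sample page shaped like a ListUserGrants result (not real data).
SAMPLE_GRANTS = [
    {"userId": "1", "userName": "alice", "roleKeys": ["admin", "reader"]},
    {"userId": "2", "userName": "bob", "roleKeys": ["reader"]},
    {"userId": "3", "userName": "carol", "roleKeys": ["admin"]},
]


def posix_group_entry(project_id: str, role_key: str, grants: list[dict]) -> dict:
    """Attributes of a posixGroup entry for one project role."""
    return {
        "cn": role_key,
        "gidNumber": gid_for_role(project_id, role_key),
        "memberUid": group_members(grants, role_key),
    }


if __name__ == "__main__":
    print(json.dumps(posix_group_entry("proj-1", "admin", SAMPLE_GRANTS), indent=2))
```

The hash-derived gid trades one property for another: it needs no database and gives identical numbers on every proxy instance, but renaming a role key changes its gid, so anything that stores gidNumbers (file ownership, sudoers) would have to be migrated. If role keys are expected to change, a persisted key-to-gid table is the alternative; either way, run the collision check over the full role list before serving a group.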
