LDAP Integration

While you use Pincette in the cloud on pincette.net, you can still keep authentication and authorization on your own premises. This way you don't have to expose your authentication infrastructure to the Internet, and you keep managing users and groups internally.

All you need to do is install two free components inside your network. The first one is the authentication and authorization server (AAS). It must be reachable from the Internet over HTTPS. All it does is implement a couple of mechanisms that wire your Pincette domain in the cloud to your internal LDAP server, e.g. Active Directory, which stays invisible to the Internet.

The simplest mechanism is HTTP basic authentication. When a client issues a request with basic credentials, Pincette's authenticator checks them by accessing a fixed protected URL on the AAS with those same credentials. The AAS in turn checks them against the LDAP server. If that request succeeds, the credentials are valid. Note that with this mechanism the username and password pass through pincette.net on every request, so both the client-to-Pincette and the Pincette-to-AAS hop must use HTTPS.

A second mechanism uses OAuth 2.0. When the client requests a protected Pincette resource without any credentials, Pincette's authenticator acts as an OAuth 2.0 client of the AAS: it asks for permission to call the username web service, which is part of the AAS. This triggers a login sequence at the AAS. Once the username service can be called successfully with the resulting access token, Pincette's authenticator is certain of the user's identity. It then starts tracking the user and uses the access token to re-verify the user at regular intervals.

A third option is to let the client itself act as an OAuth 2.0 client of the AAS. It asks for permission to access Pincette on behalf of the user. Pincette's authenticator sees this through the access token that is sent along with each request and verifies that token with the AAS, so a token the AAS no longer recognises is rejected.
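The three mechanisms above share one decision point: what the authenticator does with the Authorization header of an incoming request. The following added example (not Pincette's code, and the AAS is an in-process stand-in with an assumed interface) dispatches a request the way the text describes: Basic credentials are handed to the AAS, which binds against the directory; a Bearer token is verified with the AAS; no credentials at all start the OAuth 2.0 login sequence with the username scope. The directory, the AAS endpoints, the client registration and the user DN layout are all constructed assumptions. The example also covers a pitfall the AAS side must handle: many LDAP servers accept an empty password as an anonymous "unauthenticated bind" (RFC 4513, section 5.1.2), so an AAS that forwards an empty password to the bind would report success for any username.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Optional, Union
from urllib.parse import urlencode

# Constructed stand-in for the on-premises directory: DN -> password.
# The real AAS would perform an LDAP simple bind against the LDAP server.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=org": "hunter2",
}


def simple_bind(dn: str, password: str) -> bool:
    """Mimics an LDAP server that permits unauthenticated binds: an empty
    password 'succeeds' as an anonymous bind, not as proof of identity."""
    if password == "":
        return True
    return FAKE_DIRECTORY.get(dn) == password


class FakeAAS:
    """In-process stand-in for the AAS; the interface is assumed, not Pincette's."""

    def __init__(self) -> None:
        self.tokens: dict[str, str] = {}  # live access token -> username

    def check_basic(self, username: str, password: str) -> bool:
        """What the fixed protected URL does: bind as the user with the password."""
        if not username or not password:
            return False  # never hand an empty password to the LDAP bind
        return simple_bind(f"uid={username},ou=people,dc=example,dc=org", password)

    def issue_token(self, username: str) -> str:
        """Token handed out after a successful OAuth 2.0 login sequence."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def verify_token(self, token: str) -> Optional[str]:
        """Token verification as Pincette sees it: a live token maps to a user."""
        return self.tokens.get(token)


@dataclass
class Authenticated:
    username: str


@dataclass
class Redirect:
    location: str


@dataclass
class Rejected:
    reason: str


# Assumed endpoint and client registration, not values from the page.
AAS_AUTHORIZE_URL = "https://aas.example.org/oauth/authorize"
CLIENT_ID = "pincette"
REDIRECT_URI = "https://pincette.net/oauth/callback"


def parse_basic(value: str) -> Optional[tuple]:
    """Decode 'Basic <base64(user:password)>'; reject anything malformed."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def authenticate(headers: dict, aas: FakeAAS) -> Union[Authenticated, Redirect, Rejected]:
    """Dispatch one request on its Authorization header, as the authenticator would."""
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":  # mechanism 1: forward the credentials to the AAS
        creds = parse_basic(value.strip())
        if creds is None:
            return Rejected("malformed Basic credentials")
        user, password = creds
        return Authenticated(user) if aas.check_basic(user, password) else Rejected("bad credentials")
    if scheme == "bearer":  # mechanism 3: verify the client's token with the AAS
        user = aas.verify_token(value.strip())
        return Authenticated(user) if user else Rejected("unknown or revoked token")
    if auth == "":  # mechanism 2: start the OAuth 2.0 login sequence at the AAS
        state = secrets.token_urlsafe(16)  # stored and compared again on the callback
        query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                           "redirect_uri": REDIRECT_URI, "scope": "username", "state": state})
        return Redirect(f"{AAS_AUTHORIZE_URL}?{query}")
    return Rejected(f"unsupported scheme: {scheme}")


def basic_header(user: str, password: str) -> str:
    """Build a Basic header, as a client would, for trying the flows above."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The empty-password guard lives in the AAS, not in Pincette's authenticator, because the AAS is the component that talks to the directory; a request such as `authenticate({"Authorization": basic_header("alice", "")}, aas)` is rejected even though the simulated directory would have accepted the bind.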

Pincette supports advanced access control lists, expressed in terms of users and groups. The second free component you have to install inside your network is the LDAP synchronization server. You give it one or more base DNs in the directory, and it pushes the names of all groups and users under them, together with the membership tree, to Pincette. It therefore needs outbound access to the Internet and read-only access to the LDAP server; since it initiates the connection to Pincette itself, nothing from the Internet needs to reach it.
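What "the membership tree" amounts to is easiest to see on a small directory. The following added example (not the synchronization server's code; the entry shapes, the groupOfNames schema and the output format are assumptions) builds the data such a server would push from entries read under the base DNs: the user and group names, each group's direct members, and the users each group effectively contains once nested groups are expanded. The sample entries are constructed and deliberately include a nested group written with different DN casing, a membership cycle, and a member DN that lies outside the synchronized bases, since all three occur in real directories and a naive walk either misses members or never terminates.

```python
from typing import Dict, List, Set

# Constructed entries, shaped like the result of an LDAP search under the
# configured base DNs (groupOfNames schema: groups list their members by DN).
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    {"dn": "cn=devs,ou=groups,dc=example,dc=org", "objectClass": ["groupOfNames"], "cn": ["devs"],
     "member": ["uid=alice,ou=people,dc=example,dc=org",
                "CN=ops,OU=groups,DC=example,DC=org"]},           # nested group, different casing
    {"dn": "cn=ops,ou=groups,dc=example,dc=org", "objectClass": ["groupOfNames"], "cn": ["ops"],
     "member": ["uid=bob,ou=people,dc=example,dc=org",
                "cn=devs,ou=groups,dc=example,dc=org",            # cycle: devs -> ops -> devs
                "uid=ghost,ou=people,dc=example,dc=org"]},        # dangling: not under a base DN
]


def norm_dn(dn: str) -> str:
    """DN attribute types (and most values) compare case-insensitively. Lowercasing
    and trimming is a simplification of full DN normalisation, but enough to join
    member references to the entries they point at."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def build_sync_payload(entries: List[dict]) -> dict:
    """Turn raw entries into what gets pushed: names plus the membership tree."""
    users: Dict[str, str] = {}          # normalised DN -> user name
    groups: Dict[str, str] = {}         # normalised DN -> group name
    direct: Dict[str, List[str]] = {}   # group DN -> member DNs as listed
    for e in entries:
        dn = norm_dn(e["dn"])
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "groupofnames" in classes:
            groups[dn] = e["cn"][0]
            direct[dn] = [norm_dn(m) for m in e.get("member", [])]
        elif "inetorgperson" in classes:
            users[dn] = e["uid"][0]

    def effective_users(group_dn: str) -> Set[str]:
        """Users reachable through nested groups; the seen set stops cycles."""
        seen: Set[str] = set()
        found: Set[str] = set()
        stack = [group_dn]
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in direct.get(g, []):
                if m in users:
                    found.add(users[m])
                elif m in groups:
                    stack.append(m)
                # anything else is a dangling reference: skipped here, worth logging
        return found

    membership = {}
    for g_dn, g_name in groups.items():
        membership[g_name] = {
            "users": sorted(users[m] for m in direct[g_dn] if m in users),
            "groups": sorted(groups[m] for m in direct[g_dn] if m in groups),
            "effective_users": sorted(effective_users(g_dn)),
        }
    return {"users": sorted(users.values()), "groups": sorted(groups.values()),
            "membership": membership}
```

Because of the cycle, `devs` and `ops` end up with the same effective users (`alice` and `bob`), while their direct membership stays distinct; `ghost` never appears, because only entries found under the base DNs become users or groups.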