LDAP & Discord
This document describes the process of bootstrapping users into our LDAP server via Discord. The creation of accounts is entirely automated and controlled by King Arthur.
Bootstrapping
- A user gains a role in Discord that requires LDAP access.
- King Arthur detects this role change and notifies the user to start the bootstrapping process.
- The user visits the
#ldapchannel and clicks the generate button, they are issued with a temporary password. - The user logs into Keycloak using their issued
@pydis.wtfaddress and the temporary password. - The user is prompted to change their password and update their profile, including email forwarding preferences.
As a sequence diagram, the process looks something like this:
sequenceDiagram
actor U as User
participant KA as King Arthur
participant KC as Keycloak
participant FIPA as FreeIPA
U->>KA: Gains LDAP enrolled role
KA->>U: Notifies user
U->>KA: Clicks generate in LDAP channel
KA->>FIPA: Creates user with temporary password
KA->>U: Issues temporary password
U->>KC: Logs in
KC->>U: Prompts for password change
U->>KC: Changes password
U->>KC: Updates profile
KC->>FIPA: Updates userSelf-Service Password Reset
Users can reset their LDAP password at any time by visiting the #ldap channel
in Discord and clicking the reset button. This will issue them with a new
temporary password in the same way the bootstrapping process does.
Continuous Synchronization
King Arthur continuously synchronizes user data between Discord and LDAP. This adds and removes users from group memberships as necessary.
If a user no longer has a role which requires LDAP access, King Arthur will deactivate their LDAP account.
The LDAP synchronization process runs every 10 minutes, or whenever a role change is detected on a staff account.
You can view what King Arthur is attempting to synchronize by running the M-x
ldap sync command, which will return a diff of users to add, remove, or update.