Hi - Would it be possible to have AD authentication for Pihole. I’d like users to be able to log-in with their AD user/pass and perform whatever changes and changes should be logged. If you need a test AD server, I can spin a lab pihole and AD server. I use pihole at home (I have an AD server) but I also think this will benefit enterprise users. I tried taking a stab at it myself, but i’m not the best at programming
What are the benefits you expect from such an implementation?
You might have seen that we don’t support multiple users at this time and we, technically, cannot support different blocking for different clients. Hence, I don’t think that logging in on a per-user basis is a good idea as it might give the wrong suggestion that changes applied here only affect the current user while they actually affect anyone using this Pi-hole!
I think this is a good argument against such an implementation and for, either, a central management, or a shared login password where everyone is aware of the shared settings nature.
Yeah. I’m aware, but if you were to support lets say LDAP/AD auth, put your shoes in a sysadmins job. If someone whitelists something or blacklists something that shouldn’t be blacklisted, you’d want to know who that person is and hold them accountable. But, I also see where you’re coming from. I would think a simple popup with a message noting that this is “network” wide would cover that issue. Also, you wouldn’t want pihole open to everyone, you’d need basically a AD group that has permissions. Throwing things out here like co-sysadmins, network engineers, helpdesks, etc.
Edit: Have you heard of the AAA? Authentication, Authorization, and Accounting? Good companies follow this model to the T and with AD/LDAP auth with group search and logging you would cover all 3. Found this that explains it good: https://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting
Oh, Also…I do have a working piece of code for AD auth and group search that works well with PHP. I just couldn’t figure out how the form submission was done in the code and where to store the AD stuff. Let me know if you want it…would be glad to send it to you.