LDAP as user backend and OIDC as IP

Ralf, 2 years ago

So I saw Traccar supports both LDAP and OIDC/SSO; however, from the documentation I can't understand whether you can use both, LDAP as user backend and OIDC only as IP, or not.
The reason why you'd want to do such a thing is that the OIDC implementation of Traccar, like many others, works like this (quoted from the documentation): If a user is found with a matching email, they are authenticated; if not, a new user is created. That means deleted accounts won't be removed from Traccar; in fact, Traccar won't ever know an account was deleted. That is not Traccar's fault; afaik deleting accounts is not part of OIDC, because that's not what it was made for. The idea behind OIDC is that you only have to sign in once to access all your services, and at that, OIDC does a great job. User management is something we have other protocols to take care of, like LDAP. And by combining the two, you get good user management through LDAP and SSO through OIDC, which then works only as identity provider.
Sometimes that is possible, sometimes not; I don't think there is a standard that describes how the two are supposed to be used together, that's left to the developers who implement them. (In Nextcloud, for example, you connect LDAP, log in to your account in Nextcloud and add OpenID as a social login.)
The reason why I think this could work in Traccar too is that the same quote from before also says this:
If a user is found with a matching email, they are authenticated, if not a new user is created
Meaning, if the authentication is handled like this and not with some special IDs like in Nextcloud, it should be possible to have LDAP as user backend and OIDC for authentication, because the emails are easy to check against each other, without a special configuration to let OIDC know that there is an LDAP user backend and the other way around (I don't know if this is the best way to do this, but it definitely would work in theory).
So my question mainly is this: can I do this, can I use LDAP as user backend and OIDC as identity provider?
Also, if you think this is a bad idea, please tell me why you think so, and if it's a good idea but not implemented or possible, is there a way to get there?
And if it's possible, can I disable automatic account creation through OIDC if there is no account matching the email?

Anton Tananaev, 2 years ago

Traccar never creates any users in LDAP or OID. Both LDAP and OID are basically used for the same thing, so it doesn't make sense to use them together, at least the way it's implemented currently. In either case Traccar creates an internal user account in the system. It cannot use an external database for user management, if that's what you're trying to achieve, but I'm not 100% sure I understand what you're trying to do.

Ralf, 2 years ago

I understood that Traccar links the users to LDAP or OIDC users but still creates them internally, but when using LDAP, will a user that's no longer found on the LDAP server not be deleted or something in Traccar?
Because that's why I want to use LDAP for user management, even when the backend is the internal one in traccar.
That's what the idea was ^^

Anton Tananaev, 2 years ago

Traccar won't delete anything automatically, but if the user is deleted in LDAP or OIDC, you won't be able to log in, obviously. So the behavior is the same for both.

Ralf, 2 years ago

Oh, I see, thanks
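As an added example (not Traccar's code and not written by the thread's participants), here is a small Python model of the login rule quoted in the opening post and of the audit step Anton's reply says Traccar does not do: finding internal accounts whose email no longer exists in the directory. The `allow_create` switch the opening post asks for and all sample data are constructed for illustration and are not Traccar options.

```python
"""Constructed model of the login rule quoted in the thread and of the
account audit Traccar does not do. Not Traccar code; all data is made up."""
from dataclasses import dataclass, field


def normalize_email(email: str) -> str:
    # The email is the only link between the IdP, LDAP and the internal account,
    # so compare it case-insensitively and ignore stray whitespace.
    return email.strip().lower()


@dataclass
class InternalUsers:
    """Internal user table keyed by normalized email."""
    users: dict = field(default_factory=dict)
    allow_create: bool = True  # hypothetical switch from the question; not a Traccar option

    def oidc_login(self, email: str, name: str):
        """Quoted rule: matching email -> authenticated; otherwise a user is created.
        Returns (status, user) where status is 'matched', 'created' or 'rejected'."""
        key = normalize_email(email)
        if key in self.users:
            return "matched", self.users[key]
        if not self.allow_create:
            return "rejected", None
        self.users[key] = {"email": key, "name": name}
        return "created", self.users[key]

    def orphaned(self, directory_emails):
        """Internal accounts whose email no longer exists in the directory.
        Traccar keeps these; only the upstream login fails, so an admin
        has to find and disable them explicitly."""
        live = {normalize_email(e) for e in directory_emails}
        return sorted(k for k in self.users if k not in live)


def run_scenario():
    """Constructed sample: two IdP logins, then Bob is removed from LDAP."""
    store = InternalUsers()
    store.oidc_login("Alice@Example.com", "Alice")
    store.oidc_login("bob@example.com", "Bob")
    ldap_after_removal = ["alice@example.com"]  # Bob deleted upstream
    return store.orphaned(ldap_after_removal)


if __name__ == "__main__":
    print(run_scenario())  # ['bob@example.com']
```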