This is something I’d really like to do, especially after learning that SIPB (MIT’s OCF equivalent) has done this.
While I don’t expect deploying Mastodon itself to be difficult, we need to figure out a way to handle user login authentication. Here’s a survey of the different methods I’ve seen used at the OCF:
- Apache’s Kerberos integration (RT does this)
- nginx’s auth_pam module (Discourse and Marathon admin use this)
- password_matches command, which calls out to the kinit (Kerberos) command (ocfweb uses this)
The first two use HTTP authentication, which I’d expect to not work well with Mastodon, which wants to show its own username/password forms. The last one probably wouldn’t work either since we can’t use ocflib.
This requires some more investigation into Mastodon’s options for auth (I found this thread). We might need to use their LDAP integration, which means we will have to figure out how to set that up on our end. LDAP auth is notoriously difficult. I only have some low-confidence ideas for how to get it to work. We might need another thread for discussing that.
(EDIT from much later: I finally figured out how to get LDAP integration working, so it should be possible to use Mastodon’s LDAP support)