GNU social JP
GNU social JP is a GNU social server based in Japan.
Conversation

Notices

  1. silverwizard (silverwizard@convenient.email)'s status on Tuesday, 15-Nov-2022 23:33:56 JST
    Anyone have any advice for a #HomeLab #LDAP server?

    I think I am getting to the point that I want my local resources to have SSO.

    I'd especially appreciate advice on having two endpoints so that I can have failover easily enabled.
    • Steve Lord (stevelord@bladerunner.social)'s status on Tuesday, 15-Nov-2022 23:44:11 JST

      @silverwizard maybe integrate openldap with something like keycloak? It's a bit of a faff but it means you get proper SSO out of it and anything LDAP only can fall back to LDAP.
    • silverwizard (silverwizard@convenient.email)'s status on Tuesday, 15-Nov-2022 23:49:11 JST
      in reply to Steve Lord

      @stevelord not sure what the main use of keycloak in the stack is based on a few seconds of reading.
    • silverwizard (silverwizard@convenient.email)'s status on Wednesday, 16-Nov-2022 00:38:30 JST
      in reply to Steve Lord

      @stevelord Oh! Sure, that makes sense!

      That definitely is a good frontend for if things in my stack don't LDAP, but I think most of them do. But good tip.
    • Steve Lord (stevelord@bladerunner.social)'s status on Wednesday, 16-Nov-2022 00:38:31 JST

      @silverwizard Keycloak handles OIDC, SAML etc., which is the SSO bit. If you don't have services that use those and LDAP is fine, just stick with OpenLDAP.
    • silverwizard (silverwizard@convenient.email)'s status on Wednesday, 16-Nov-2022 02:37:38 JST
      in reply to Matt Knight

      @mattknight Really?! Gitea as auth provider, eeeeeeh? Considering git.obscuritus.ca, that might be useful!

    • Matt Knight (mattknight@mastodon.online)'s status on Wednesday, 16-Nov-2022 02:37:40 JST

      @silverwizard my very basic system uses Gitea as an auth provider. Works with some services like Drone and Outline. Not sure if that helps at all, but it's simple.
    • Matt Knight (mattknight@mastodon.online)'s status on Wednesday, 16-Nov-2022 03:01:27 JST

      @silverwizard indeed! Worth exploring if it would satisfy your needs at least, especially if you have an existing instance already running!
    • silverwizard (silverwizard@convenient.email)'s status on Wednesday, 16-Nov-2022 03:02:04 JST
      in reply to Matt Knight

      @mattknight This is why I ask people things!
    • silverwizard (silverwizard@convenient.email)'s status on Wednesday, 16-Nov-2022 09:53:30 JST
      in reply to projectdp and M. Hamzah Khan

      @mhamzahkhan @projectdp I mean, any SSO would be a headache. More than OpenLDAP or anything else?

      My headache tolerance is shockingly high, to be clear.
    • M. Hamzah Khan (mhamzahkhan@intahnet.co.uk)'s status on Wednesday, 16-Nov-2022 09:53:31 JST
      in reply to projectdp

      @projectdp @silverwizard I'm using #FreeIPA in my #homelab. It works, but it can sometimes be a bit of a headache to maintain.
    • projectdp (projectdp@infosec.exchange)'s status on Wednesday, 16-Nov-2022 09:53:32 JST
      in reply to Matt Knight

      @silverwizard @mattknight I haven't tried these but have been meaning to: https://glauth.github.io/ and https://www.freeipa.org/
    • projectdp (projectdp@infosec.exchange)'s status on Wednesday, 16-Nov-2022 10:25:02 JST
      in reply to M. Hamzah Khan

      @mhamzahkhan @silverwizard That's good to hear about Keycloak; I do want to try it out. What part about FreeIPA was annoying to maintain?
    • M. Hamzah Khan (mhamzahkhan@intahnet.co.uk)'s status on Wednesday, 16-Nov-2022 10:25:03 JST
      in reply to projectdp

      @projectdp @silverwizard I'm using Keycloak with FreeIPA at the moment.

      I like Keycloak. It just sits there and quietly does its thing with very little TLC from me.
    • projectdp (projectdp@infosec.exchange)'s status on Wednesday, 16-Nov-2022 10:25:05 JST
      in reply to M. Hamzah Khan

      @silverwizard @mhamzahkhan You could also look into Keycloak + (Open)LDAP for an SSO option. I'm thinking you could also run FreeIPA LDAP and set up Keycloak with that for a decent SSO setup for your lab.

      I'm still looking into options myself. There are a bunch of ways to do the internet-to-homelab proxying with solid SSO and security throughout, and I haven't found out what works best for me quite yet. Part of it is doing a proper implementation of ZeroTrust principles throughout the entire process.
    • M. Hamzah Khan (mhamzahkhan@intahnet.co.uk)'s status on Wednesday, 16-Nov-2022 10:26:14 JST

      @silverwizard I don't want to make it sound like it's not a stable product.

      It definitely is. I've used it in a number of larger companies I've worked at. But for a homelab environment, in my experience, it's not something that can just be set up and left to run in the background. It needs a lot of caressing (and monitoring).
    • M. Hamzah Khan (mhamzahkhan@intahnet.co.uk)'s status on Wednesday, 16-Nov-2022 10:26:15 JST

      @silverwizard It's more of a headache than just OpenLDAP. FreeIPA has a lot of different components. It does LDAP, Kerberos, PKI, and DNS.

      I currently have my FreeIPA domain set up with 3 IPA replicas. I've had instances where I had to resolve LDAP replication issues, or certificates and tokens for FreeIPA's internal services not renewing correctly.
    • silverwizard (silverwizard@convenient.email)'s status on Wednesday, 16-Nov-2022 10:26:44 JST
      in reply to projectdp and M. Hamzah Khan

      @mhamzahkhan @projectdp Cool, thanks both so much!
    • M. Hamzah Khan (mhamzahkhan@intahnet.co.uk)'s status on Wednesday, 16-Nov-2022 10:27:44 JST
      in reply to projectdp

      @projectdp FreeIPA does a lot of certificate and Kerberos ticket renewals automatically in the background for its own internal services. I've had a few problems when those renewals occur, which required manual intervention.

      But the biggest one I've had is LDAP replication conflicts. I'm fairly certain that this is because the VPN connection between my IPA replicas is a bit crap, but I've also experienced this issue at work before as well.
    • Balaji Dutt (balaji@social.linux.pizza)'s status on Wednesday, 16-Nov-2022 21:56:42 JST

      @silverwizard Authentik aims to be a one-stop solution, as it comes with LDAP built in plus OIDC. That said, it's fairly unproven in larger deployments, so the code isn't battle tested unlike, say, FreeIPA. Lots of folks use it in #homelab and are happy with it. Personally I've got FreeIPA set up and will be deploying authentik later.
    • Nikolay Volosatov (bamx23@mstdn.bx23.net)'s status on Wednesday, 16-Nov-2022 21:57:09 JST

      @silverwizard it's not an LDAP, but have you looked at Authelia? Authentication happens on the reverse proxy side. I even disabled auth for some of my services in favor of auth headers provided by the Authelia middleware in Traefik. I.e. Grafana works with them.
    • Seth Grover (mmguero@infosec.exchange)'s status on Wednesday, 16-Nov-2022 21:57:34 JST

      @silverwizard for my somewhat simple setup I used #openldap for a while, but it was honestly overkill. I found #glauth and that has fit the bill nicely for me. I don't have any experience with HA/failover for it though.
    • ismirnov (ismirnov@sysad.ninja)'s status on Tuesday, 22-Nov-2022 08:22:33 JST

      @silverwizard From what I've seen online, people seem to be running FreeIPA (https://www.freeipa.org/page/Main_Page). Deploy either on proxmox or using their docker image.
    • silverwizard (silverwizard@convenient.email)'s status on Tuesday, 22-Nov-2022 08:22:33 JST
      in reply to ismirnov

      @ismirnov Yeah, this seems super Linux-centric, but thanks for the tip; maybe it'll run more portably than that.

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.