Is there any service that will speak LDAP but just respond with the local UNIX users?
Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.
I noticed that a lot of services support LDAP auth, but I don’t want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).
The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.
(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)
I think you’re missing the point of LDAP then. It’s a centralized directory used for querying information. It’s not necessarily about user information, but can be anything.
What you’re asking for is akin to locally hosting a SQL server that other machines can talk to? Then it’s just a server. Start an LDAP server somewhere, then talk to it. That’s how it works.
If you don’t want a network service for this purpose, then don’t use LDAP. If you want a bunch of users to exist on many machines without having to manually create them, then use LDAP, or a system configuration tool that creates and keeps them all eventually consistent.
What’s wrong with LDAP for users? (I’m trying to think of a negative, and can’t).
Yet another service to maintain. If the server is crashing you can’t log in, so you need backup UNIX users anyways.
You need backup local admin accounts, not Backups for each user.
Which is how enterprise does things. There are local accounts with root access, but the id’s and passwords are tightly controlled.
Then you don’t understand how it works with local auth services.
Would you mind educating us plebs then? I had a similar question to op, and I can assure you, I definitely don’t understand local auth services the way I probably should.
Your local auth services are configured to use LDAP as a source, whatever your local auth mechanism is checks credentials, and then you’re auth’d or not. Some distros have easy to use interfaces to configure this, some don’t, but mostly it’s just configuring pam.d (for Linux), and a caching daemon of some sort to keep locally cached copies of the shadow info so you can auth when the LDAP server can’t be contacted (if you’ve previously authenticated once). You can set up many different authentication sources and backends as well, and set their preferences, restrictions, options…etc.
RHEL/Fedora examples: https://www.redhat.com/sysadmin/pam-authconfig
Debian examples: https://wiki.debian.org/LDAP/PAM
Against which regular user database?
Look into Single Sign-On services (SSO) like Authelia, Authentik, or KeyCloak. Most SSO tools do the sorts of things you’re looking for. Some will talk to the native UNIX user store. I do agree with the others, though: if you’re this far along, then it’s time to spin up LDAP and SSO, but this might be the same tool in your case.
But the problem is that most self-hosted apps don’t integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.
They actually do, i am down the same path recently and installing authelia was the best choice I made. Still working on it.
But most stvies support either basic auth, headers auth, oidc or similar approaches. Very few don’t.
How are you configuring this? I checked for Jellyfin and their are third-party plugins which don’t look too mature, but none of them seem to work with apps. qBittorrent doesn’t support much (actually I may be able to put reverse-proxy auth in front… I’ll look into that) and Metabase locks SSO behind a premium subscription.
IDK why but it does seem that LDAP is much more widely supported. Or am I missing some method to make it work
You might use LDAP, but its total overkill.
I have not yet worked jellyfin with authelia, but its more or less the last piece and I don’t really care so far if its left out.
A good reverse proxy with https is mandatory, so start with that one. I mean, from all point of views, not login.
I have all my services behing nginx, then authelia linked to nginx. Some stuff works only with basic auth. Most works with headers anyway, so natively with authelia. Some bitches don’t, so I disable authelia for them. Annoying, but I have only four users so there is not much to keep in sync.
I do use a reverse proxy but for various reasons you can’t just block off some apps. For example if you want to play Jellyfin on a Chromecast or similar, or PhotoPrism if you want to use sharing links. Unfortunately these systems are designed around the built-in auth and you can’t just slap a proxy in front.
I do use nginx with basic with in front of services where I can. I trust nginx much more than 10 different services with varying quality levels. But unfortunately not all services play well.
Are you looking for something like cached credentials?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters HTTP Hypertext Transfer Protocol, the Web SSO Single Sign-On nginx Popular HTTP server
2 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #956 for this sub, first seen 8th Sep 2024, 13:25] [FAQ] [Full list] [Contact] [Source code]
deleted by creator
I use NixOS.
Meaning what?
NixOS makes it very easy to declaratively configure servers. For example the users config to manage UNIX users: https://nixos.org/manual/nixos/stable/options#opt-users.users
That’s not much of an answer, I’m not reading docs because you can’t be bothered. I don’t use NixOS, so if you want to use that as an example, you’ll need to put in the effort to explain how it’s different.
If you don’t want to use LDAP, don’t. Then you get to manage each user account on each device.
To be frank, it seems like you have an adversarial attitude about this, and you think NixOS is the answer. Every one of your responses has been “but” whatever. You don’t seem like you want to understand how to use things, just complain it doesn’t work the way you think it should.
