• 0 Posts
  • 31 Comments
Joined 1 year ago
cake
Cake day: June 13th, 2023

help-circle
  • Exactly. I don’t know if the AIO image was used and how that all works (I stay away from that and the snap which is just an abomination) but no one should try to selfhost anything for prod unless they know exactly how it works. That and have a staging env. If you’re not up to the task then just pay for some commercial hosting (even if it’s just Nextcloud that is hosted elsewhere.)

    I’ve run the nextcloud image (just docker.io/nextcloud IIRC) pinned for years with k8s and it’s durable and fine. It stays put and I just take the time to update my testing instance, make sure it all works with some cheap smoke tests, then upgrade prod.













  • 0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "displayname" Equality was not found. YOU MUST REINDEX YOUR DATABASE
    0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "name_history" Equality was not found. YOU MUST REINDEX YOUR DATABASE
    0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "jws_es256_private_key" Equality was not found. YOU MUST REINDEX YOUR DATABASE
    

    I had to drop it for a few days. I got that at some point though. It’s all brand new so I wouldn’t know why. Seems a bit rough around the edges so far. I’ll try to reindex and attempt again. I really want this to be the product I use since it’s a nice AIO solution but we’ll see.

    Edit:

    [~]$ podman run --rm -i -t -v kanidm:/data \
        kanidm/server:latest /sbin/kanidmd reindex -c /data/server.toml
    error: unrecognized subcommand 'reindex'
    

    Phew boy. Straight from the docs. Same with the vacuum command.

    Looks like the docs need updated to specify the command is kanidm database reindex -c /data/server.toml

    And further upon trying to login…

    300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     handle_request [ 188µs | 0.00% / 100.00% ]
    300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     ┕━ request [ 188µs | 72.94% / 100.00% ] method: GET | uri: /v1/auth/valid | version: HTTP/1.1
    300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO        ┝━ handle_auth_valid [ 50.8µs | 25.54% / 27.06% ]
    300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO          ┝━ validate_client_auth_info_to_ident [ 2.85µs | 1.51% ]
    300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN            ┕━ 🚧 [warn]: No client certificate or bearer tokens were supplied
    300e55b7-e30a-42a5-ac3e-ec0e69285605 ERROR         ┕━ 🚨 [error]: Invalid identity: NotAuthenticated | event_tag_id: 1
    300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN        ┕━ 🚧 [warn]:  | latency: 204.504µs | status_code: 401 | kopid: "300e55b7-e30a-42a5-ac3e-ec0e69285605" | msg: "client error"
    

    I think I’m gonna have to just nuke it and start fresh but yeah, this is not a great first impression at all.




  • Does this do it all? It seems that it holds all your users like LDAP and can auth that way too. But it can also do simple oidc integrations too? Basically just want to see if it is the all in one. Looks like it does which is why i wonder why you use oauth2-proxy in addition.

    I’ve otherwise been trailing keycloak/authelia as the oidc portion and lldap/freeipa as the ldap Backend that actually holds the users. Would love to simplify if possible.