I have a lot of different services which I self host for me and my family like:
PeerTube
Lemmy
Mastodon
Synology NAS
TTRSS
NextCloud
Matrix
HomeAssistant
etc.
Right now every family member needs to create a user on each of those services and have a different password on them, which is OK when you use a Password Manager, but most of my extended family members don’t. And they often forget their password and stop using the service because they can’t figure out how to reset the password with each and every service.
I would like to try to consolidate all of it with a Single Sign-On (SSO) solution but It’s not obvious to me if there is one which is not overly over engineered for hundreds of thousands of users but small and lightweight, perhaps even easy to set up.
I tried OpenLDAP but Jesus that was very involved.
Personally using Dex, it’s about as lightweight as you can get, it can be configured with a single configuration file on disk, and it runs entirely stateless as well.
It only deals with authentication delegation though, unlike larger systems like Keycloak.
I started trying out FusionAuth and it’s been pretty neat. I off-load my auth to Google because I don’t want yet another username/password nor do I want to be responsible in storing it, but you can certainly use built-in auth if your objective is to stop using external auth. I currently have my Kasm Workspace deployed behind it, so when user lands on Kasm, they get bounced to FusionAuth where there’s a login prompt and Login w/ Google button; when they authenticate (be it through built-in auth or Google in my case), they get bounced back to Kasm Workspace in their account. This was deployed using docker compose, so I just annotate containers I want to protect w/ some labels, traefik handles all the glue work. I really like the way it worked out.
I’d imagine something like Authelia, which gets pushed a lot as well, would be able to offer a similar if not identical workflow.
For Lemmy, at this time, I don’t think it is possible to gate it like that, otherwise inbound federation (i.e.: comment replies to this post) won’t make it into your instance.
I use Authelia with lldap and it’s pretty straightforward to setup. Once Authelia is up and running, it’s quite nice managing users and groups through the lldap interface
I started integrating Authentik lately based on seeing people recommend it.
It has pretty steep learning curve. I had to follow tutorials and even then each integration have its own quirks. I got stuck on integrating my internal e-mail server with ldap provider (via authentik). It’s definitely capable but it’s a project to integrate all services.
Other SSO options are just a tough if not more complex than authentik. If you use docker and are self hosting, this is a great option. Provides basically every SSO option to connect all your services, especially if you combine it with a good reverse proxy like traefik to provide SSO to simple webapps.
If you are setting up a self hosted infrastructure and have some experience, I highly recommend checking out techno Tim’s “ssl everywhere” video for wild card ssl with traefik and then combine that with authentik for SSO with both local only and internet accessible apps.
+1 for Authentik! It definitely has a steep learning curve, but once you get comfortable with it, it’s really versatile. The integration docs have tons of walkthroughs for setting up Authentik with different apps which is epecially helpful when getting started.
Might not be quite what you want, but if you just need to block all access to everything unless logged in, then integrating a hosted SSO into your ingress is a simple, low management option.
I’ve been using an old trafeik setup with Google’s SSO, whitelisting certain accounts, and had no problems with it for years.
Keycloak is decent. It has its own built in user database, or it can connect to an “upstream” idp like AD, GitHub, google, fb, basically anything that speaks openid or SAML. Then, it can act as an idp to each service you run. It is a bit of a chore to configure, but compared to other SSO servers it’s pretty good (looking at you shibboleth)
Following since I’m new to Lemmy and not sure how to or even if I can save a post. I too am looking for something. I spun up authentik but was quickly overwhelmed with what to do after that, lol. I made it as far as logging in then got…lost no matter what tutorials I tried to follow.
I’ve found Zitadel to be the best open source Oauth2 provider. It also supports terraform for a fully IaC approach to declaring your users and their permissions.
I can only support that. This is what I am running for my small business as well and it’s been super smooth for roughly a year now!
Especially self service and auto-registering based on domain names turned out to be really nice features (for a business).
In my homelab I just enjoy having a nice ui.
I tried OpenLDAP but Jesus that was very involved.
OpenLDAP is easy :) Once you understand LDAP concepts.
Check this and read through the tasks/ directory (particularly openldap.yml and populate.yml. It sets up everything needed for an LDAP authentication service (if you don’t use ansible you can still read what the tasks do and you should get a pretty good understanding of what’s needed, if not let me know).
In short you need:
slapd (the OpenLDAP server)
set up a base LDAP directory structure (OUs/Organizational Units, I only use 3 OUs: system, users and groups)
an admin user in the LDAP directory (mine is admin directly at the base of the LDAP directory)
(optional but recommended) a so-called bind user in the LDAP directory (unvprivileged account that can only list/read users/groups) (mine is bind under the system OU)
(optional) groups to map users to their roles (e.g. only users in access_jellyfin are allowed to login to jellyfin)
actual user accounts, member of one or more groups if needed
When you login to an application/service configured to use the LDAP authentication backend, it connects to the LDAP directory using the bind user credentials, and checks that the user exists (depending on how you configured the application either by name, uid, email…) , that the password you provided matches the hash stored in the LDAP directory, optionally that the user is part of the required groups. Then it allows or denies access.
There’s not much else to it:
you can also do without the bind account but I wouldn’t recommend it (either configure your applications to use the admin user in which case they have admin access to the LDAP directory… not good. Or allow anonymous read-only access to the LDAP directory - also not ideal).
slapd stores its configuration (admin user/password, log level…) inside the LDAP directory itself as attributes of a special entity (cn=config), so to access or modify it you have to use LDIF files and the ldapadd/ldapmodify commands, or use a convenient wrapper like the ansible modules tools used above.
once this is set up, you can forget LDIF files and use a web interface to manage contents of the LDAP directory.
OUs and groups are different and do not serve the same purpose, OUs are just hierarchical levels (like folders) inside your LDAP tree. groups can contain multiple users/users can have multiple groups so they’re like “labels” without a notion of hierarchy. You can do without OUs and stash everything at the top level of the directory, but it’s messy.
users (or other entities) have several attributes (common name, firstname, lastname, email, uid, password, description… it can contain anything really, it’s just a directory service)
LDAP is hierarchical by nature, so user with Common Name (CN) jane.doe in OU users in the directory for domain example.org has the Distinguished Name (DC) cn=jane.doe,ou=users,dc=example,dc=org. Think of it like /path/to/file.
to look for a particular object you use filters which are just a search syntax to match specific entities (object classes) (users are inetOrgPersons, groups are posixGroups…) and attributes (uid, cn, email, phonenumber…). Usually applications that support LDAP come with predefined filters to look for users in specific groups, etc.
I’d suggest something like Keycloak or earning the wizard robe and beard by buckling down and learning OpenLDAP. The biggest suggestion that I have though is to have a disaster recovery plan for even your auth system goes down. Don’t be like Facebook and lock yourself out without any hope of regaining entry (or, if you’re a fan of Russian Roulette, do).
I’m still trying to cover up with a good one to allow more self-hosting. Probably a SHTF security key kept in a safe that can be used with physical access.
My “plan” is to SSH in and figure out what’s wrong.
The problem here being that you have a circular dependency:
SSH auth requires OpenLDAP/Keycloak
SSH access is required to fix broken OpenLDAP/Keycloak
My SSH auth uses SSH keys stored in
authorized_keys, but I see your point. For me, OpenLDAP will be letting users in to the various services and SSH is outside that. I suppose SFTP could be something I want, but I’d be tempted to put a new sshd inside a container and have it more restricted than the system one.
I think the backup key idea is definitely the most broadly applicable, but there’s physical/KVM for a more old school access route.
That makes sense. I like the idea of combining physical key with physical/KVM access so that there is no password auth (at least, not without a second factor).
Same. I still use Kerberos, but I use kinit manually when I want to authenticate. It does force me to type the password more often but the benefits outweigh that.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
Personally using Dex, it’s about as lightweight as you can get, it can be configured with a single configuration file on disk, and it runs entirely stateless as well.
It only deals with authentication delegation though, unlike larger systems like Keycloak.
https://github.com/lldap/lldap is nice and easy.
I started trying out FusionAuth and it’s been pretty neat. I off-load my auth to Google because I don’t want yet another username/password nor do I want to be responsible in storing it, but you can certainly use built-in auth if your objective is to stop using external auth. I currently have my Kasm Workspace deployed behind it, so when user lands on Kasm, they get bounced to FusionAuth where there’s a login prompt and Login w/ Google button; when they authenticate (be it through built-in auth or Google in my case), they get bounced back to Kasm Workspace in their account. This was deployed using docker compose, so I just annotate containers I want to protect w/ some labels, traefik handles all the glue work. I really like the way it worked out.
I’d imagine something like Authelia, which gets pushed a lot as well, would be able to offer a similar if not identical workflow.
For Lemmy, at this time, I don’t think it is possible to gate it like that, otherwise inbound federation (i.e.: comment replies to this post) won’t make it into your instance.
At the moment I only use lldap. I’ll probably add Authelia at some point …
I use Authelia with lldap and it’s pretty straightforward to setup. Once Authelia is up and running, it’s quite nice managing users and groups through the lldap interface
I use keycloak. Pretty steep learning curve, but once properly set up, it can do pretty much anything.
But if you’re in a pinch, NextCloud can act as an OIDC auth provider out of the box.
Damn, what does Nextcloud NOT do ?
What. That’s amazing!
Oh, I did not know that, I’ll have a look, thanks!
Here is the documentation, pretty bare though: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html
I started integrating Authentik lately based on seeing people recommend it. It has pretty steep learning curve. I had to follow tutorials and even then each integration have its own quirks. I got stuck on integrating my internal e-mail server with ldap provider (via authentik). It’s definitely capable but it’s a project to integrate all services.
Other SSO options are just a tough if not more complex than authentik. If you use docker and are self hosting, this is a great option. Provides basically every SSO option to connect all your services, especially if you combine it with a good reverse proxy like traefik to provide SSO to simple webapps.
If you are setting up a self hosted infrastructure and have some experience, I highly recommend checking out techno Tim’s “ssl everywhere” video for wild card ssl with traefik and then combine that with authentik for SSO with both local only and internet accessible apps.
+1 for Authentik! It definitely has a steep learning curve, but once you get comfortable with it, it’s really versatile. The integration docs have tons of walkthroughs for setting up Authentik with different apps which is epecially helpful when getting started.
I really like Authentik after using keycloak for quite a while.
How would you compare it ?
Might not be quite what you want, but if you just need to block all access to everything unless logged in, then integrating a hosted SSO into your ingress is a simple, low management option.
I’ve been using an old trafeik setup with Google’s SSO, whitelisting certain accounts, and had no problems with it for years.
Keycloak is decent. It has its own built in user database, or it can connect to an “upstream” idp like AD, GitHub, google, fb, basically anything that speaks openid or SAML. Then, it can act as an idp to each service you run. It is a bit of a chore to configure, but compared to other SSO servers it’s pretty good (looking at you shibboleth)
Lol, our main initiative at work right now is migrating our on prem auth to keycloak.
After about a year of using Keycloak for some #dayjob side projects, I literally just stood it up in my homelab.
It does have a learning curve, but it supports OIDC and SAML - those two should get most internal services covered.
Back end can federate with AD or LDAP - for the real stinkers who refuse to support SSO. (Looking at you Netbox)
Following since I’m new to Lemmy and not sure how to or even if I can save a post. I too am looking for something. I spun up authentik but was quickly overwhelmed with what to do after that, lol. I made it as far as logging in then got…lost no matter what tutorials I tried to follow.
You can star comments or posts to save them, it might be under the
⋮menu. You can view your saved posts in your profile.https://cosmos-cloud.io/
Maybe try this ? Looks to be focused on simplicity and ease of use.
I use Pomerium! https://www.pomerium.com/docs
I’ve found Zitadel to be the best open source Oauth2 provider. It also supports terraform for a fully IaC approach to declaring your users and their permissions.
I can only support that. This is what I am running for my small business as well and it’s been super smooth for roughly a year now! Especially self service and auto-registering based on domain names turned out to be really nice features (for a business). In my homelab I just enjoy having a nice ui.
https://github.com/zitadel/zitadel
https://zitadel.com/
I came from Authentik which was nice too but nowhere as feature rich as zitadel.
OpenLDAP is easy :) Once you understand LDAP concepts.
Check this and read through the
tasks/directory (particularlyopenldap.ymlandpopulate.yml. It sets up everything needed for an LDAP authentication service (if you don’t use ansible you can still read what the tasks do and you should get a pretty good understanding of what’s needed, if not let me know).In short you need:
slapd(the OpenLDAP server)system,usersandgroups)admindirectly at the base of the LDAP directory)binduser in the LDAP directory (unvprivileged account that can only list/read users/groups) (mine isbindunder thesystemOU)access_jellyfinare allowed to login to jellyfin)When you login to an application/service configured to use the LDAP authentication backend, it connects to the LDAP directory using the
binduser credentials, and checks that the user exists (depending on how you configured the application either by name, uid, email…) , that the password you provided matches the hash stored in the LDAP directory, optionally that the user is part of the required groups. Then it allows or denies access.There’s not much else to it:
bindaccount but I wouldn’t recommend it (either configure your applications to use theadminuser in which case they have admin access to the LDAP directory… not good. Or allow anonymous read-only access to the LDAP directory - also not ideal).slapdstores its configuration (admin user/password, log level…) inside the LDAP directory itself as attributes of a special entity (cn=config), so to access or modify it you have to use LDIF files and theldapadd/ldapmodifycommands, or use a convenient wrapper like the ansible modules tools used above.jane.doein OUusersin the directory for domainexample.orghas the Distinguished Name (DC)cn=jane.doe,ou=users,dc=example,dc=org. Think of it like/path/to/file.inetOrgPersons, groups areposixGroups…) and attributes (uid,cn,email,phonenumber…). Usually applications that support LDAP come with predefined filters to look for users in specific groups, etc.I’d suggest something like Keycloak or earning the wizard robe and beard by buckling down and learning OpenLDAP. The biggest suggestion that I have though is to have a disaster recovery plan for even your auth system goes down. Don’t be like Facebook and lock yourself out without any hope of regaining entry (or, if you’re a fan of Russian Roulette, do).
What’s your DR plan? My “plan” is to SSH in and figure out what’s wrong.
I’m still trying to cover up with a good one to allow more self-hosting. Probably a SHTF security key kept in a safe that can be used with physical access.
The problem here being that you have a circular dependency:
My SSH auth uses SSH keys stored in authorized_keys, but I see your point. For me, OpenLDAP will be letting users in to the various services and SSH is outside that. I suppose SFTP could be something I want, but I’d be tempted to put a new sshd inside a container and have it more restricted than the system one.
I think the backup key idea is definitely the most broadly applicable, but there’s physical/KVM for a more old school access route.
That makes sense. I like the idea of combining physical key with physical/KVM access so that there is no password auth (at least, not without a second factor).
I used plain Kerberos. I stopped, because sometimes I don’t want to be logged in automatically. Privacy and multi-account systems get more difficult.
Same. I still use Kerberos, but I use kinit manually when I want to authenticate. It does force me to type the password more often but the benefits outweigh that.
I use Keycloak and OpenLDAP, but if I was setting it up again I’d probably just use Authentik