User management
fedilink

Hey everyone,

How do you do user management, I have a small handful of users that want one password for physical machines and for web apps. I was looking at KanIDM but I was wondering what other people use?

Edit: I would like to only use one piece of software if possible.

tun
link
fedilink
English
151Y

The Single Sign-On Multi-Factor portal for web apps

https://github.com/authelia/authelia

P'undrak
link
fedilink
English
41Y

I use it for quite a few of my services, it’s ready effective! And not that hard to set up, though I haven’t tried to make it work with an LDAP service yes.

@seang96@spgrn.com
link
fedilink
English
01Y

I got it set up with LDAP and a web front end to configure LDAP users. Works really nice. If only my services supported with with it.

Neo
link
fedilink
English
21Y

I would recommend keycloak. I can basically do everything related to webapps authentication (OIDC, 2FA, etc)… except working as an LDAP/AD server, which typically used to enable login to physical machine using the network account. But, it has built-in LDAP provider support, which mean you can use OpenLDAP to host the accounts of your users (so they can use LDAP authentication on their own machine), and point keycloak to that OpenLDAP instance to allow your users to login to your webapps using their OpenLDAP account.

Keycloak is nice, but probably overkill for what OP needs. Keep it simple.

surfrock66
link
fedilink
English
3
edit-2
1Y

I don’t have the exactly solution for you, but I went through this a while ago and came up with using openLDAP for this. It’s not tidy at all, but it was a tremendous learning experience, and I documented it in 2 blog posts which may be interesting to you; I doubt you’ll want to do what I did, but it was informative and has worked flawlessly since. I documented some of the flaws I found in options I considered at the time:

https://www.surfrock66.com/my-experience-guide-setting-up-openldap-for-pc-webapp-authentication-on-ubuntu-20-04/

https://www.surfrock66.com/openldap-kerberos-and-sasl-my-experience-in-the-homelab/

@notabot@lemm.ee
link
fedilink
English
41Y

I use an LDAP server, as it’s pretty much designed for exactly this task. You can tell PAM to authenticate and authorise from it to manage logins to the physical machines, and web apps typically either have a straightforward way to use LDAP, or support ‘external’ auth, with your web server handling the authentication and authorisation for it.

OpenLDAP is a solid, easily self hosted server. If you like working from the shell it has everything you need. If you prefer a GUI there are a variety of desktop and web based management frontends available.

@lal309@lemmy.world
link
fedilink
English
21Y

I’ve been toying with the idea of standing it up. Any recommendations for the GUI side?

@notabot@lemm.ee
link
fedilink
English
11Y

I confess I normally work from the command line, but I have set up LDAPAdmim for projects where others needed to manage the directory, and it worked pretty well.

@lal309@lemmy.world
link
fedilink
English
11Y

I got ya. Took a quick look at that link and it looks like the client is Windows specific which is frowned upon and permanently blacklisted in this house!!!

Still, I appreciate the reply

@notabot@lemm.ee
link
fedilink
English
11Y

That’s what comes of late night posting, I’d meant to link you to PHPLDAPAdmin, not LDAPAdmin! It’s written in PHP, which isn’t lovely, but it does it’s job.

@vegetaaaaaaa@lemmy.world
link
fedilink
English
2
edit-2
1Y

I use openLDAP + LDAP Account Manager and Self-service password. Deployed/managed through this ansible role

@lal309@lemmy.world
link
fedilink
English
11Y

Well…. you just blocked off my calendar for the weekend!

poVoq
link
fedilink
English
81Y

https://github.com/lldap/lldap

Is ideal for small self-hosters.

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 124 users / day
  • 419 users / week
  • 1.16K users / month
  • 3.85K users / 6 months
  • 1 subscriber
  • 3.68K Posts
  • 74.2K Comments
  • Modlog