Centralized user management #51

Open
opened 2023-11-23 20:20:20 +02:00 by inex · 5 comments
Owner

This issue was created to track our work and exploration on the topic of SSO.

# Key protocols

- LDAP
- OAuth
- OpenID Connect
- SAML

# Software candidates

- [Keycloak](https://www.keycloak.org) — Java, there is a Nix module.
- [OpenLDAP](https://www.openldap.org) — There is a Nix module.
- [Ory](https://www.ory.sh) — Go, not properly packaged in Nix.
- [Casdoor](https://casdoor.org) — Go, not packaged.
- [authentik](https://goauthentik.io) — not packaged.
- [Authelia](https://www.authelia.com) — Go, there is a Nix module.
- [ZITADEL](https://zitadel.com) — Not packaged.

# Services protocol compatibility

| Service     | LDAP | SAML | OAuth2 | OpenID | PAM |
| ----------- | ---- | ---- | ------ | ------ | --- |
| Nextcloud   | +    | +    | ?      | ?      |     |
| Email       | +    |      |        |        | +   |
| Vaultwarden | +    |      |        |        |     |
| Gitea       | +    |      | +      | +      | +   |
| Pleroma     | +    |      | +      |        |     |
| Mastodon    | +    | +    | +      | +      | +   |
inex added the enhancement label 2023-11-23 20:20:20 +02:00
Author
Owner

Authelia is lightweight and may use the list of users provided by the YAML file, so we may use it more or less in a declarative way.

However, it is a reverse-proxy companion. It only supports session cookies, OpenID Connect and trusted headers.

Solutions like Keycloak and authentik provide a wide range of protocols but eat a lot of RAM.


I think that in comparison it is also worth considering 2fa sso support. For example rfc6232 (totp) or fido2 (priority)

alexoundos self-assigned this 2024-04-17 21:03:32 +03:00
Member

For user management LDAP is necessary.

For SSO we usually need to use HTTP headers/cookies to inform the backend application of the user's authenticated state.

Authelia supports OpenID (and OAuth2), but not SAML (yet). In case the backend application doesn't support OpenID (e.g. Jitsi), custom solutions might be possible, but it can also be challenging to make the application recognize the username of the authenticated user.
Authelia supports both TOTP and FIDO2.

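The "trusted headers" style of SSO that this thread keeps coming back to (the reverse proxy authenticates the user and forwards the username to the backend in an HTTP header) has one check the backend cannot skip: the header is only evidence of authentication when the request actually arrived through the proxy. The following is an added example, not code from the issue, Authelia or SelfPrivacy; it assumes a header named Remote-User, a known list of proxy source networks, and that the backend can see the peer address of the connection.

```python
"""Added example, not from the issue, Authelia or SelfPrivacy: how a backend
should consume a forwarded identity header from an authenticating proxy.

Assumptions (mine, not the page's): the proxy sets a header named Remote-User
after it has authenticated the request, the proxy's source networks are known,
and the backend sees the peer address of the TCP connection.
"""
import ipaddress
from typing import Iterable, Mapping

IDENTITY_HEADER = "remote-user"  # assumed header name; compared case-insensitively


class ForwardedAuthError(Exception):
    """Raised when no trustworthy forwarded identity is present."""


def resolve_user(headers: Mapping[str, str], peer_addr: str,
                 trusted_proxies: Iterable[str]) -> str:
    """Return the forwarded username, or raise ForwardedAuthError.

    The header only proves anything if the connection really came from the
    proxy: a client that can reach the backend directly could set the header
    itself, so requests from any other peer are refused outright.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in ipaddress.ip_network(net, strict=False)
               for net in trusted_proxies):
        raise ForwardedAuthError(f"peer {peer_addr} is not a trusted proxy")

    # HTTP header names are case-insensitive; collect every spelling present
    # and refuse the request if they disagree rather than silently picking one.
    values = {v.strip() for k, v in headers.items()
              if k.lower() == IDENTITY_HEADER}
    values.discard("")
    if not values:
        raise ForwardedAuthError("no authenticated user forwarded by the proxy")
    if len(values) > 1:
        raise ForwardedAuthError("conflicting identity headers in one request")
    return values.pop()


if __name__ == "__main__":
    # Constructed sample: the proxy at 10.0.0.2 forwards a request for user a1.
    print(resolve_user({"Remote-User": "a1"}, "10.0.0.2", ["10.0.0.0/24"]))
```

The same rule applies whatever the backend is: firewall the application so that only the proxy can reach it, and treat the peer-address check here as a second line of defence, not the only one.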
inex added this to the SelfPrivacy single sign on project 2024-06-19 16:45:01 +03:00
Member

## useful LDAP related commands

### get LDAP part of dovecot configuration:

```console
$ cat /run/dovecot2/dovecot-ldap.conf.ext
```

### using `openldap` package (`nix shell nixpkgs#openldap`)

Search for users by mail address:

```console
$ ldapsearch -x -H ldap://localhost:3890 -b "ou=people,dc=kutaka,dc=xyz" -D "uid=mail,ou=people,dc=kutaka,dc=xyz" -w SOME_PASSWORD "(&(objectClass=mailAccount)(mail=a1@kutaka.xyz))"
```

Example output:

```
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=kutaka,dc=xyz> with scope subtree
# filter: (&(objectClass=mailAccount)(mail=a1@kutaka.xyz))
# requesting: ALL
#

# a1, people, kutaka.xyz
dn: uid=a1,ou=people,dc=kutaka,dc=xyz
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: mailAccount
objectclass: person
uid: a1
mail: a1@kutaka.xyz
givenname: B
sn: C
cn: A
createtimestamp: 2024-04-24T02:51:47.264288694+00:00
entryuuid: 2eb4c717-301c-3479-b80c-e25df7d8b73e

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

### monitor LLDAP systemd service logs in realtime:

```console
# journalctl -u lldap.service -f
```
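The `ldapsearch` call above pastes the mail address straight into the filter string, which is fine at a shell prompt but not in anything that takes the address from a user. As an added example (not code from the thread, dovecot or LLDAP), the block below builds the same `(&(objectClass=mailAccount)(mail=...))` filter with RFC 4515 escaping and parses the LDIF that `ldapsearch` prints into Python dicts; the sample input is the output shown in the comment above.

```python
"""Added example, not from the issue thread, dovecot or LLDAP: build the
mail-lookup filter used with ldapsearch above with RFC 4515 escaping, and
parse the LDIF that ldapsearch prints into one dict per entry."""
import base64
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mail_account_filter(mail: str) -> str:
    """The filter the comment above passes to ldapsearch, with the address escaped."""
    return f"(&(objectClass=mailAccount)(mail={escape_filter_value(mail)}))"


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse ldapsearch LDIF output into one dict per entry (attribute -> values).

    '#' comment lines are skipped, folded continuation lines (leading space)
    are re-joined, '::' base64 values are decoded, attribute names are
    lower-cased, and the trailing 'search:/result:' block, which has no dn,
    is dropped.
    """
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return [entry for entry in entries if "dn" in entry]


# Output copied from the ldapsearch run shown in the comment above.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=kutaka,dc=xyz> with scope subtree
# filter: (&(objectClass=mailAccount)(mail=a1@kutaka.xyz))
# requesting: ALL
#

# a1, people, kutaka.xyz
dn: uid=a1,ou=people,dc=kutaka,dc=xyz
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: mailAccount
objectclass: person
uid: a1
mail: a1@kutaka.xyz
givenname: B
sn: C
cn: A
createtimestamp: 2024-04-24T02:51:47.264288694+00:00
entryuuid: 2eb4c717-301c-3479-b80c-e25df7d8b73e

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def mail_accounts(ldif_text: str) -> dict[str, str]:
    """Map each mail address in the output to the entry's uid."""
    return {
        entry["mail"][0]: entry["uid"][0]
        for entry in parse_ldif(ldif_text)
        if "mailaccount" in {oc.lower() for oc in entry.get("objectclass", [])}
    }


if __name__ == "__main__":
    print(mail_account_filter("a1@kutaka.xyz"))
    print(mail_accounts(SAMPLE_LDIF))
```

The parser deliberately keeps every attribute as a list, because `objectclass` (and, in other directories, `mail`) is legitimately multi-valued; code that assumes a single value is where "which address is this account?" bugs come from.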
Member

IMAP (dovecot) login test (assuming username is the same as email address):

```
$ doveadm auth test a1@kutaka.xyz
```
Reference: SelfPrivacy/selfprivacy-nixos-config#51