Install LemonLDAP::NG SSO/IAM on Nethserver

Content moved to the wiki (except the images, which I need to move over at a later time)

  • Still in Nextcloud, go to User management:
    Find any users you want to have admin privileges in Nextcloud, and add them to the admin group. Make sure you add at least one. It will look like this:

reserved for future use

Not sure why, but I set the Nextcloud username to the same as the admin account on NethServer and it logs in fine with admin on Nextcloud.

I've now managed to set up SSO integration with Education Perfect, the same as for the Nextcloud setup minus the config on Nextcloud (as Education Perfect handle their side; they just needed my metadata).
As email is their default username, under exported attributes all I needed was to set both the Variable name and the Attribute name to email.

In anticipation of the last two posts on Single sign-on (SSO)/Identity and access management (IAM) for Nethserver being moved here, where I think they’d fit better, I’ll address them here.

On the question of certificates: as I say in the installation instructions, assuming you’re already using the Neth GUI’s facility for a Let’s Encrypt certificate, and you’re using (as most everything on the system really wants you to) the default certificate for everything, it’s easy. In the Cockpit GUI, go to System -> Certificates and click on Let’s Encrypt certificate. This will bring up a window listing all the names currently on the default system cert. Use the Add domain button at the bottom to add the hostnames for the portal and the manager (by default, auth.yourdomain and manager.yourdomain), then click the Request button. The system will request a new certificate, covering all the existing hostnames in addition to the two new ones. It will also renew that cert as necessary, and you shouldn’t need to deal with it again.

If you want to use a separate cert, of course, you’re free to do so, but then its creation or renewal will be your responsibility. If you use certbot to obtain it, you’ll need to set up a daily cronjob to run certbot renew (and make sure --post-hook "/sbin/e-smith/signal-event certificate-update" is part of the command you run to obtain the cert).

On the z-lemonldap-ng-handler.conf file, I hadn't templated that one or the API .conf file, as I'm not really using them so far, but it looks like the default files are causing some problems. I'll get an update out shortly to address those.
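Whichever way the certificate is obtained (the Neth GUI's Let's Encrypt request or a separate certbot run), the thing worth checking afterwards is that the resulting cert really lists the portal and manager hostnames in its subjectAltName, since a renewal that silently drops a name is exactly the failure the post above is trying to avoid. The script below is an added example, not code from the module or from this thread; the hostnames auth.example.org and manager.example.org and the cert path are assumptions, and the self-signed sample cert exists only so the check can be run offline.

```sh
#!/bin/sh
# Added example (not from the original thread): verify that a PEM certificate
# covers every hostname LemonLDAP::NG needs. Hostnames and paths are assumptions.

# Print the DNS names in a certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Return 0 if the cert covers every hostname given after the path;
# otherwise list the missing names on stderr and return 1.
cert_covers() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    missing=""
    for host in "$@"; do
        if ! printf '%s\n' "$names" | grep -qx "$host"; then
            missing="$missing $host"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing from $cert:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a throwaway self-signed cert (one day, two SANs) so the
# check can be exercised without touching a real system certificate.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=server.example.org" \
        -addext "subjectAltName=DNS:server.example.org,DNS:auth.example.org" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Typical use on a NethServer box (path is the usual default-cert location
# and is an assumption here):
#   cert_covers /etc/pki/tls/certs/NSRV.crt auth.example.org manager.example.org
```

Run against the real default cert after the Let's Encrypt request, and again from the same cron job that runs certbot renew, so a renewal that loses a name is noticed before users hit a certificate warning on the portal.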

I believe I've found the [example.com] issue to be because it's referenced in /etc/httpd/conf.d/z-lemonldap-ng-handler.conf

I've changed the following to the correct domain:

ErrorDocument 403 http://auth.example.com/lmerror/403
ErrorDocument 404 http://auth.example.com/lmerror/404
ErrorDocument 500 http://auth.example.com/lmerror/500
ErrorDocument 502 http://auth.example.com/lmerror/502
ErrorDocument 503 http://auth.example.com/lmerror/503

<VirtualHost *:80>
ServerName reload.example.com

And manager no longer complains of “lemonldap localhost: Error 500 (Can’t connect to auth.example.com:80 (Bad hostname)) OK”

All I need to fix now is getting the certificate to update. I've got a workaround so far: I set up a virtual host with auth.domain.com.au and manager.domain.com.au, generate the certificate, then go into Web server and disable it. That seems to work; I just have to do that, maybe even set up a cron job to do it before the cert renews and then disable it. Just not as clean as I'd like.

As far as I'm aware, even though it reported an error before I edited the file, everything worked fine. As for the certificate issue, I'm not too sure why it didn't work on my system. As you said, your module did indeed set up the virtual host, as it was accessible, but when I tried adding auth.domain.com.au and manager.domain.com.au to the Let's Encrypt request form it would fail, saying: Validation failed: Challenge failed for this domain(s) auth.domain.com.au,manager.domain.com.au
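The manager's "Bad hostname" error above comes from directives in the shipped handler conf still pointing at the example.com placeholder, which is easy to miss because the rest of the setup keeps working. The script below is an added example, not part of the module or of this post: it lists the ErrorDocument/ServerName lines in an Apache conf that still carry the placeholder and writes a corrected copy. The conf text is a constructed sample modelled on the lines quoted in the post; the file paths and the replacement domain are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread): find and replace the
# example.com placeholder left in an Apache conf such as
# /etc/httpd/conf.d/z-lemonldap-ng-handler.conf. Paths are assumptions.

# Print (with line numbers) the ErrorDocument/ServerName/ServerAlias
# directives that still reference the example.com placeholder.
placeholder_lines() {
    grep -nE '^[[:space:]]*(ErrorDocument|ServerName|ServerAlias) .*example\.com' "$1"
}

# Write a copy of conf $1 with example.com replaced by domain $2 into file $3.
# The original is left untouched so the change can be reviewed (diff) first.
fix_domain() {
    sed "s/example\.com/$2/g" "$1" > "$3"
}

# Constructed sample conf, modelled on the lines quoted in the post above.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample modelled on z-lemonldap-ng-handler.conf
ErrorDocument 403 http://auth.example.com/lmerror/403
ErrorDocument 500 http://auth.example.com/lmerror/500
<VirtualHost *:80>
    ServerName reload.example.com
</VirtualHost>
EOF
    echo "$f"
}

# Typical use (review the diff, then move the corrected copy into place and
# reload httpd; the real domain is an assumption here):
#   placeholder_lines /etc/httpd/conf.d/z-lemonldap-ng-handler.conf
#   fix_domain /etc/httpd/conf.d/z-lemonldap-ng-handler.conf mydomain.test /tmp/handler.conf
#   diff /etc/httpd/conf.d/z-lemonldap-ng-handler.conf /tmp/handler.conf
```

Running placeholder_lines across /etc/httpd/conf.d/ after installation is a quick way to confirm that nothing else in the shipped configs still points at a hostname you do not control.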

Can you post (or PM me) the certbot log from that attempt (it's in /var/log/letsencrypt)?

OK, there is some sort of a problem with the httpd conf file where it’s trying to handle the Let’s Encrypt authorizations. I hadn’t encountered it previously because I use DNS validation for all my internal stuff. Not (yet) quite sure why it’s happening, but I can confirm there’s a problem there.

@Shane_Treweek, I just pushed an update to the repo that should fix this issue. I tested it against my own internal ACME CA using HTTP validation, and it was able to obtain the cert. Can you test?

Just pushed another update to the repo with some pretty big changes. First, functionally, it now supports Active Directory, both local and remote (tested against Windows Server 2008R2). When using AD, any member of the domain admins group will have access to the manager page to make further changes.

Second, I made a few visual changes to make it look more NethServer-like:


Not sure why the transparency in the logo isn’t working at this point, but no doubt there’s more to be done there.

I'll test sometime today.
Then I'll try the AD.
I've also been keeping the integration team over at Education Perfect informed, as I think this is a great feature: most current software setups are prohibitively expensive, especially in small local schools or group homeschooling, and since it works with their software very easily, that's definitely a plus.

I can confirm the update allows the certificate to be requested successfully on my system
I’m not seeing the visual changes

Scratch that, I forgot to rerun the script.
As for the transparent logo, it's a CSS problem: you just need to remove the background-color: attributes in both styles.css and styles.min.css located in /usr/share/lemonldap-ng/portal/htdocs/static/bootstrap/css/

Another update pushed out, it now works with remote LDAP, at least if the remote LDAP server is on Nethserver. I expect this is going to be something that will have more variation than remote AD, so it will probably need tweaking for individual circumstances, particularly if the remote LDAP server is not on a Nethserver system.

As to the logo background, Shane, thanks for the pointer, and it’s actually in the docs:


Update pushed for this as well.

On the logo, I took the logo from the default virtualhost page, and resized it to 400 pixels wide. It still looks pretty big, and I’m thinking of shrinking it further. Any thoughts on that?

I'd say maybe shrink it by 5 or 10% at least, so it formats a little smoother for mobile view; other than that I think it looks good.

For AD setup using NethServer, it works to log in to the auth page but throws an error when trying to redirect back to Nextcloud: either a "this user is not provisioned" or just a "the server couldn't complete your request". I'll have a look at the log files in the morning. Everything else works, so either it's a simple fix or just not compatible with NethServer AD. Either way, you're making fast progress.

To this point, my testing has only been to make sure I can log into the portal, that admin users (username “admin” for LDAP, members of “domain admins” for AD) have access to the manager, and non-admin users don’t. It’s possible there’s an issue with the configuration in my module, but more likely the issue is in my instructions for setup with Nextcloud.

That's fine, I'll play around with it tomorrow. Plus I know it works fine for LDAP.