On another note in regards to the guide issue with nextcloud I came across this https://help.nextcloud.com/t/ldap-users-show-as-sid-and-not-user-name/26153 haven’t tested yet
Makes it look like I could make Nextcloud (without LLNG) behave like Nextcloud with LLNG by doing something like this:
I tend to think that would be a win, but it still leaves the question of what to do about servers with existing data.
2 Likes
I think its now time to begin installing this solution.
wish me a smooth ride
2 Likes
4 Likes
I’ve just pushed another update to the repo, this adds the option to lock down access to the manager to local networks only. To take advantage of this, run config setprop lemonldap access private followed by signal-event nethserver-lemonldap-ng-update.
4 Likes
hello @danb35 do youthink, using this SSO Mapping Providers - Synapse (matrix-org.github.io)
if it is possible to make use of LemonLDAP on our MAtrix-SYnapse
can i give you access to my testing matrix-synapse server(if you dont have one) you configure then add the config instuctions on the other instructions wiki youve already created
or you could alternative deploy your own Matrix - synapse - Howto - NethServer Community
and connect
I haven’t used it and don’t see much occasion to at the moment. Maybe you could give it a try. OpenID Connect is fairly straightforward to set up; I’d expect you should be able to adapt the instructions I wrote for Proxmox and go from there.
Yes, I’m somewhat familiar with Authelia. It’s designed to work with reverse proxy software like Traefik (which is going to be an important part of NS8), but it doesn’t appear that it provides the support for standard SSO protocols like OIDC, SAML, or CAS.
I got this working on a clean NethServer SAMBA/AD & Nextcloud instance hosted on TrueNAS, thank you for the HowTo @danb35. I’ll admit I am clueless here starting with trying to understand the protocols (Youtube is helping but bleh) but I was able to plug along and start a foundational knowledge because of this walkthrough.
2 Likes
Glad you got it working. From my observations, it appears that OpenID Connect is the simplest protocol to set up–set up the RP in the web manager, determine the client ID and secret as well as the callback URL, and save. In the client application, enter https://auth.yourdomain as the source, and the client ID and secret you used before. That’s pretty much it. SAML2 configuration’s described in the wiki as well, but it seems a bit more complicated.
I noticed sometimes when login it comes up with error then go to portal login again and it works since i fixed my ad cert
I changed the connection settings in the LemonLDAP-NG manager
and it worked and alot faster havent had any errors now
3 Likes
unfortunately it didn’t stick got errors today about portal so kept everything the same ie port 636 and ldaps://ad.ksatdesign.com.au and user but had to change cert verification back to none
although even without the cert verification it’s still not having the other issues i was having and is still as fast
update:
I was trying a few things and noticed if i add the nsdc-orion.ad.ksatdesign.com.au in the dns of nethserver with it’s ip and add that to lets encrypt the use of cert in manager works with original config with cert set to require lets see if that holds
ive used ldap+tls://ad.ksatdesign.com.au port 389 and certificate set to required now saved and works plus removes errors about io:socket being to old
no errors with trying to login now but in the httpd logs i noticed this
User rejected because VirtualHost "lemonldap-ng.org" has no configuration although not sure what file it’s referenced in
update i think the issue with the error on first boot seems to be the fcgi is timing out to soon while running the scripts first and works the seccond time due to the scripts being finished loading so
ive changed the file /etc/httpd/conf.d/fcgid.conf to
# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at
# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
# Use FastCGI to process .fcg .fcgi & .fpl scripts
AddHandler fcgid-script fcg fcgi fpl
+ FcgidBusyTimeout 3600.
+ FcgidIOTimeout 3600
# Sane place to put sockets and shared memory file
FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
Lets hope that works
ok that seems to solve that issue still getting another one Unchecked runtime.lastError: The message port closed before a response was received. I think this is whats causing the issue on first login
issue turned out to be a chrome extension (in my case ad blocker and monosnap)
solution was to add *.domain.tld/* to add blocker exception list and remove monosnap chrome extension (desktop monosnap works fine without it)
1 Like
