Install LemonLDAP::NG SSO/IAM on Nethserver

I haven’t used it and don’t see much occasion to at the moment. Maybe you could give it a try. OpenID Connect is fairly straightforward to set up; I’d expect you should be able to adapt the instructions I wrote for Proxmox and go from there.

Yesterday I came across this:
Authelia - Authentication server providing two-factor and SSO

Yes, I’m somewhat familiar with Authelia. It’s designed to work with reverse proxy software like Traefik (which is going to be an important part of NS8), but it doesn’t appear that it provides the support for standard SSO protocols like OIDC, SAML, or CAS.

I got this working on a clean NethServer SAMBA/AD & Nextcloud instance hosted on TrueNAS, thank you for the HowTo @danb35. I’ll admit I am clueless here starting with trying to understand the protocols (YouTube is helping but bleh) but I was able to plug along and start a foundational knowledge because of this walkthrough.


Glad you got it working. From my observations, it appears that OpenID Connect is the simplest protocol to set up–set up the RP in the web manager, determine the client ID and secret as well as the callback URL, and save. In the client application, enter https://auth.yourdomain as the source, and the client ID and secret you used before. That’s pretty much it. SAML2 configuration’s described in the wiki as well, but it seems a bit more complicated.

I noticed that sometimes when logging in it comes up with an error; then going to the portal and logging in again works, since I fixed my AD cert.

I changed the connection settings in the LemonLDAP-NG manager

and it worked, and a lot faster; haven’t had any errors now.


Unfortunately it didn’t stick; got errors today about the portal, so I kept everything the same, i.e. port 636 and ldaps://ad.ksatdesign.com.au and user, but had to change cert verification back to none.

Although even without the cert verification it’s still not having the other issues I was having, and is still as fast.

Update:
I was trying a few things and noticed that if I add nsdc-orion.ad.ksatdesign.com.au in the DNS of NethServer with its IP and add that to Let’s Encrypt, the use of the cert in the manager works with the original config with cert set to require. Let’s see if that holds.

I’ve used ldap+tls://ad.ksatdesign.com.au port 389 and certificate set to required now, saved, and it works, plus it removes the errors about IO::Socket being too old.

No errors with trying to log in now, but in the httpd logs I noticed this:

User rejected because VirtualHost "lemonldap-ng.org" has no configuration although not sure what file it’s referenced in

Update: I think the issue with the error on first boot is that the fcgi is timing out too soon while running the scripts the first time, and it works the second time because the scripts have finished loading, so
I’ve changed the file /etc/httpd/conf.d/fcgid.conf to:

# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at
# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html

# Use FastCGI to process .fcg .fcgi & .fpl scripts
AddHandler fcgid-script fcg fcgi fpl
# Added: give the FastCGI scripts an hour before Apache gives up waiting
# on them (mod_fcgid's defaults are 300 s busy and 40 s I/O)
FcgidBusyTimeout 3600
FcgidIOTimeout 3600
# Sane place to put sockets and shared memory file
FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm

Let’s hope that works.

OK, that seems to solve that issue. Still getting another one: Unchecked runtime.lastError: The message port closed before a response was received. I think this is what’s causing the issue on first login.

The issue turned out to be a Chrome extension (in my case an ad blocker and Monosnap).

The solution was to add *.domain.tld/* to the ad blocker exception list and remove the Monosnap Chrome extension (desktop Monosnap works fine without it).


Looks like these guys https://www.authelia.com/

have now added OIDC and LDAP support.


Also, this should be updated with these:

Single-Sign On - Synapse (matrix-org.github.io)

Looks like OIDC is in beta according to their docs.


I am facing an installation error:

failure: repodata/repomd.xml from lemonldap-ng: [Errno 256] No more mirrors to try.
https://lemonldap-ng.org/redhat/stable//noarch/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for lemonldap-ng: Damaged repomd.xml file
[root@nethserver-ad ~]# /root/lemon_config.sh
-bash: /root/lemon_config.sh: No such file or directory

what could be the problem?

Hi

Your installer script can’t reach the server https://lemonldap-ng.org - the reason could be either DNS or routing. But I assume DNS, as you can reach that server.

Can you ping Google with an FQDN, e.g. www.google.com?

Yes, I am able to ping Google.

It’s more accurate to say that yum isn’t downloading, at least, the complete/correct repomd.xml file, and if you’d shown a few more lines of the messages, it might be more obvious why. Let’s make sure the repo file has the correct contents–what are the complete contents of /etc/yum.repos.d/lemonldap-ng.repo?

Complete message:

Loaded plugins: changelog, fastestmirror, langpacks, nethserver_events
nethserver-danb35-1.1.0-1.ns7.noarch.rpm                                                        |  55 kB  00:00:00
Examining /var/tmp/yum-root-igh_Yq/nethserver-danb35-1.1.0-1.ns7.noarch.rpm: nethserver-danb35-1.1.0-1.ns7.noarch
/var/tmp/yum-root-igh_Yq/nethserver-danb35-1.1.0-1.ns7.noarch.rpm: does not update installed package.
Error: Nothing to do
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1694  100  1694    0     0   5162      0 --:--:-- --:--:-- --:--:--  5164
Loaded plugins: changelog, fastestmirror, langpacks, nethserver_events
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                            |  21 kB  00:00:00
 * ce-base: mirror.freethought-internet.co.uk
 * ce-extras: mirror.freethought-internet.co.uk
 * ce-sclo-rh: mirror.freethought-internet.co.uk
 * ce-sclo-sclo: mirror.freethought-internet.co.uk
 * ce-updates: mirror.freethought-internet.co.uk
 * epel: mirror.freethought-internet.co.uk
 * nethforge: nethserver.de-labrusse.fr
 * nethserver-base: nethserver.de-labrusse.fr
 * nethserver-updates: nethserver.de-labrusse.fr
ce-base/7/x86_64/signature                                                                      |  811 B  00:00:00
ce-base/7/x86_64/signature                                                                      | 3.6 kB  00:00:00 !!!
ce-extras/7/x86_64/signature                                                                    |  811 B  00:00:00
ce-extras/7/x86_64/signature                                                                    | 2.9 kB  00:00:00 !!!
ce-sclo-rh                                                                                      | 3.0 kB  00:00:00
ce-sclo-sclo                                                                                    | 3.0 kB  00:00:00
ce-updates/7/x86_64/signature                                                                   |  811 B  00:00:00
ce-updates/7/x86_64/signature                                                                   | 2.9 kB  00:00:00 !!!
danb35/7/signature                                                                              |  230 B  00:00:00
danb35/7/signature                                                                              | 2.9 kB  00:00:00 !!!
lemonldap-ng                                                                                    |  13 kB  00:00:00
https://lemonldap-ng.org/redhat/stable//noarch/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for lemonldap-ng: Damaged repomd.xml file
Trying other mirror.


 One of the configured repositories failed (LemonLDAP::NG packages),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=lemonldap-ng ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable lemonldap-ng
        or
            subscription-manager repos --disable=lemonldap-ng

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=lemonldap-ng.skip_if_unavailable=true

failure: repodata/repomd.xml from lemonldap-ng: [Errno 256] No more mirrors to try.
https://lemonldap-ng.org/redhat/stable//noarch/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for lemonldap-ng: Damaged repomd.xml file
./LemonLDAP-NG.sh: line 25: /root/lemon_config.sh: No such file or directory
/etc/yum.repos.d/lemonldap-ng.repo

[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable//noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

should be

[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

as you’re running into the error that your server cannot connect to https://lemonldap-ng.org/redhat/stable//noarch.
Not sure why it did that, but if you replace the contents of /etc/yum.repos.d/lemonldap-ng.repo with

[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

and run yum -y update

you should be able to fix the issue; then run

curl https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 > /etc/pki/rpm-gpg/RPM-GPG-KEY-OW2 && yum -y install nethserver-lemonldap-ng --enablerepo=lemonldap-ng,lemonldap-ng-extras && ~/lemon_config.sh

That should install it.
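The repo repair and key download from the post above, as an added shell example that is not from the thread or the NethServer package: it rewrites baseurl lines that lost their $releasever segment (the "stable//noarch" URL in the error) and refuses to install a downloaded key that is not actually a PGP key block. The function names and the temporary-file handling are my own.

```shell
#!/bin/sh
# Added example, not from the thread: repair a yum .repo file whose baseurl lost
# its $releasever segment (the "stable//noarch" URL seen above) and sanity-check
# the downloaded OW2 signing key before gpgcheck=1 has to rely on it.

# fix_repo_baseurls FILE: on every baseurl= line that does not already contain
# $releasever, turn an empty path segment ("//") into "/$releasever/" and a
# trailing "/" into "/$releasever". Returns 0 if the file was changed, 1 if
# nothing needed fixing, 2 on error.
fix_repo_baseurls() {
    repo="$1"
    sed -e '/^baseurl=/!b' \
        -e '/\$releasever/b' \
        -e 's|^\(baseurl=[a-z]*://[^/]*\)\([^ ]*\)//|\1\2/$releasever/|' \
        -e 's|^\(baseurl=[a-z]*://[^/]*/.*[^/]\)/$|\1/$releasever|' \
        "$repo" > "$repo.tmp" || { rm -f "$repo.tmp"; return 2; }
    if cmp -s "$repo" "$repo.tmp"; then
        rm -f "$repo.tmp"
        return 1
    fi
    mv "$repo.tmp" "$repo"
}

# looks_like_pgp_public_key FILE: curl without -f saves a 404 or login page with
# exit status 0, and yum would later complain about a bad key rather than a bad
# download. Accept only an ASCII-armored public key block.
looks_like_pgp_public_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# install_ow2_key URL DEST: fetch with -f so HTTP errors fail the command,
# validate the body, and only then place it where the .repo file's gpgkey= points.
install_ow2_key() {
    tmp=$(mktemp) || return 2
    if curl -fsSL "$1" -o "$tmp" && looks_like_pgp_public_key "$tmp"; then
        install -m 0644 "$tmp" "$2"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Example use on a real box (network required, hence not run here):
#   fix_repo_baseurls /etc/yum.repos.d/lemonldap-ng.repo
#   install_ow2_key https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 \
#       /etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
#   yum -y install nethserver-lemonldap-ng --enablerepo=lemonldap-ng,lemonldap-ng-extras
```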

Seems to have installed, as I can access the manager interface.

But this came up; not sure whether it has an effect or not.

Complete!
Saved under number 2
[Fri Mar 18 03:10:58 2022] [LLNG:9052] [error] Apply configuration for localhost: error 500 (read timeout)
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 3
[Fri Mar 18 03:11:05 2022] [LLNG:11006] [error] Apply configuration for localhost: error 500 (read timeout)
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 4
[Fri Mar 18 03:11:12 2022] [LLNG:11040] [error] Apply configuration for localhost: error 500 (read timeout)
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 5
[Fri Mar 18 03:11:19 2022] [LLNG:11068] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Portal URL should end with a /'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 6
[Fri Mar 18 03:11:26 2022] [LLNG:11095] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 7
[Fri Mar 18 03:11:32 2022] [LLNG:11132] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 8
[Fri Mar 18 03:11:39 2022] [LLNG:11157] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 9
[Fri Mar 18 03:11:46 2022] [LLNG:11196] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];