Install LemonLDAP::NG SSO/IAM on Nethserver

Not sure if RAM would be the issue; maybe there’s a way to cluster them? I’ll admit I haven’t used OpenStack before. What model are they?

Just pushed out another update. This one adds logic to lemon_config.sh to warn if you’ve already made changes to the LLNG configuration (as shown by the presence of a lmConf-2.json file), and give the opportunity to cancel. But it will still make the specified changes if you ask it to.

Edit: and another fix to the exported variables when it’s set for local OpenLDAP authentication.

2 Likes

Quick question: I’m trying to use the reverse proxy to point to another NethServer server on the network with a Nextcloud instance. If I point it to a static page on a separate server it works, but if it redirects, like in the case of Nextcloud, it keeps redirecting to the auth page with a bad gateway. I’ve looked over the LemonLDAP documentation but I can’t find a reference to it (or at least anything that stands out to me).

Never mind, I found the answer staring me in the face: under the LLNG manager, under virtual hosts, you add the web address and create a rule with Regular expression=^/public/ Rule=skip
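The rule above works because a LemonLDAP::NG virtual host evaluates its location rules in order and the first regular expression that matches the request path decides the outcome; "skip" tells the handler not to look for a session at all, so those paths are never bounced to the portal. The following is an added illustration of that ordering, written for this thread, not code from LemonLDAP::NG itself; the portal URL, the second rule and the tiny "$uid eq '...'" condition syntax it understands are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed model of how an LLNG virtual host applies its location rules.
# Rules are tested top to bottom; the first regex that matches wins.
#   "skip"   -> no session check, request is passed through anonymously
#   "accept" -> any authenticated user is allowed
#   "deny"   -> always refused
# Anything else is treated as a condition on session attributes; only the
# subset  $attr eq 'value'  is handled here (an assumption of this model).

PORTAL = "https://auth.example.com"  # assumed portal URL, not from the thread

Rule = Tuple[str, str]  # (regular expression, rule)


def evaluate(rules: List[Rule], default: str, path: str,
             session: Optional[Dict[str, str]]) -> str:
    """Return 'skip', 'accept', 'deny' or 'redirect' for one request.

    `session` is None for an anonymous request, otherwise the session's
    attributes. 'redirect' means LLNG would send the browser to PORTAL.
    """
    for pattern, rule in rules:
        if re.search(pattern, path):
            return _apply(rule, session)
    return _apply(default, session)


def _apply(rule: str, session: Optional[Dict[str, str]]) -> str:
    if rule == "skip":
        return "skip"          # handler does not even consult the session
    if rule == "deny":
        return "deny"
    if session is None:
        return "redirect"      # rule needs a session and there is none
    if rule == "accept":
        return "accept"
    m = re.fullmatch(r"\$(\w+)\s+eq\s+'([^']*)'", rule.strip())
    if m:
        return "accept" if session.get(m.group(1)) == m.group(2) else "deny"
    raise ValueError(f"unsupported rule: {rule!r}")


# Constructed rule set modelled on the post: the poster's ^/public/ skip rule
# plus an assumed admin-only rule, with the default rule set to "accept".
NEXTCLOUD_RULES: List[Rule] = [
    (r"^/public/", "skip"),
    (r"^/settings/admin", "$uid eq 'admin'"),
]
DEFAULT_RULE = "accept"


def decide(path: str, session: Optional[Dict[str, str]]) -> str:
    return evaluate(NEXTCLOUD_RULES, DEFAULT_RULE, path, session)


if __name__ == "__main__":
    for path, sess in [("/public/share", None),
                       ("/index.php/apps/files", None),
                       ("/index.php/apps/files", {"uid": "bob"}),
                       ("/settings/admin", {"uid": "bob"}),
                       ("/settings/admin", {"uid": "admin"})]:
        print(f"{path:28} session={sess!s:16} -> {decide(path, sess)}")
```

Without the skip rule, the anonymous request for a public path would take the default rule, get "redirect", and a client that cannot follow a portal redirect sees exactly the loop described in the question.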

On another note, in regards to the guide issue with Nextcloud, I came across this: https://help.nextcloud.com/t/ldap-users-show-as-sid-and-not-user-name/26153. Haven’t tested yet.

Makes it look like I could make Nextcloud (without LLNG) behave like Nextcloud with LLNG by doing something like this:

I tend to think that would be a win, but it still leaves the question of what to do about servers with existing data.

2 Likes

I think it’s now time to begin installing this solution.
Wish me a smooth ride.

2 Likes

[image]

4 Likes

I’ve just pushed another update to the repo, this adds the option to lock down access to the manager to local networks only. To take advantage of this, run config setprop lemonldap access private followed by signal-event nethserver-lemonldap-ng-update.

4 Likes

Hello @danb35, do you think, using this SSO Mapping Providers - Synapse (matrix-org.github.io),

it is possible to make use of LemonLDAP on our Matrix-Synapse?

Looks like it should be; see: https://matrix-org.github.io/synapse/v1.41/openid.html

Can I give you access to my testing matrix-synapse server (if you don’t have one)? You configure it, then add the config instructions to the other instructions wiki you’ve already created.

Or you could alternatively deploy your own Matrix - synapse - Howto - NethServer Community
and connect.

I haven’t used it and don’t see much occasion to at the moment. Maybe you could give it a try. OpenID Connect is fairly straightforward to set up; I’d expect you should be able to adapt the instructions I wrote for Proxmox and go from there.

Yesterday I came across this:
Authelia - Authentication server providing two-factor and SSO

Yes, I’m somewhat familiar with Authelia. It’s designed to work with reverse proxy software like Traefik (which is going to be an important part of NS8), but it doesn’t appear that it provides the support for standard SSO protocols like OIDC, SAML, or CAS.

I got this working on a clean NethServer SAMBA/AD & Nextcloud instance hosted on TrueNAS, thank you for the HowTo @danb35. I’ll admit I am clueless here starting with trying to understand the protocols (Youtube is helping but bleh) but I was able to plug along and start a foundational knowledge because of this walkthrough.

2 Likes

Glad you got it working. From my observations, it appears that OpenID Connect is the simplest protocol to set up: set up the RP in the web manager, determine the client ID and secret as well as the callback URL, and save. In the client application, enter https://auth.yourdomain as the source, and the client ID and secret you used before. That’s pretty much it. SAML2 configuration’s described in the wiki as well, but it seems a bit more complicated.
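To show what the client side actually does with those three values (issuer, client ID and secret, callback URL), here is an added example of the authorization-code leg of OpenID Connect as a relying party would perform it. It is written for this thread and is not code from LemonLDAP::NG or from any Nextcloud/Proxmox plugin; the discovery document is a constructed stand-in for what https://auth.yourdomain/.well-known/openid-configuration would return, the endpoint paths and the client details are assumptions, and nothing is sent over the network.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the provider's discovery document; "auth.yourdomain"
# is the placeholder host from the post above and the paths are assumptions.
ISSUER = "https://auth.yourdomain"
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
}

# Assumed client registration (what you typed into the LLNG manager).
CLIENT_ID = "nextcloud"
CLIENT_SECRET = "constructed-secret"
CALLBACK_URL = "https://cloud.example.com/apps/oidc/callback"


def start_login() -> Tuple[str, Dict[str, str]]:
    """Build the redirect to the provider and the per-login values to keep.

    state protects the callback against CSRF, nonce binds the id_token to
    this login, and the PKCE verifier binds the code to this client.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,   # must match the RP's registered URL
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "verifier": verifier}


def handle_callback(request_url: str, pending: Dict[str, str]) -> str:
    """Validate the browser's return trip and extract the authorization code."""
    parsed = urlparse(request_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CALLBACK_URL:
        raise ValueError("callback arrived at an unexpected URL")
    q = parse_qs(parsed.query)
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: stale or forged login attempt")
    return q["code"][0]


def token_request(code: str, pending: Dict[str, str]) -> Dict[str, object]:
    """The POST the RP would make next (client_secret_post style, assumed)."""
    return {
        "url": DISCOVERY["token_endpoint"],
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": CALLBACK_URL,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "code_verifier": pending["verifier"],
        },
    }


def run_demo() -> Dict[str, object]:
    """Drive one login against a constructed callback and report the checks."""
    url, pending = run_demo_start()
    sent = parse_qs(urlparse(url).query)
    good = f"{CALLBACK_URL}?code=abc123&state={pending['state']}"
    bad = f"{CALLBACK_URL}?code=abc123&state=not-the-state"
    try:
        handle_callback(bad, pending)
        rejected = False
    except ValueError:
        rejected = True
    code = handle_callback(good, pending)
    return {
        "authorize_url_ok": url.startswith(DISCOVERY["authorization_endpoint"] + "?"),
        "state_round_trips": sent["state"][0] == pending["state"],
        "code": code,
        "mismatch_rejected": rejected,
        "token_url": token_request(code, pending)["url"],
    }


def run_demo_start() -> Tuple[str, Dict[str, str]]:
    return start_login()


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The id_token returned by the token endpoint would then be checked against the issuer's signing keys and against the stored nonce; that part is omitted here, as is the HTTP transport. The point of the example is that the callback URL you register in the manager and the one the client sends as redirect_uri have to be identical, and that the client has to verify state before trusting the code it gets back.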

I noticed sometimes when logging in it comes up with an error, then I go to the portal, log in again and it works. Since I fixed my AD cert

I changed the connection settings in the LemonLDAP-NG manager

and it worked, and a lot faster; haven’t had any errors now.

3 Likes

Unfortunately it didn’t stick; got errors today about the portal, so I kept everything the same, i.e. port 636 and ldaps://ad.ksatdesign.com.au and user, but had to change cert verification back to none.

Although even without the cert verification it’s still not having the other issues I was having, and is still as fast.

Update:
I was trying a few things and noticed that if I add nsdc-orion.ad.ksatdesign.com.au to the DNS of NethServer with its IP and add that to Let’s Encrypt, the use of the cert in the manager works with the original config with cert set to require. Let’s see if that holds.

I’ve used ldap+tls://ad.ksatdesign.com.au port 389 and certificate set to required now; saved and it works, plus it removes the errors about IO::Socket being too old.

No errors when trying to log in now, but in the httpd logs I noticed this:

User rejected because VirtualHost "lemonldap-ng.org" has no configuration, although I’m not sure what file it’s referenced in.

Update: I think the issue with the error on first boot is that the fcgi is timing out too soon while running the scripts the first time, and it works the second time because the scripts have finished loading, so
I’ve changed the file /etc/httpd/conf.d/fcgid.conf to:

# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at
# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html

# Use FastCGI to process .fcg .fcgi & .fpl scripts
AddHandler fcgid-script fcg fcgi fpl
# Added: raise the busy and I/O timeouts (seconds) so the first request
# does not fail while the LLNG scripts are still starting up
FcgidBusyTimeout 3600
FcgidIOTimeout 3600
# Sane place to put sockets and shared memory file
FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm

Let’s hope that works.

OK, that seems to solve that issue. Still getting another one: Unchecked runtime.lastError: The message port closed before a response was received. I think this is what’s causing the issue on first login.

Issue turned out to be a Chrome extension (in my case the ad blocker and Monosnap).

Solution was to add *.domain.tld/* to the ad blocker exception list and remove the Monosnap Chrome extension (desktop Monosnap works fine without it).

1 Like