Install LemonLDAP::NG SSO/IAM on Nethserver

Looks like these guys https://www.authelia.com/

Have now added OIDC and Ldap support.


Also this should be updated with these:

Single-Sign On - Synapse (matrix-org.github.io)

Looks like OIDC is in beta according to their docs:
image


I am facing an installation error

failure: repodata/repomd.xml from lemonldap-ng: [Errno 256] No more mirrors to try.
https://lemonldap-ng.org/redhat/stable//noarch/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for lemonldap-ng: Damaged repomd.xml file
[root@nethserver-ad ~]# /root/lemon_config.sh
-bash: /root/lemon_config.sh: No such file or directory

what could be the problem?

Hi

Your installer script can’t reach the server https://lemonldap-ng.org - the reason could be either DNS or routing. But I assume DNS, as you can reach that server.

Can you ping google with FQDN? www.google.com ?

Yes, I am able to ping google.

It’s more accurate to say that yum isn’t downloading, at least, the complete/correct repomd.xml file, and if you’d shown a few more lines of the messages, it might be more obvious why. Let’s make sure the repo file has the correct contents–what are the complete contents of /etc/yum.repos.d/lemonldap-ng.repo?

complete message

Loaded plugins: changelog, fastestmirror, langpacks, nethserver_events
nethserver-danb35-1.1.0-1.ns7.noarch.rpm                                                        |  55 kB  00:00:00
Examining /var/tmp/yum-root-igh_Yq/nethserver-danb35-1.1.0-1.ns7.noarch.rpm: nethserver-danb35-1.1.0-1.ns7.noarch
/var/tmp/yum-root-igh_Yq/nethserver-danb35-1.1.0-1.ns7.noarch.rpm: does not update installed package.
Error: Nothing to do
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1694  100  1694    0     0   5162      0 --:--:-- --:--:-- --:--:--  5164
Loaded plugins: changelog, fastestmirror, langpacks, nethserver_events
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                            |  21 kB  00:00:00
 * ce-base: mirror.freethought-internet.co.uk
 * ce-extras: mirror.freethought-internet.co.uk
 * ce-sclo-rh: mirror.freethought-internet.co.uk
 * ce-sclo-sclo: mirror.freethought-internet.co.uk
 * ce-updates: mirror.freethought-internet.co.uk
 * epel: mirror.freethought-internet.co.uk
 * nethforge: nethserver.de-labrusse.fr
 * nethserver-base: nethserver.de-labrusse.fr
 * nethserver-updates: nethserver.de-labrusse.fr
ce-base/7/x86_64/signature                                                                      |  811 B  00:00:00
ce-base/7/x86_64/signature                                                                      | 3.6 kB  00:00:00 !!!
ce-extras/7/x86_64/signature                                                                    |  811 B  00:00:00
ce-extras/7/x86_64/signature                                                                    | 2.9 kB  00:00:00 !!!
ce-sclo-rh                                                                                      | 3.0 kB  00:00:00
ce-sclo-sclo                                                                                    | 3.0 kB  00:00:00
ce-updates/7/x86_64/signature                                                                   |  811 B  00:00:00
ce-updates/7/x86_64/signature                                                                   | 2.9 kB  00:00:00 !!!
danb35/7/signature                                                                              |  230 B  00:00:00
danb35/7/signature                                                                              | 2.9 kB  00:00:00 !!!
lemonldap-ng                                                                                    |  13 kB  00:00:00
https://lemonldap-ng.org/redhat/stable//noarch/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for lemonldap-ng: Damaged repomd.xml file
Trying other mirror.


 One of the configured repositories failed (LemonLDAP::NG packages),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=lemonldap-ng ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable lemonldap-ng
        or
            subscription-manager repos --disable=lemonldap-ng

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=lemonldap-ng.skip_if_unavailable=true

failure: repodata/repomd.xml from lemonldap-ng: [Errno 256] No more mirrors to try.
https://lemonldap-ng.org/redhat/stable//noarch/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for lemonldap-ng: Damaged repomd.xml file
./LemonLDAP-NG.sh: line 25: /root/lemon_config.sh: No such file or directory
[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable//noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

/etc/yum.repos.d/lemonldap-ng.repo

[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable//noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

should be

[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

as you’re running into the error that your server cannot connect to https://lemonldap-ng.org/redhat/stable//noarch
Not sure why it did that, but if you replace the contents in /etc/yum.repos.d/lemonldap-ng.repo with

[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2

and run yum -y update

you should be able to the issue

curl https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 > /etc/pki/rpm-gpg/RPM-GPG-KEY-OW2 && yum -y install nethserver-lemonldap-ng --enablerepo=lemonldap-ng,lemonldap-ng-extras && ~/lemon_config.sh

that should install it
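As an added example (not code from this thread or from the nethserver-lemonldap-ng module), a POSIX shell check that lints a yum .repo file for what went wrong above: a baseurl with an empty path segment (the `stable//noarch` left behind when `$releasever` is missing), stanzas whose baseurl does not use `$releasever` at all, and stanzas with gpgcheck switched off. The demo stanza at the bottom is a constructed copy of the broken file posted above.

```shell
#!/bin/sh
# Added example, not part of the thread or the nethserver-lemonldap-ng module.
# An unexpanded $releasever leaves "stable//noarch" in the baseurl, after which
# yum reports "Damaged repomd.xml"; this check catches that before yum runs.

# check_repo_file FILE: prints one "section: problem" line per finding,
# returns 0 if the file is clean and 1 otherwise.
check_repo_file() {
    file=$1
    problems=0
    section='(none)'
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '['*']')
                section=${line#\[}
                section=${section%\]} ;;
            baseurl=*)
                url=${line#baseurl=}
                path=${url#*://}        # drop the scheme so "https://" is not flagged
                case $path in
                    *//*)
                        echo "$section: empty path segment in baseurl ($url)"
                        problems=$((problems + 1)) ;;
                esac
                case $url in
                    *'$releasever'*) ;; # literal $releasever, expanded by yum later
                    *)
                        echo "$section: baseurl does not use \$releasever ($url)"
                        problems=$((problems + 1)) ;;
                esac ;;
            gpgcheck=0)
                echo "$section: gpgcheck is disabled"
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Demo on a constructed copy of the broken stanza posted above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/stable//noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
EOF
check_repo_file "$demo" || echo "fix the repo file before running yum"
rm -f "$demo"
```

Run it against /etc/yum.repos.d/lemonldap-ng.repo with `check_repo_file /etc/yum.repos.d/lemonldap-ng.repo` after sourcing the file; a non-zero exit means the file still needs the `$releasever` fix.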

Seems to have installed, as I can access the manager interface.

But this came up; not sure whether it has any effect or not.

Complete!
Saved under number 2
[Fri Mar 18 03:10:58 2022] [LLNG:9052] [error] Apply configuration for localhost: error 500 (read timeout)
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 3
[Fri Mar 18 03:11:05 2022] [LLNG:11006] [error] Apply configuration for localhost: error 500 (read timeout)
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 4
[Fri Mar 18 03:11:12 2022] [LLNG:11040] [error] Apply configuration for localhost: error 500 (read timeout)
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 5
[Fri Mar 18 03:11:19 2022] [LLNG:11068] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Portal URL should end with a /'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 6
[Fri Mar 18 03:11:26 2022] [LLNG:11095] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 7
[Fri Mar 18 03:11:32 2022] [LLNG:11132] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 8
[Fri Mar 18 03:11:39 2022] [LLNG:11157] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];
Saved under number 9
[Fri Mar 18 03:11:46 2022] [LLNG:11196] [error] Apply configuration for localhost: error 500 (read timeout)
Warnings: [
          {
            'message' => 'Your version of IO::Socket::IP is too old to enforce connection timeouts on ldaps:// URLs. Use ldap+tls:// instead'
          }
        ];
Status  : [
          {
            'localhost' => 'Error 500 (read timeout)'
          }
        ];

Ignore that; it will be fixed when you configure the server.


I’ve added a new install script; you can now install LLNG by running a single command: curl https://raw.githubusercontent.com/danb35/nethserver-lemonldap-ng/master/install-llng.sh | sh

Be aware that this runs the lemon_config.sh script with all the defaults, so if you want to customize it, you should follow the previous instructions. The Wiki and GitHub README have been updated to reflect this.


@danb35 How do you map these 2 attributes correctly in Nextcloud, making use of LLNG?

I can’t edit them in NC, and they are not being pulled from what is entered in Cockpit or phpLDAPadmin.

I’ve got the mapping set correctly in mine; take a look at my manager.

I’ve updated the Nethserver Module LemonLDAP-NG wiki to add Zabbix SAML login integration instructions, updated the Nextcloud section to enable signing, and updated the instructions for Zammad for extra security.


As you all are aware, I have spent a large chunk of time researching and working out SSO implementations for NS8.

While I avoided LLNG for NS8 due to complexities in its implementation in a dockerized environment, I might have worked out a way I can get this working in NS8, thereby making it easy for users of this tool to seamlessly migrate into NS8.

@danb35 What database option did you use for LLNG in NS7? This is important to know which versions to have implemented in NS8, for purposes of data migration.

I do not want to get into complex DB migrations for a tool I understand not much about.

I am tracking the implementation discussions here: LemonLdapNg · Issue #4 · geniusdynamics/dev · GitHub

and when we have something workable for NS8, a new discussion of LLNG for NS8.

As I configure it with my module, it doesn’t use a database. It connects to whatever accounts provider your server is configured to use, either OpenLDAP or Active Directory (local or remote).

Ok, thank you for the feedback. Then this will be retained as well for NS8, to make a migration path easier and possible.

So this is the plan.

Implement LLNG as an NS8 app that readily integrates with whatever account provider the user uses, either LDAP or AD.

For those using NS7 and LLNG, a migration should be as simple as: migrate the existing LDAP server, install NS8 LLNG, copy the config files to the new LLNG, and you’re good to go. (Maybe we could automate this using the migration module as well.)

Since LLNG only supports OIDC, CAS and SAML, anyone that requires any other authentication method would be welcome to implement Authentik and/or Zitadel.

These 2 would communicate with LLNG via SAML, and other apps to be authenticated could be implemented in either of the 2.

For most core NS8 apps, LLNG could be auto-implemented to integrate with them. ENV variables for OIDC and SAML are available for most apps we have implemented and those already implemented in NS8, and if we can fetch the parameters from LLNG, then we can pre-apply them to the apps if LLNG is chosen as the SSO provider.

For those with complex integrations that require some sort of bridging and branching, Zitadel might work for them, but the premise is that those would not be directly integrated with NS8.

This will not prevent anyone in need of directly connecting Authentik or Zitadel with LDAP; they are free to do so.

The next chapter will be to implement Traefik-level SSO for some apps.

I think with these, we can finally nail the numerous SSO discussions we have on the community forums. What do you think?
