LemonLDAP::NG and multiple LDAP servers

Reminds me of a scene from Back to the Future 2 where the main character is showing off playing a pinball machine and two kids look at him and say, “You mean you have to use your hands? That’s like a baby’s toy.”


I’m still waiting for someone to put a telekinetic keyboard on the market…
Throw in a 3D telekinetic mouse, and we’re getting there.

Upgrading the human being to be telekinetic-capable might be a touch more difficult, along the lines of: you can make something “idiot-proof”. But who defines what level is “Idiot”, and what to do with those who don’t even make the Amoeba level? :)


Plus 1 for technomancer implants


Add in the option to have these really nice Steam-Punk styled… :)


Well, that escalated quickly. I’ve split this discussion off into its own topic, as it doesn’t really seem to have anything to do with the installation.

Martin, your questions are getting into some advanced usage of LLNG, and you’d probably be better off asking through their support channels. I’m not aware of a way to set separate passwords for separate LDAP servers, though it’s possible I’m just missing it.

It sounds like your objective is to authenticate to one set of resources using one LDAP server, and to another set using another LDAP server–is that correct? If it is, I’m not sure LLNG can do that, but again I’d suggest their support channels: LemonLDAP::NG - Contact

Sure, and ldap+tls uses 389 by default–and both can use different ports if needed or desired. Why that would be done is really beside the point (but aside from “security through obscurity”, at least one other possible reason would be port conflicts–perhaps you’re running more than one LDAP server–possibly with different software–on the same machine). But the lengthy and somewhat heated digression about port usage is irrelevant; Shane correctly answered that the port number can be specified in the server host URI (as it can in pretty much any URI).

Nonsense, as you know perfectly well. Yes, pages that are intended to be open to the public are almost always on ports 80/443 (even then, I’ve seen exceptions, though rare). But internal stuff can, and routinely does, run on all kinds of ports, for a variety of reasons–one being, as you’ve mentioned, a form of “security through obscurity”; one being that it makes firewall configuration easier, so that you can control access to different applications by different IP/network ranges; one being that it’s a different piece of software, so it can’t use the same port being used by another piece of software; one being that the software in question doesn’t (and doesn’t want to) run as root, so it can’t bind to a <1024 port–doubtless there are other reasons as well.

Not sure what you’re saying here, or why you think it’s relevant.

Huh? The further I read, the more bizarre this gets. No, it has nothing to do with the ports; it’s all about virtual hosts and (if TLS is in play) SNI. You can serve hundreds–or thousands–of domains on the same IP, and same ports, that way. Sure, they probably use a different port for their admin pages and such, but that really isn’t relevant.

I guess you’ve just changed the definition of web page to something that’s only accessed over ports 80/443. If that’s the case, you do you, but your insistence on this as an absolute seems a little odd.


We are talking about hosted webpages, ie PUBLIC…

What you are talking about are institutional or organizational stuff, and there you can do as needed. For public access, using other ports than 80 and 443 just defeats the purpose of a public web page…

This is a classic example of “Home / Amateur usage”. If it’s professional, you can “afford” 2 IPs…

A SC Justice just doesn’t “do” a normal divorce case… :)

And: Martin here IS looking for something to offer as a professional service (commercial).

“most hotspots only allow these two ports.”
is only relevant for “public” webpages.

Otherwise, it did get a “bit” lengthy, and very Off topic. So splitting was the right thing…

My 2 cents

But it does raise kind of an interesting question. It’s trivial to host multiple pages/sites/domains on a single IP, even if they’re hosted with different software, by way of virtual hosts, SNI, and reverse proxies. But I don’t know if there’s LDAP proxy software that works like, say, HAProxy–so that a connection attempt to ldaps://ldap.domain1.tld gets transparently routed to one server, while ldaps://ldap.domain2.tld goes to a different one.

But in any event, while there may be a variety of issues with Martin’s plan, port numbers aren’t one of them.
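Dan’s question about routing ldaps:// connections by host name does have an answer in HAProxy’s TCP mode. The following is an added example, not something posted in the thread: HAProxy peeks at the TLS ClientHello, reads the SNI name, and forwards the still-encrypted stream to the matching LDAP server, which terminates TLS itself. The backend addresses are constructed placeholders; the host names are the ones from the post, and the setup assumes the LDAP client actually sends SNI (plain ldap:// on 389 or StartTLS cannot be routed this way, because there is no ClientHello at connection start).

```haproxy
defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ldaps_in
    bind *:636
    # Hold the connection only long enough to see the TLS ClientHello,
    # then route on the SNI name it carries. Nothing is decrypted here.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend ldap_domain1 if { req.ssl_sni -i ldap.domain1.tld }
    use_backend ldap_domain2 if { req.ssl_sni -i ldap.domain2.tld }
    # Missing or unknown SNI: refuse instead of guessing a directory.
    default_backend ldap_reject

backend ldap_domain1
    # Constructed placeholder address; the server must present a
    # certificate valid for ldap.domain1.tld, since TLS ends there.
    server ldap1 10.0.1.10:636 check

backend ldap_domain2
    # Constructed placeholder address.
    server ldap2 10.0.2.10:636 check

backend ldap_reject
    tcp-request content reject
```

Because the proxy never holds a key for either name, it cannot inspect or log bind operations; if that visibility is needed, TLS would have to be terminated at the proxy instead of passed through.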


Hi Dan!

There are commercial “Load Balancers” available, some with quite a lot of options, aka bells & whistles…

Some are specialized for AD / LDAP, others are specialized eg for RDP (Microsoft RDP Gateway was the old name)…

But one thing is still valid across all software: Not all were created equal…

Really good Load Balancers in this league tend to have the kind of price tag suitable eg for an Amazon / Google / Apple / DOD kind of budget…


My 2 cents

Yes, this is the case, using 2 separate sets of LDAP/AD credentials to authenticate using the same LLNG instance.

And true, this conversation became way too controversial.

Overall, as the world progresses, and as systems get built, life increases in complexity, and there comes the need to try and deal with these complexities in a manner that makes sense to us, but maybe not for others.

One would for example ask why anyone would need or require a home lab, or why anyone would need to self-host email, or even why you need Nextcloud. So everyone’s needs and use cases are unique, and they make sense from their own perspectives.

We have complex tools and complex systems that make our life easier, but add to the complexities.
A while back, software used to be built without Git. The first software we built, we never knew Git existed. But after learning about Git, later on we came to know something called CI/CD, which required another tool.

Later on, we had other complexities. While people use Heroku, for example, there are also free and open-source versions that do the same exact thing at a fraction of the cost, even if they were paid. Similar to Firebase.

While I might require those tools, since I build software and offer MSP services, others do not necessarily require them.
There is a reason why a company like Okta exists, and there is a reason we have password managers nowadays. I alone have over 200 logins that I need to be aware of, including my own personal ones, my family’s, as well as clients’. So it’s all a matter of perspective.

The world really has gotten complex.


Well, as I said, whether (and how) to do this, and for that matter if it’s even possible, are going to be questions for the LLNG support channels. But there are a couple of questions that you’ll need to consider:

  • In what way, or under what circumstances, is the second (or third, or nth) LDAP server contacted?
    • Is it only if the first one can’t be reached at all (i.e., as a backup)?
    • Is it only in the event of an authentication failure on the first?
    • Are any credentials tried against any configured servers, and authentication is successful if any one of them succeeds?
    • Or is it something else?
    • Can this be configured in the LLNG configuration?

The docs say, “They will be tested in the specified order,” which kind of makes it sound like the third sub-bullet is the case.

  • In what way do you want to use the two (or more) LDAP servers?
    • Do you just want to pool the users together, so that anyone on server1, server2, or server3 could authenticate to whatever resource you’re dealing with?
      • This looks like what LLNG would do by default, from how I read the docs.
      • So what happens when you have user fred on each of server1 and server3? Which user gets logged in? It looks like it’s fred@server1. So how can fred@server3 log in?
    • Do you want users from server1 to have access to a different set of resources than users on server2?
      • If the resources in question are on different virtual hosts, this could probably be managed using LLNG’s access rules for each virtual host–as long as server1 and server2 send some unique attribute so you can identify which users belong to which, it sounds like it should be possible.

In short, I suspect what you’re trying to do is likely possible, but you’re going to need to give some more care to framing the question, and ask the experts–I’ve played with LLNG a bit, and I’ve been able to make it do what I want so far, but I’m far from an expert with it.