NethServer 8: planning an evolution

On the contrary, that’s directly in the scope of the IAM solution–it can set access rules for each application, such that only the appropriate users have access to any given application.

I think my interest was more along the lines of a redundant cluster, something like hotsync on steroids–or maybe even an arrangement where two systems would be “live” replicas and could load-balance. Sounds like that may be down the road, if at all.

I agree it adds a layer of complexity, and it isn’t a trivial one. OTOH, it’s a significant boost to security (applications can’t leak credentials, as they never have them) and application capabilities (want YubiKey support in Roundcube? No problem!). And I believe it can also act as an LDAP proxy, though I haven’t really looked into that so far.

For this to be as useful as possible, we’d want to have as many of our applications as possible “speak” some sort of SSO protocol, and the real question for me is whatever is going to become the new server manager/admin GUI. Understanding it’s early, what’s the intent with that? Write something custom, a la Nethgui? Adapt an existing project (like Cockpit)? If the latter, which (if any) candidates are being considered?

That would be a good alternative, though you’re then limited to DNS providers with APIs–though Cloudflare continues to be an excellent option in that regard. I’d posted this request the other day:

It was motivated by the way CyberPanel and Mail-in-a-Box handle DNS–they both expect to be configured as the authoritative DNS servers for their domain, and they then automatically create the required records. In the case of MiaB, that’s over 50 records for a single domain (I posted the list in the topic linked above). There’s no way we’d trust an admin to get all these right, but if we’re serving them ourselves, no problem. I hadn’t considered integration with an outside DNS host, but that could accomplish much the same thing.
