NS8 LDAP instance as an external LDAP service (URI)

LayLow · March 19, 2024, 2:24am

Hi,

Can any LDAP instance on a NS8 cluster act as an external LDAP service to other apps, both cluster apps and external apps?

TIA

Andy_Wismer · March 19, 2024, 5:53am

Same as with AD, as both AD / LDAP uses the same ports: only the first one on a node can be accessible with ports from “outside”. More or less “logical” for NS8…

My 2 cents
Andy

davidep · March 19, 2024, 7:05am

No it cannot. It is a planned feature though.

oneitonitram · March 19, 2024, 8:12am

@davidep so could this be the reason why the Authentik App in ns8 is unable to connect to ldap?

LayLow · March 19, 2024, 6:21pm

I am afraid so, for this moment.

LayLow · March 19, 2024, 6:26pm

Thanks, is there a card for it pls?

oneitonitram · March 19, 2024, 6:48pm

ok then, looking forward to a resolution soon,

Meanwhile, we have a zitadel App in the works, atleast it implements the ldap configs in the env variables, so possibly able to implement ldap with it similar to how other apps work,

however it is also a multi tenant system, so need to figure out how to best implement that part.

Will share more details once available.

<side note
We actually need it for a solution we are building internally with surrealDB, which also implemented authentication with provider in the scope. Nifty stuff.

Now just waiting for Penpot 2.0 release, then we can build the interface in weeks as opposed to months. loving Opensource, Also considering making the project Opensource as well. who knows…

dnutan · March 19, 2024, 8:42pm

Could be this one?

oneitonitram · March 19, 2024, 9:30pm

i suspect it is, but in this case we are more interested for within the cluster or even the Node

LayLow · March 19, 2024, 9:36pm

It is… Thanks!

Un-shamefully poking @giacomo a bit

LayLow · March 19, 2024, 9:38pm

I guess the description of the card is correct, from OUTSIDE the VPN

giacomo · March 20, 2024, 8:14am

It’s that one

We would need it, if you want to import NS8 LDAP users inside NethSecurity to ease roadwarrior OpenVPN configuration.

You can already access LDAP within the node.

oneitonitram · March 20, 2024, 8:19am

must there be modifications to the App running on the Node, or there is no need for special access modifications

giacomo · March 20, 2024, 8:39am

You need to access the LDAP poxy instance ad the right port.
An example:

github.com

NethServer/ns8-nextcloud/blob/main/imageroot/bin/setup-ldap

#!/usr/bin/env python3

#
# Copyright (C) 2021 Nethesis S.r.l.
# http://www.nethesis.it - nethserver@nethesis.it
#
# This script is part of NethServer.
#
# NethServer is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License,
# or any later version.
#
# NethServer is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with NethServer.  If not, see COPYING.

This file has been truncated. show original

More info here: User domains | NS8 dev manual

oneitonitram · March 20, 2024, 8:42am

my question was, must all apps installed in Ns8, implement that configuration code to make it viable to commuicate with the ldap?

Equally, an app like authentik, does not implement env variables for ldap config so how should the mapping be handled.

Could you kindly take a look at the authentik app and advice.

LayLow · March 20, 2024, 3:06pm

Any request from anywhere for that matter, so not just apps installed on a cluster-node but also other LDAP requesst coming from e.g. another application server on the LAN or even WAN.

oneitonitram · March 20, 2024, 3:08pm

i am more interested in normal podman run isntalls ldap just working, without the need of building them as an App

davidep · March 20, 2024, 5:45pm

If you want to connect from a cluster node, without implementing the LDAP discovery procedure like Giacomo already pointed out, you can copy the LDAP connection settings from the Domains and Users page.

Does it answer your question?

oneitonitram · March 20, 2024, 6:54pm

Checkout the Authenkik thread discussions. It doesn’t seem to work as expected.

I was to find time and implement a simple app that I know works fetching ldap users and test to prove wrong my hypothesis, haven’t yet…

LayLow · March 20, 2024, 7:44pm

Thanks, but not really. ‘we’ tried the 10.x.x.x:port but no luck. The LDAP discovery procedure is for development I guess? I was expecting (shame on me) to be able to enter a valid LDAP URI, proper credentials and done… Actually what it says on the feature card.

I am confused.