Single sign-on (SSO)/Identity and access management (IAM) for Nethserver

What I’m doing is pulling the properties from the sssd key and using them to configure LemonLDAP. It should work, AFAIK, but I haven’t tested it as yet.

1 Like

indeed, check nethserver-phpldapadmin/root/etc/e-smith/templates/etc/phpldapadmin/config.php/08Settings_of_Ldap_server at ns7 · stephdl/nethserver-phpldapadmin · GitHub

you have an error in template expansion

Mar 22 20:01:24 ns7loc11 systemd: Reloading The Apache HTTP Server.
Mar 22 20:01:24 ns7loc11 httpd: AH00526: Syntax error on line 72 of /etc/httpd/conf.d/z-lemonldap-ng-manager.conf:
Mar 22 20:01:24 ns7loc11 httpd: SSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/file' - PEM or DER encoded)
Mar 22 20:01:24 ns7loc11 systemd: httpd.service: control process exited, code=exited status=1
Mar 22 20:01:24 ns7loc11 systemd: Reload failed for The Apache HTTP Server.

the default is that the $pki props are not set; if not set, the template defaults to /etc/pki/tls/certs/NSRV.crt and /etc/pki/tls/private/NSRV.key

please check /etc/e-smith/templates/certificate/crt/00crt

why not simply use the default certificate expansion with

/etc/pki/tls/certs/localhost.crt
/etc/pki/tls/private/localhost.key

I use it for my module, it follows the default certificate

Two reasons, at least:

  • Since I have those properties set, I tend to assume everyone else does, and
  • I want to allow users to specify an independent cert for these vhosts (which is a capability all vhosts should have, IMO).

But clearly I need to handle the case where those properties aren’t set.

1 Like
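The fallback discussed above, as an added example that is not code from nethserver-lemonldap-ng or from NethServer's own templates: when the properties that point at a custom certificate are empty, the default NSRV.crt/NSRV.key paths from the post above are used instead of emitting an empty argument (which is what produced the "SSLCertificateFile takes one argument" error in the httpd reload log). The property names CrtFile/KeyFile on the pki key and the `config getprop` helper are assumptions and are only referenced in the last function.

```shell
#!/bin/sh
# Added example, not the module's or NethServer's own code.
# Resolve the TLS certificate/key paths for the LemonLDAP vhost config,
# falling back to the NethServer default certificate named in the thread
# when the pki properties are empty.

DEFAULT_CRT=/etc/pki/tls/certs/NSRV.crt
DEFAULT_KEY=/etc/pki/tls/private/NSRV.key

# pick_path VALUE DEFAULT: print VALUE if non-empty, else DEFAULT.
pick_path() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# is_pem FILE: true if FILE is readable and starts with a PEM header.
is_pem() {
    [ -r "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN '
}

# render_ssl_directives CRT_PROP KEY_PROP: print the two Apache directives,
# resolving empty property values to the defaults. Returns 1 (and prints
# nothing) if the chosen certificate is not a readable PEM file, so the
# problem is caught before httpd is asked to reload a broken vhost file.
render_ssl_directives() {
    crt=$(pick_path "$1" "$DEFAULT_CRT")
    key=$(pick_path "$2" "$DEFAULT_KEY")
    is_pem "$crt" || {
        echo "certificate $crt is not a readable PEM file" >&2
        return 1
    }
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$crt" "$key"
}

# get_ssl_directives: same thing, but reading the (assumed) pki properties
# CrtFile/KeyFile with NethServer's config tool. Not called by the functions
# above, so the rest of the file runs without NethServer present.
get_ssl_directives() {
    render_ssl_directives "$(config getprop pki CrtFile)" "$(config getprop pki KeyFile)"
}
```

The PEM check is deliberately in the renderer rather than in the template consumer: an Apache `SSLCertificateFile` pointing at a missing file fails the reload just as an empty argument does, and it is cheaper to refuse to render than to debug it from the httpd log afterwards.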

please ping me once done we could look after samba AD… @+

2 Likes

Should be fixed now, new RPM in the repo.

Here’s another example of how a system like this would be useful–you could control application access by group membership:

1 Like

@stephdl, any chance to take a look at the updated RPM?

1 Like

on my todo

let's debug

I have a template broken, check : https://gist.github.com/stephdl/49a9646d6ac8f333ec913a3aa00b6f9c

You should state that installing the module requires enabling the extra repository, else the first rpm installation will disable it; so either yum install nethserver-lemonldap-ng --enablerepo=lemonldap-ng,lemonldap-ng-extras or create the code to permanently enable them

let's go to fix

I am redirected to http://auth.example.com/ :-?

OK, I needed to launch the configuration script the first time; why not test for a string that we know is the default and trigger the script if we find it? Like this we could automate it.

the script /root/lemon_config.sh must end with systemctl reload httpd

indeed, no magic rabbit for Active Directory; will play later. For now I can authenticate with LDAP
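The automation suggested in the post above, as an added example rather than code from the module: look for the untouched default marker in the LemonLDAP::NG configuration (the stock example.com domain, which is what caused the redirect to http://auth.example.com/), run the one-time configuration script only in that case, and finish with the httpd reload the script must end with. The script path and the reload command are the ones named in the thread; the configuration file path is a placeholder, since the thread does not name it.

```shell
#!/bin/sh
# Added example, not the module's own code.
# Run the first-time LemonLDAP::NG configuration only when the config still
# carries the default domain marker, then reload httpd.

LLNG_CONF=/path/to/lemonldap-ng-config   # placeholder: config file left at defaults by the install
FIRST_RUN_SCRIPT=/root/lemon_config.sh   # from the thread
RELOAD_CMD='systemctl reload httpd'      # from the thread: the script must end with this
DEFAULT_MARKER='example.com'             # assumed marker: the stock LLNG domain

# needs_first_run FILE: true if FILE is readable and still contains the
# default domain marker, i.e. the portal has never been configured here.
needs_first_run() {
    [ -r "$1" ] && grep -q "$DEFAULT_MARKER" "$1"
}

# run_first_config FILE SCRIPT RELOAD_CMD: run SCRIPT only when FILE still
# holds the default marker, then run RELOAD_CMD (unquoted on purpose, so a
# multi-word command such as "systemctl reload httpd" works). Prints
# "configured" or "already-configured" and returns 0; returns 1 without
# reloading if the script fails, so httpd never picks up a half-written config.
run_first_config() {
    file=$1
    script=$2
    reload=$3
    if needs_first_run "$file"; then
        "$script" || return 1
        $reload || return 1
        echo configured
    else
        echo already-configured
    fi
}

# Production call (not executed here): run_first_config "$LLNG_CONF" "$FIRST_RUN_SCRIPT" "$RELOAD_CMD"
```

Testing for the marker rather than for "has the script ever run" makes the check idempotent: once the script has replaced the default domain, a second invocation is a no-op, which is what you want from an RPM %post or an e-smith event action that may fire more than once.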

README updated for this.

That’s bizarre; I know I’d made that exact fix myself–must have been on a working copy outside of the repo. Fixed.

This will take a little bit of thought. In an earlier draft, I had the sed commands as part of %post in the .spec file, but the request up-topic to have the portal FQDN configurable made that seem inappropriate. For right now, added a more explicit warning to the README.

Not quite sure why that’d be needed (as it doesn’t change any httpd configuration), but easy enough to do. Fixed.

Fixes are pushed to the github repo, new RPM is built, should appear in my repo within a half hour or so.

Guys, I am not sure if this fits here, but did anybody of you have a look at privacyIDEA? They provide an OSS solution of a feature-rich 2FA server, that among other things even provides a free OSS credential provider that would enable Windows login with 2FA. One just has to compile it oneself with Visual Studio, and I believe that a full integration in nethserver could be a great improvement! I had a look at it and the server was easy to install in CentOS and configure to query neth AD. After some tinkering I was able to compile their credential provider (but I unfortunately had no time to integrate it in our Windows 10 clients). In the end the need for 2FA for the Windows login was considered nonessential in our case, so I focused on other stuff, but from what I had discovered this could be a really good all-in-one solution for 2FA, so I thought I'd mention it here just in case someone would like to have a look at it.

That really looks like it has a different, though somewhat-related, purpose. LLNG (and Keycloak, and Gluu, etc.) are SSO/IAM servers. Their purpose is to provide authentication and authorization via standard protocols (SAML, OIDC, CAS, etc), and in the course of so doing, they can implement MFA according to whatever policy you care to implement (perhaps password-only for some applications, TOTP code for others, and a hardware authenticator key for others). From what I can tell based on an admittedly-brief look at privacyIDEA, its purpose is only to provide 2FA, and it looks like it needs explicit application support for PI rather than standard protocols.

Now, if the point is to set up 2FA for a local Windows system, looks like you can do that with a YubiKey:

Not sure about TOTP codes, though.

Edit: the application that really got me looking into this was SSH certificates, which (in the version I’m seeing, anyway) requires OIDC to authenticate:

2 Likes

@Shane_Treweek has written up how to use it for Education Perfect here:

Dear all, I found an article regarding Authentik and its integration with Nextcloud.

Your views on Authentik https://goauthentik.io/

I’ve heard of it, but haven’t looked into it in much depth. Is there a reason you believe Authentik is superior to LLNG?