Single sign on think tank

It’s super complicated, I know, but I swear I would pay through the roof if we could have a centralized 2FA implementation that touches each of the core NS apps (Nextcloud/Webtop/SOGo/Mattermost and such) within NS itself.

Thank you for your work. It’s super easy for me to forget the tremendous leaps NS has made these past few years with security.

1 Like

You are dreaming about SSO (single sign-on), but dreaming is cheap :smiley:

This could be added from a module side and pushed by an admin; however, I am not sure about the core base.

https://lemonldap-ng.org/welcome/#one

Would community sponsored funding help make this a reality within Nethserver?

1 Like

I have a lot of my modules that are supposed to work with LemonLDAP.

https://lemonldap-ng.org/documentation/latest/applications.html

2 Likes

Maybe integrate privacyIDEA?

SSO is such a sharp double-edged knife…

I am trying to understand what exactly LemonLDAP is and how it can be used.

Can someone with a bit more experience with it shed some more light on it for me?

An authentication portal for all your applications: when the user is authenticated in LemonLDAP, he doesn’t need to authenticate in each application.

Since the password comes from the LDAP of the account provider, if it is changed, you don’t need to change it in each application.

The example you know is with Google: once authenticated, you do not need to authenticate in Gmail, Duo, YouTube, etc.

Wow, nice tool.

Now this will help a great deal in a project I was working on, based on NethServer…

I have done a huge part of the research for the same, done a huge amount of testing, and was required to work on some testing here and there to get things going.

I am open to the idea of implementing something like LemonLDAP on NethServer, and I am open to providing any assistance if necessary.

Tell me.

Can this be used with non-LDAP-aware applications? For instance, if a (web) application uses a local MySQL database for authentication, can this sync the password used in the Samba4 account provider with the MySQL auth?

Exactly; for instance, LemonLDAP can authenticate WordPress. I know it is possible also with basic authentication. In short, LemonLDAP is also a reverse proxy and sends some HTTP headers with the password and the username.

Of course, each application’s authentication must be developed; it is a huge work.
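The header-passing setup described above has one caveat worth seeing in code: a backend that reads the username from an HTTP header is only as safe as its guarantee that the header came from the SSO proxy and not directly from a client. The following is an added example, not LemonLDAP code or anything from the NethServer project; the header names `Auth-User` and `X-Proxy-Secret`, the proxy address `10.0.0.5` and the shared secret are constructed assumptions, and the check is written as a plain WSGI-style function so it runs offline.

```python
# Added example: an application that sits behind a header-based SSO reverse proxy.
# Shows the naive pattern (trust the identity header from anyone) next to a
# hardened one (accept it only from the proxy, proven by source address and a
# shared secret). All names and addresses below are constructed for the example.
import hmac

TRUSTED_PROXIES = {"10.0.0.5"}              # constructed: address of the SSO reverse proxy
PROXY_SECRET = b"constructed-shared-secret"  # assumed: configured on both proxy and app
USER_HEADER = "Auth-User"                    # assumed: header the proxy fills with the user
SECRET_HEADER = "X-Proxy-Secret"             # hypothetical: header carrying the shared secret


def headers_from_environ(environ):
    """Turn WSGI HTTP_* keys back into 'Header-Name' form."""
    out = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").title()
            out[name] = value
    return out


def naive_identify(environ):
    """Vulnerable pattern: whoever sets the header becomes that user."""
    return headers_from_environ(environ).get(USER_HEADER)


def hardened_identify(environ):
    """Accept the identity header only for requests that demonstrably came via the proxy."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None  # reached the app directly, bypassing SSO
    headers = headers_from_environ(environ)
    presented = headers.get(SECRET_HEADER, "").encode()
    # constant-time compare so the secret cannot be guessed byte by byte
    if not hmac.compare_digest(presented, PROXY_SECRET):
        return None
    user = headers.get(USER_HEADER)
    return user or None


def make_environ(remote_addr, headers):
    """Build a minimal WSGI environ for a request (constructed test input)."""
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def demo():
    """Compare both identification strategies on a legitimate and a spoofed request."""
    via_proxy = make_environ("10.0.0.5", {USER_HEADER: "alice",
                                          SECRET_HEADER: PROXY_SECRET.decode()})
    direct_spoof = make_environ("198.51.100.7", {USER_HEADER: "admin"})
    spoof_from_proxy_ip = make_environ("10.0.0.5", {USER_HEADER: "admin"})
    return {
        "naive_legit": naive_identify(via_proxy),
        "naive_spoofed": naive_identify(direct_spoof),  # naive app accepts "admin"
        "hardened_legit": hardened_identify(via_proxy),
        "hardened_spoofed_direct": hardened_identify(direct_spoof),
        "hardened_spoofed_no_secret": hardened_identify(spoof_from_proxy_ip),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The source-address check alone is not enough when the proxy and the application share a host or network, which is why the example also requires a secret that only the proxy knows; in a real deployment the same goal is usually met by firewalling the backend so that nothing but the proxy can reach it.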

Ok, the magic wonder starts to deploy. Time to be the firefighter for burning needs for more tools.
SSO is a nice tool. IF it works, when it works.

But look at your keychain. Then, consider all your keys, all your keychains.
You’ll love to have only ONE MAGICAL KEY and carry with you only that for opening house door, rear door, garage door, office door, closet, car, motorbike, RV, quad, secret lounge, suitcase, softcase, cellphone, bike lock, door lock, hdd bay, server closet, rack door…
Sooo practical…
But… it takes more time.

  • You need to ask a favor of a friend, a co-worker, or a customer to only unlock the rack door, the server closet, your bike lock. You need to give him/her your only key. Do you still think of asking that favor now?
  • You’re clumsy, and your key falls into the sewer, or your key gets old and fragile and then breaks: now you’re locked out of everything.
  • A pickpocket on the train stole your key. Now he can access your whole world.
  • How much time, money, effort, and trouble does it cost to remember and change all the locks that are opened by your magical key?

I know that passwords are not physical keys, but in any case having the same password for your whole world is considered insecure. SSO is… having the same password for all the services hosted in a “world” around NethServer.

Not only that… If LDAP goes down for any reason, all LDAP-related services will take an “I don’t know” nap until you solve the issue. So SSO is a way to make the setup a bit unreliable, until at least a dual redundant setup for LDAP exists, just like the most recent AD by Redmond.

As for the firewall rules, the IDS/IPS, the IP filter list: be sure of what you’re doing; try to know every weakness of the system before starting a project on SSO.
Because if one service is broken, all services will be shut down at the same time.

1 Like

Hi

LemonLDAP CAN use several backends, mitigating the LDAP-down problem a bit.

But, as typical human, a lot of people would use the same username / password on LemonLDAP as they use on NON-LemonLDAP based Applications, like say FB or Google/Gmail.

This makes security even weaker, but that’s not a problem with SSO, but rather human nature…

Delegation of permissions, like asking the neighbor to help, is a non issue for SSO. Simply create a key with only a simple permission on one, or maybe two locks. Done! Single use, or time lock does the rest…

SSO can make good sense, in a clearly defined environment.
But this also means certain “best practices” mechanisms are in place, like enforced Password changes, a certain Password history length etc…
Also, stuff like snapshots / backups of the server, high availability or fast recovery of a down system.
LDAP is per se replicable, but afaik not yet possible with NethServer, much less officially with Samba AD…

Multi-Master is not only MS AD as a latecomer to the party. Novell’s NDS, later eDirectory was LDAP compatible and proven with 100’000 users - and fully Multi-Master capable, and this already before 2000! LDAP itself has been Multi-Master capable for goodness knows how long.

My 2 cents
Andy

1 Like

I think it is/should be key to not share your account. If there is a need for someone external to have an account, make sure you create guest accounts for those users with for instance otp to log in.

Would this be an option? https://www.linotp.org/

@robb

Hi Robb!

Comparing LemonLDAP with LinOTP:

Both are open source and available to download/install on local in-house servers.
One emphasizes authentication from almost any source, is extremely scalable and also provides 2FA.
The other emphasizes 2FA, and talks about “Legacy 2FA”, while also allowing for authentication using different methods.

Now, Smartphones aren’t THAT old, the first Smartphone is still the iPhone Gen1, appearing in 2007 on the market. That’s 13 years old. So 2FA isn’t that old. And all 2FA still require a Smartphone, even if it’s a 2FA-NG (Next Generation).

A rose by any other name, to quote a famous brit!

Even though I’m aware of the fact that 2FA can increase security for log-ins, I’m not a great fan of it. I tend to dump my iPhone on the charger as soon as I get home or in the office, and I don’t like to use it when not on the road.

Besides this Forum here, I’m not into any form of social media - I do not like Ad financed stuff…
And I do not need my smartphone in my fingers all the time.

My bank forced me to use my smartphone for eBanking when they stopped using the RSA key. I really preferred RSA and waited until the last day, when I realized that all banks were doing the same, and I still needed to do my payments.

I still haven’t activated 2FA on my iCloud account (this would stop my Home Assistant from getting data from my phone; the Python library used does not, nor will it ever, support 2FA for iCloud…) :frowning:

I admit to not using 2FA on my Home NethServer…

If a client requires 2FA, I’ll install and activate 2FA for them. But for myself?..

My 2 cents
Andy

Maybe my understanding is incorrect, but OTP (one-time password) seems to me different from 2FA (two-factor authentication). And they have different purposes.
Especially if you need to grant an outsider access to one or more services on your LAN, OTP seems to me the way to go. It grants a (guest) account one-time access to the services you define for that (guest) account, and as soon as it logs out, the password is not re-usable.
IMO, what @pike mentions are very valid points. I am, as always, going the pragmatic route, looking for solutions solving these concerns. The trick is to think of every single possible scenario and have an adequate solution for that. Handing over credentials is not something to do lightly and IMO should be avoided. I think always using different accounts for different people is a basic rule for every sysadmin. Never share accounts. If necessary, share (parts of) services with others, with or without write/change permissions. For instance, calendar or even mail to be maintained by a secretary.

1 Like
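The “not re-usable” property of a one-time password in the post above comes from the server refusing a code it has already accepted, not from the code itself. As an added example (not code from the thread or from any of the products mentioned), here is the standard HOTP algorithm from RFC 4226 together with a small guest-account verifier that burns each counter value once it has been used; the secret is the RFC’s own test key, and the verifier, its look-ahead window and the `GuestOtpVerifier` name are constructed for this illustration.

```python
# Added example: HOTP (RFC 4226) plus a server-side verifier that makes each
# code single-use. Not code from LemonLDAP, LinOTP, privacyIDEA or NethServer.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value for a shared secret and a moving counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # HMAC-SHA-1 per the RFC
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class GuestOtpVerifier:
    """Server-side state for one guest account (constructed for this example).

    A code is accepted only if its counter is at or ahead of the next expected
    value within a small look-ahead window; accepting it advances the counter,
    so the same code (and any skipped ones) can never be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison of the presented and expected codes
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # burn this counter and everything before it
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), not a real credential
RFC_SECRET = b"12345678901234567890"


def demo():
    """Walk through generation, a successful login, a replay and a skipped code."""
    verifier = GuestOtpVerifier(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    second = hotp(RFC_SECRET, 1)
    fourth = hotp(RFC_SECRET, 3)
    third = hotp(RFC_SECRET, 2)
    return {
        "first_code": first,
        "first_login": verifier.verify(first),      # fresh code: accepted
        "replay_first": verifier.verify(first),     # same code again: refused
        "second_login": verifier.verify(second),    # next counter: accepted
        "skip_to_fourth": verifier.verify(fourth),  # within look-ahead: accepted
        "late_third": verifier.verify(third),       # counter already burned: refused
        "next_counter": verifier.next_counter,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The look-ahead window exists so that a guest who generated a code and then did not use it is not locked out forever; shrinking it trades that convenience for a smaller guessing surface, and the counter must be persisted server-side or the single-use guarantee is lost on restart.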

@stephdl true, it is a lot of work because it is something that would need to be implemented at each application level, but then again, I think it will be one of the best functions for this system.
I’ve been working on some business solutions based on NethServer, and the one key component I needed to complete the project seamlessly is this function.

Also, just to understand:
Does LemonLDAP have SAML authentication, for functionality like Keycloak, privacyIDEA and Gluu?

Keycloak is a Red Hat project === LemonLDAP.

However, Red Hat always tries to push its standard, but it is not what people use.

Look at Podman vs Docker.

2 Likes