Anyone have any advice for a #HomeLab #LDAP server?

I think I am getting to the point that I want my local resources to have SSO

I'd especially appreciate advice on having two endpoints so that I can have failover easily enabled

Unknown parent

silverwizard
not sure what the main use of keycloak in the stack is based on a few seconds of reading.
Unknown parent

silverwizard

Oh! Sure that makes sense!

That definitely is a good frontend for if things in my stack don't LDAP - but I think most of them do. But good tip.

in reply to silverwizard

my very basic system uses Gitea as an auth provider. Works with some services like Drone and Outline. Not sure if that helps at all, but it's simple.
in reply to Matt Knight

Really?! Gitea as auth provider eeeeeeh? Considering git.obscuritus.ca that might be useful!
in reply to silverwizard

Indeed! Worth exploring if it would satisfy your needs at least, especially if you have an existing instance already running!
in reply to M. Hamzah Khan

I mean, any SSO would be a headache - more than OpenLDAP or anything else?

My headache tolerance is shockingly high to be clear

in reply to silverwizard

It's more of a headache than just OpenLDAP. FreeIPA has a lot of different components. It does LDAP, Kerberos, PKI, and DNS.

I currently have my FreeIPA domain set up with 3 IPA replicas. I've had instances where I had to resolve LDAP replication issues or certificates and tokens for FreeIPA's internal services not renewing correctly.

in reply to M. Hamzah Khan

I don't want to make it sound like it's not a stable product.

It definitely is. I've used it in a number of larger companies I've worked at. But for a homelab environment, in my experience, it's not something that can just be set up and left to run in the background. It needs a lot of caressing (and monitoring) 😂

in reply to silverwizard

You could also look into Keycloak + (Open)LDAP for an SSO option. I'm thinking you could also run FreeIPA LDAP and set up Keycloak with that for a decent SSO setup for your lab.

I'm still looking into options myself. There are a bunch of ways to do the internet-to-homelab proxying with solid SSO and security throughout and I haven't found out what works for me the best quite yet. Part of it is doing proper implementation of ZeroTrust principles throughout the entire process.

in reply to p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp

I'm using Keycloak with FreeIPA at the moment.

I like Keycloak. It just sits there and quietly does its thing with very little TLC from me. 😂

in reply to M. Hamzah Khan

That's good to hear about Keycloak I do want to try it out. What part about FreeIPA was annoying to maintain?
in reply to p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp

FreeIPA does a lot of certificate and Kerberos ticket renewals automatically in the background for its own internal services. I've had a few problems when those renewals occur, which required manual intervention.

But the biggest one I've had is LDAP replication conflicts. I'm fairly certain that this is because the VPN connection between my IPA replicas is a bit crap, but I've also experienced this issue at work before as well.

in reply to M. Hamzah Khan

Sounds like you have an interesting setup. It would be cool to see your setup if you're willing to share. I should get to work on my FreeIPA instance!

I was looking at testing boringproxy to see if I like the capabilities. I saw and didn't like the token setup for the admin panel but I'm hoping it's pretty secure and nice for the tunnel back to the homelab. Hoping to avoid some of the auth sync issues if possible as well.

in reply to silverwizard

for my somewhat simple setup I used #openldap for a while but it was honestly overkill. I found #glauth and that has fit the bill nicely for me. I don't have any experience with HA/failover for it though.
in reply to silverwizard

it's not an LDAP, but have you looked at Authelia? Authentication happens on the reverse proxy side. I even disabled auth for some of my services in favor of auth headers provided by the Authelia middleware in Traefik. I.e. Grafana works with them.
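The forward-auth pattern described in this reply, as an added example that is not from the original thread or from the Authelia/Traefik projects: a Traefik dynamic configuration that declares an Authelia forwardAuth middleware and passes the identity headers through to the protected service. Hostnames (`authelia`, `auth.example.lab`, `grafana`, `grafana.example.lab`) and the Authelia port are assumed placeholders, and the verification endpoint path should be checked against the Authelia version in use.

```yaml
# Traefik dynamic configuration (file provider). Constructed example; all
# hostnames and ports are placeholders for a homelab setup.
http:
  middlewares:
    authelia:
      forwardAuth:
        # Every request to a protected router is first sent here; Authelia
        # answers 200 (allowed) or redirects to its login page ("rd").
        address: "http://authelia:9091/api/verify?rd=https://auth.example.lab"
        # Only safe when Traefik is the sole thing that can reach Authelia,
        # since it forwards the client's X-Forwarded-* headers as trusted.
        trustForwardHeader: true
        # Identity headers Authelia sets on success; Traefik copies these
        # onto the request that reaches the backend (e.g. Grafana's
        # auth.proxy reads Remote-User).
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"

  routers:
    grafana:
      rule: "Host(`grafana.example.lab`)"
      entryPoints:
        - "websecure"
      tls: {}
      # Attach the middleware so no request reaches Grafana unauthenticated.
      middlewares:
        - "authelia"
      service: "grafana"

  services:
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana:3000"
```

The defensive point of this layout is that the backend trusts the `Remote-*` headers blindly once its own login is disabled, so it must be reachable only through the proxy that attaches them; a client that can hit `grafana:3000` directly could supply those headers itself. Keep Grafana (or any service configured this way) off any network path that bypasses Traefik.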
in reply to silverwizard

Authentik aims to be a one-stop solution as it comes with LDAP built in plus OIDC. That said, it's fairly unproven in larger deployments, so the code isn't battle tested unlike, say, FreeIPA. Lots of folks use it in #homelab and are happy with it. Personally I've got FreeIPA set up and will be deploying authentik later.
Unknown parent

silverwizard
Yeah, this seems super Linux-centric, but thanks for the tip, maybe it'll run more portably than that