For my somewhat simple setup I used #openldap for a while, but it was honestly overkill. I found #glauth and that has fit the bill nicely for me. I don't have any experience with HA/failover for it, though.
It's not an LDAP, but have you looked at Authelia? Authentication happens on the reverse proxy side. I even disabled auth for some of my services in favor of auth headers provided by the Authelia middleware in Traefik. Grafana, for example, works with them.
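The header-based setup this reply describes, written out as an added example (it is not the poster's configuration and not code from Authelia, Traefik or Grafana): a Traefik forwardAuth middleware sends every request for Grafana to Authelia first and copies Authelia's Remote-* headers onto the request, and Grafana's auth.proxy consumes Remote-User. The hostnames, container names, the 172.20.0.2 proxy address and the pre-4.38 Authelia `/api/verify` endpoint are assumptions (4.38 and later expose `/api/authz/forward-auth` instead).

```yaml
# Added example, not from the thread. Traefik dynamic (file provider) config.
# Every request to the grafana router is sent to Authelia first; only the
# headers listed in authResponseHeaders are copied from Authelia's answer onto
# the upstream request, replacing any same-named header the client supplied.
http:
  middlewares:
    authelia:
      forwardAuth:
        # Assumed Authelia < 4.38 endpoint; 4.38+ uses /api/authz/forward-auth
        address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
  routers:
    grafana:
      rule: "Host(`grafana.example.com`)"
      entryPoints: ["websecure"]
      middlewares: ["authelia"]
      service: grafana
      tls: {}
  services:
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana:3000"   # assumed container name
---
# docker-compose fragment for Grafana (assumed names and addresses).
services:
  grafana:
    image: grafana/grafana
    environment:
      GF_AUTH_PROXY_ENABLED: "true"
      GF_AUTH_PROXY_HEADER_NAME: "Remote-User"     # must match what Authelia sets
      GF_AUTH_PROXY_HEADER_PROPERTY: "username"
      GF_AUTH_PROXY_AUTO_SIGN_UP: "true"
      # Weak: with no whitelist, any client that can reach port 3000 can log in
      # as anyone simply by sending its own Remote-User header.
      # GF_AUTH_PROXY_WHITELIST: ""
      # Corrected: only accept the header from Traefik's address (assumed).
      GF_AUTH_PROXY_WHITELIST: "172.20.0.2"
    # Deliberately no "ports:" entry: Grafana is reachable only through Traefik
    # on the internal network, so the header cannot be injected from outside.
    networks: [internal]
```

The security-relevant parts are the whitelist and the missing published port: auth headers are only as trustworthy as the network path to the backend, and anything that can reach Grafana directly can forge Remote-User itself. Traefik overwrites client-supplied copies of the listed headers with Authelia's values, which is why they are enumerated rather than forwarded wholesale.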
Authentik aims to be a one-stop solution, as it comes with LDAP built in plus OIDC. That said, it's fairly unproven in larger deployments, so the code isn't battle-tested, unlike, say, FreeIPA. Lots of folks use it in #homelab and are happy with it. Personally I've got FreeIPA set up and will be deploying authentik later.
silverwizard, parent unknown:
Oh! Sure, that makes sense!
That definitely is a good frontend for if things in my stack don't LDAP - but I think most of them do. But good tip.

p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp, in reply to silverwizard:
(link) GLAuth: glauth.github.io

silverwizard, in reply to M. Hamzah Khan:
I mean, any SSO would be a headache - more than OpenLDAP or anything else?
My headache tolerance is shockingly high, to be clear.
M. Hamzah Khan, in reply to silverwizard:
It's more of a headache than just OpenLDAP. FreeIPA has a lot of different components. It does LDAP, Kerberos, PKI, and DNS.
I currently have my FreeIPA domain set up with 3 IPA replicas. I've had instances where I had to resolve LDAP replication issues, or certificates and tokens for FreeIPA's internal services not renewing correctly.
M. Hamzah Khan, continuing:
I don't want to make it sound like it's not a stable product.
It definitely is. I've used it in a number of larger companies I've worked at. But for a homelab environment, in my experience, it's not something that can just be set up and left to run in the background. It needs a lot of caressing (and monitoring) 😂
p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp, in reply to silverwizard:
You could also look into Keycloak + (Open)LDAP for an SSO option. I'm thinking you could also run FreeIPA LDAP and set up Keycloak with that for a decent SSO setup for your lab.
I'm still looking into options myself. There are a bunch of ways to do the internet-to-homelab proxying with solid SSO and security throughout, and I haven't found out what works best for me quite yet. Part of it is doing a proper implementation of Zero Trust principles throughout the entire process.
M. Hamzah Khan, in reply to p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp:
I'm using Keycloak with FreeIPA at the moment.
I like Keycloak. It just sits there and quietly does its thing with very little TLC from me. 😂
M. Hamzah Khan, in reply to p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp:
FreeIPA does a lot of certificate and Kerberos ticket renewals automatically in the background for its own internal services. I've had a few problems when those renewals occur, which required manual intervention.
But the biggest one I've had is LDAP replication conflicts. I'm fairly certain that this is because the VPN connection between my IPA replicas is a bit crap, but I've also experienced this issue at work before as well.
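The two failure modes M. Hamzah Khan describes here and in his first reply (internal certificates that stop renewing, and 389-ds replication conflicts between replicas) can both be spotted from a replica's own tooling before they bite: certmonger's `getcert list` shows every tracked certificate's status, and an `ldapsearch` for `(nsds5ReplConflict=*)` lists the conflict entries 389-ds creates when two replicas disagree (`ipa-healthcheck` wraps similar checks on current releases). The script below is an added example, not code from the thread or from FreeIPA: two POSIX shell functions that parse those two outputs, run over constructed sample output so it works offline. The request IDs, hostnames, DNs and suffix are made up.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA's own tooling): offline checks
# for the two failure modes discussed above. The sample outputs are constructed
# so the script runs without a replica; on a real IPA server feed the live
# commands instead:
#   getcert list | getcert_problems
#   ldapsearch -o ldif-wrap=no -x -D "cn=Directory Manager" -W \
#       -b "dc=example,dc=com" "(nsds5ReplConflict=*)" nsds5ReplConflict \
#     | replication_conflicts

# Constructed `getcert list` output: one healthy tracked cert and one whose
# auto-renewal is stuck because certmonger could not reach the IPA CA.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20230101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2027-03-01 12:00:00 UTC
        auto-renew: yes
Request ID '20230101000001':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2024-02-01 12:00:00 UTC
        auto-renew: yes
EOF
)

# Constructed LDIF as ldapsearch prints it (unwrapped): one conflict entry
# created when the same uid was added on two replicas while they were
# partitioned, plus an ordinary entry that must be ignored.
SAMPLE_LDIF=$(cat <<'EOF'
dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: ldapSubEntry
objectClass: person
nsds5ReplConflict: namingConflict (ADD) uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
uid: jdoe

dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: asmith
EOF
)

# Print one line per tracked request whose status is anything other than
# MONITORING, or that certmonger flags as stuck:
#   "<id> <status> stuck=<yes|no> expires=<date> <subject>"
getcert_problems() {
  awk '
    function report() {
      if (id != "" && (status != "MONITORING" || stuck == "yes"))
        printf "%s %s stuck=%s expires=%s %s\n", id, status, stuck, expires, subject
    }
    $1 == "Request" && $2 == "ID" {
      report()
      id = $3; gsub(/[^0-9]/, "", id)
      status = stuck = expires = subject = ""
    }
    $1 == "status:"  { status = $2 }
    $1 == "stuck:"   { stuck = $2 }
    $1 == "expires:" { expires = $2 }
    $1 == "subject:" { subject = substr($0, index($0, "subject:") + 9) }
    END { report() }
  '
}

# Print "<dn><TAB><nsds5ReplConflict value>" for every entry carrying the
# conflict attribute; each such DN needs a human decision (keep, merge, delete).
replication_conflicts() {
  awk '
    /^dn: / { dn = substr($0, 5) }
    /^nsds5ReplConflict: / { printf "%s\t%s\n", dn, substr($0, 20) }
  '
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_GETCERT" | getcert_problems
printf '%s\n' "$SAMPLE_LDIF" | replication_conflicts
```

Run on a replica, an empty result from both functions is the healthy state; any line from the first means a renewal that will not fix itself (`CA_UNREACHABLE`, `NEED_GUIDANCE` and friends are the statuses that tend to need a hand), and any line from the second is an entry that replication has parked under an `nsuniqueid=...+` DN until someone resolves it.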
p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp, in reply to M. Hamzah Khan:
Sounds like you have an interesting setup. It would be cool to see your setup if you're willing to share. I should get to work on my FreeIPA instance!
I was looking at testing boringproxy to see if I like the capabilities. I saw and didn't like the token setup for the admin panel, but I'm hoping it's pretty secure and nice for the tunnel back to the homelab. Hoping to avoid some of the auth sync issues if possible as well.