It's more of a headache than just OpenLDAP. FreeIPA has a lot of different components. It does LDAP, Kerberos, PKI, and DNS.
I currently have my FreeIPA domain set up with 3 IPA replicas. I've had instances where I had to resolve LDAP replication issues or certificates and tokens for FreeIPA's internal services not renewing correctly.
I don't want to make it sound like it's not a stable product.
It definitely is. I've used it in a number of larger companies I've worked at. But for a homelab environment, in my experience, it's not something that can just be set up and left to run in the background. It needs a lot of caressing (and monitoring) 😂
You could also look into Keycloak + (Open)LDAP for an SSO option. I'm thinking you could also run FreeIPA LDAP and set up Keycloak with that for a decent SSO setup for your lab.
I'm still looking into options myself. There are a bunch of ways to do the internet-to-homelab proxying with solid SSO and security throughout, and I haven't found out what works best for me quite yet. Part of it is doing a proper implementation of Zero Trust principles throughout the entire process.
FreeIPA does a lot of certificate and Kerberos ticket renewals automatically in the background for its own internal services. I've had a few problems when those renewals occur, which required manual intervention.
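Since the renewals discussed above tend to fail quietly until something expires, here is an added example (mine, not code from any poster in this thread or from the FreeIPA project) that parses certmonger's `getcert list` output and flags tracked certificates that are not in the healthy MONITORING state or are marked stuck. The status values and the "Request ID" / "status" / "stuck" field layout are certmonger's; the sample output, the function names and the example IDs are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: a quick health check for the
# certificates certmonger tracks on a FreeIPA server. `getcert list`
# prints one "Request ID" block per tracked certificate; a healthy entry
# sits in status MONITORING with "stuck: no". Anything else
# (CA_UNREACHABLE, NEED_GUIDANCE, NEED_CSR_GEN_PIN, ...) is a renewal
# that needs a look before the certificate actually expires.

# Print "<request id> <status> stuck=<yes|no>" for every tracked request
# that is not healthy. Reads `getcert list` output on stdin.
unhealthy_requests() {
    awk -v q="'" '
        function flush() {
            if (id != "" && (status != "MONITORING" || stuck == "yes"))
                print id, status, "stuck=" stuck
        }
        /^Request ID/ {
            flush()
            id = $3; gsub(q, "", id); gsub(":", "", id)
            status = ""; stuck = ""
        }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        END { flush() }
    '
}

# Constructed sample of `getcert list` output, trimmed to the fields the
# check uses. On a real server pipe the live command in instead.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20240101000001':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2026-01-01 00:00:00 UTC
Request ID '20240101000002':
        status: CA_UNREACHABLE
        stuck: yes
        CA: IPA
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2024-03-01 00:00:00 UTC
Request ID '20240101000003':
        status: NEED_GUIDANCE
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2024-02-01 00:00:00 UTC
EOF
)

# Number of unhealthy requests in the constructed sample. The live
# equivalent is:  getcert list | unhealthy_requests | wc -l
unhealthy_count() {
    printf '%s\n' "$SAMPLE_GETCERT" | unhealthy_requests | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_GETCERT" | unhealthy_requests
```

Run `getcert list | unhealthy_requests` on each replica (from cron, or as a check in whatever monitoring you already have) and you get an empty output when everything is fine. For a stuck request, `getcert resubmit -i <request id>` retries the renewal; if the IPA service certificates have already expired, FreeIPA ships `ipa-cert-fix` for that case.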
But the biggest one I've had is LDAP replication conflicts. I'm fairly certain that this is because the VPN connection between my IPA replicas is a bit crap, but I've also experienced this issue at work before as well.
Sounds like you have an interesting setup. It would be cool to see your setup if you're willing to share. I should get to work on my FreeIPA instance!
I was looking at testing boringproxy to see if I like the capabilities. I saw and didn't like the token setup for the admin panel but I'm hoping it's pretty secure and nice for the tunnel back to the homelab. Hoping to avoid some of the auth sync issues if possible as well.
For my somewhat simple setup I used #openldap for a while, but it was honestly overkill. I found #glauth and that has fit the bill nicely for me. I don't have any experience with HA/failover for it though.
It's not an LDAP, but have you looked at Authelia? Authentication happens on the reverse proxy side. I even disabled auth for some of my services in favor of auth headers provided by the Authelia middleware in Traefik. For example, Grafana works with them.
Authentik aims to be a one-stop solution, as it comes with LDAP built in plus OIDC. That said, it's fairly unproven in larger deployments, so the code isn't battle-tested unlike, say, FreeIPA. Lots of folks use it in #homelab and are happy with it. Personally I've got FreeIPA set up and will be deploying Authentik later.
GLAuth: glauth.github.io

silverwizard
My headache tolerance is shockingly high, to be clear.
M. Hamzah Khan
I like Keycloak. It just sits there and quietly does its thing with very little TLC from me. 😂