Selfhosted @lemmy.world kevincox @lemmy.ml 2mo ago

LDAP to UNIX user proxy

Is there any service that will speak LDAP but just respond with the local UNIX users?

Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.

I noticed that a lot of services support LDAP auth, but I don't want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).

The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.

(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)

33 comments

I think you're missing the point of LDAP then. It's a centralized directory used for querying information. It's not necessarily about user information, but can be anything.

What you're asking for is akin to locally hosting a SQL server that other machines can talk to? Then it's just a server. Start an LDAP server somewhere, then talk to it. That's how it works.

If you don't want a network service for this purpose, then don't use LDAP. If you want a bunch of users to exist on many machines without having to manually create them, then use LDAP, or a system configuration tool that creates and keeps them all eventually consistent.
- Yes, LDAP is a general tool. But many applications that I am interested in using it for user information. That is what I want to use it for. I'm not really interested in storing other data.
  
  I think you are sort of missing the goal of the question. I have a bunch of self-hosted services like Jellyfin, qBittorrent, PhotoPrism, Metabase ... I want to avoid having to configure users in each one individually. I am considering LDAP because it is supported by many of these services. I'm not concerned about synchronizing UNIX users, I already have that solved. (If I need to move those to LDAP as well that can be considered, but isn't a goal).
  
  Then it's the same situation. Find a box, setup an LDAP service, populate it, and you're good to go. That's it.
What's wrong with LDAP for users? (I'm trying to think of a negative, and can't).
- Yet another service to maintain. If the server is crashing you can't log in, so you need backup UNIX users anyways.
  
  You need backup local admin accounts, not Backups for each user.
  
  Which is how enterprise does things. There are local accounts with root access, but the id's and passwords are tightly controlled.
  
  Then you don't understand how it works with local auth services.
Against which regular user database?
Look into Single Sign-On services (SSO) like Authelia, Authentik, or KeyCloak. Most SSO tools do the sorts of things you’re looking for. Some will talk to the native UNIX user store. I do agree with the others, though: if you’re this far along, then it’s time to spin up LDAP and SSO, but this might be the same tool in your case.
- But the problem is that most self-hosted apps don't integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.
  
  They actually do, i am down the same path recently and installing authelia was the best choice I made. Still working on it.
  
  But most stvies support either basic auth, headers auth, oidc or similar approaches. Very few don't.
Yes

However, it is better just to move all users to ldap
So based on what you've said in the comments, I am guessing you are managing all your users with Nixos, in the Nixos config, and want to share these users to other services?

Yeah, I don't even know sharing Unix users is possible. EDIT: It seems to be based on comments below.

But what I do know is possible, is for Unix/Linux to get it's users from LDAP. Even sudo is able to read from LDAP, and use LDAP groups to authorize users as being able to sudo.

Setting these up on Nixos is trivial. You can use the users.ldap set of options on Nixos to configure authentication against an external LDAP user. Then, you can configure sudo

After all of that, you could declaratively configure an LDAP server using Nixos, including setting up users. For example, it looks like you can configure users and groups fro the kanidm ldap server

Or you could have a config file for the openldap server

RE: Manage auth at the reverse proxy: If you use Authentik as your LDAP server, it can reverse proxy services and auth users at that step. A common setup I've seen is to run another reverse proxy in front of authentik, and then just point that reverse proxy at authentik, and then use authentik to reverse proxy just the services you want behind a login page.
There is the passwd LDAP backend, not sure if it works for full auth though.
Are you looking for something like cached credentials?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters

HTTP Hypertext Transfer Protocol, the Web

SSO Single Sign-On

nginx Popular HTTP server

2 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.

[Thread #956 for this sub, first seen 8th Sep 2024, 13:25] [FAQ] [Full list] [Contact] [Source code]
- Missed LDAP, bot.

Fewer Letters	More Letters
HTTP	Hypertext Transfer Protocol, the Web
SSO	Single Sign-On
nginx	Popular HTTP server

33 comments