Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?

jdaviescoates

@robi said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:

Search for Directory Server

You can link directly to that section: https://docs.cloudron.io/user-management/#directory-server

AartJansen

ldapsearch from the lan seems unable to find the server. does cloudron have a firewall blocking the port ?
Where I specify the range that can access, is
192.168.1.0/24 an acceptable format ?

robi

I think that should work (if not use a few static IPs until it's sorted), but the docs could use an improvement with more exact examples of what is acceptable in the code.

@girish can fix that!

AartJansen

@robi Thanks! I took your advice and allowed a single ip, and it immediately worked.
That will do for me, until someone comes back with the correct notation for an ip range.

jdaviescoates

@AartJansen and out of interest, after you've logged into the machine via LDAP, what happens when you try to login to an app?

AartJansen

@jdaviescoates still working on that. I just have the command
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=admin,ou=system,dc=cloudron" -W -H ldaps://my.domain 636 working from the client workstation

fbartels

@jdaviescoates said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:

after you've logged into the machine via LDAP, what happens when you try to login to an app?

Nothing will happen, as logging in via LDAP only validates your password at login, but does not give you a token that you could use to log into other applications.

In a windows environment this is handled with Kerberos. You log into your desktop via activedirectory (ad for short, a kind of LDAP) and when logging into other applications the application verifies via Kerberos if you are allowed. Previous to Kerberos this was also done with ntlm.

AartJansen

@fbartels yes, of course. Haha, how did I forget that? I must be getting old.

I guess if I add kerebos server to the ubuntu / cloudron install, I am effectively going towards unsupported territory, and it wont achieve much?
do the dockerised apps need to be kerebos aware/integrated too ?

fbartels

@AartJansen said in Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?:

do the dockerised apps need to be kerebos aware/integrated too ?

Kind of. Either the applications need to support it directly or you chain it to something else. There is native support for saml already for quite a while, but also openid can be used nowadays.

If you want to Kerberos compatibility I would rather start there, than trying to extend the (afaik intentionally simple) ldap server of Cloudron. Possible solutions could be https://www.freeipa.org/ or https://www.univention.com.

charlesnw

I would strongly recommend Univention as the authentication back end. I used that in the past (pre cloudron) for LDAP auth for everything. I migrated all my apps / data to Cloudron/OpenID/Oauth and am now re-deploying Univention for desktop auth.

Desktop users of my company will only need two passwords (cloudron/univention) but with Cloudron SSO, and they can stay (essentially) perm logged in with cookies, it's not a big deal. Only artists/engineers etc doing heavy desktop work will need Univention logins.

One other option I'm exploring is having Linux auth to keycloak...

https://github.com/kha7iq/kc-ssh-pam

Hilt3323

Yes, it's possible to authenticate desktop logins using LDAP on Debian or other Linux distributions. Using PAM (Pluggable Authentication Modules), the system can be configured to use LDAP credentials for login, and this can be extended to other services as well.