Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Thu, 31 Jul 2025 15:57:55 GMT

charlesnw — Thu, 31 Jul 2025 15:57:55 GMT

I would strongly recommend Univention as the authentication back end. I used that in the past (pre cloudron) for LDAP auth for everything. I migrated all my apps / data to Cloudron/OpenID/Oauth and am now re-deploying Univention for desktop auth.

Desktop users of my company will only need two passwords (cloudron/univention) but with Cloudron SSO, and they can stay (essentially) perm logged in with cookies, it's not a big deal. Only artists/engineers etc doing heavy desktop work will need Univention logins.

One other option I'm exploring is having Linux auth to keycloak...

https://github.com/kha7iq/kc-ssh-pam

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Mon, 30 Oct 2023 12:02:33 GMT

fbartels — Mon, 30 Oct 2023 12:02:33 GMT

@AartJansen said in Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?:

do the dockerised apps need to be kerebos aware/integrated too ?

Kind of. Either the applications need to support it directly or you chain it to something else. There is native support for saml already for quite a while, but also openid can be used nowadays.

If you want to Kerberos compatibility I would rather start there, than trying to extend the (afaik intentionally simple) ldap server of Cloudron. Possible solutions could be https://www.freeipa.org/ or https://www.univention.com.

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sun, 29 Oct 2023 18:44:02 GMT

AartJansen — Sun, 29 Oct 2023 18:44:02 GMT

@fbartels yes, of course. Haha, how did I forget that? I must be getting old.

I guess if I add kerebos server to the ubuntu / cloudron install, I am effectively going towards unsupported territory, and it wont achieve much?
do the dockerised apps need to be kerebos aware/integrated too ?

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sun, 29 Oct 2023 08:16:46 GMT

fbartels — Sun, 29 Oct 2023 08:16:46 GMT

@jdaviescoates said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:

after you've logged into the machine via LDAP, what happens when you try to login to an app?

Nothing will happen, as logging in via LDAP only validates your password at login, but does not give you a token that you could use to log into other applications.

In a windows environment this is handled with Kerberos. You log into your desktop via activedirectory (ad for short, a kind of LDAP) and when logging into other applications the application verifies via Kerberos if you are allowed. Previous to Kerberos this was also done with ntlm.

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sun, 29 Oct 2023 02:15:12 GMT

AartJansen — Sun, 29 Oct 2023 02:15:12 GMT

@jdaviescoates still working on that. I just have the command
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=admin,ou=system,dc=cloudron" -W -H ldaps://my.domain 636 working from the client workstation

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sun, 29 Oct 2023 01:44:45 GMT

jdaviescoates — Sun, 29 Oct 2023 01:44:45 GMT

@AartJansen and out of interest, after you've logged into the machine via LDAP, what happens when you try to login to an app?

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sun, 29 Oct 2023 00:06:02 GMT

AartJansen — Sun, 29 Oct 2023 00:06:02 GMT

@robi Thanks! I took your advice and allowed a single ip, and it immediately worked.
That will do for me, until someone comes back with the correct notation for an ip range.

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sat, 28 Oct 2023 23:34:30 GMT

robi — Sat, 28 Oct 2023 23:34:30 GMT

I think that should work (if not use a few static IPs until it's sorted), but the docs could use an improvement with more exact examples of what is acceptable in the code.

@girish can fix that!

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sat, 28 Oct 2023 21:35:50 GMT

AartJansen — Sat, 28 Oct 2023 21:35:50 GMT

ldapsearch from the lan seems unable to find the server. does cloudron have a firewall blocking the port ?
Where I specify the range that can access, is
192.168.1.0/24 an acceptable format ?

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sat, 28 Oct 2023 23:10:53 GMT

jdaviescoates — Sat, 28 Oct 2023 23:10:53 GMT

@robi said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:

Search for Directory Server

You can link directly to that section: https://docs.cloudron.io/user-management/#directory-server

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Sat, 28 Oct 2023 00:26:05 GMT

robi — Sat, 28 Oct 2023 00:26:05 GMT

Check https://docs.cloudron.io/user-management/

Search for Directory Server

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Fri, 27 Oct 2023 22:24:22 GMT

AartJansen — Fri, 27 Oct 2023 22:24:22 GMT

Well theres two questions I guess...
#1 Can LDAP authenticate a user login for a desktop OS ?
#2 Can that login "token" be passed onto the other hosted apps that support the LDAP so that the user can then just open their nextcloud (as an example). or mail app, like you can with windows active directory / ms exchange .
I expect the answer is #1 yes, #2 no.

Reply to Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login? on Fri, 27 Oct 2023 10:06:39 GMT

girish — Fri, 27 Oct 2023 10:06:39 GMT

I probably miss something but the title of the post and content of post seem completely unrelated. Or am I not understanding?