Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?
-
Would it make using the apps (that make use of the same LDAP) smoother (ie no prompt) using the existing credential used at login, is that possible?
-
Well theres two questions I guess...
#1 Can LDAP authenticate a user login for a desktop OS ?
#2 Can that login "token" be passed onto the other hosted apps that support the LDAP so that the user can then just open their nextcloud (as an example). or mail app, like you can with windows active directory / ms exchange .
I expect the answer is #1 yes, #2 no. -
Check https://docs.cloudron.io/user-management/
Search for Directory Server
-
Check https://docs.cloudron.io/user-management/
Search for Directory Server
@robi said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:
Search for Directory Server
You can link directly to that section: https://docs.cloudron.io/user-management/#directory-server
-
ldapsearch from the lan seems unable to find the server. does cloudron have a firewall blocking the port ?
Where I specify the range that can access, is
192.168.1.0/24 an acceptable format ? -
I think that should work (if not use a few static IPs until it's sorted), but the docs could use an improvement with more exact examples of what is acceptable in the code.
@girish can fix that!
-
@robi Thanks! I took your advice and allowed a single ip, and it immediately worked.
That will do for me, until someone comes back with the correct notation for an ip range.@AartJansen and out of interest, after you've logged into the machine via LDAP, what happens when you try to login to an app?
-
@AartJansen and out of interest, after you've logged into the machine via LDAP, what happens when you try to login to an app?
@jdaviescoates still working on that. I just have the command
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=admin,ou=system,dc=cloudron" -W -H ldaps://my.domain 636 working from the client workstation -
@AartJansen and out of interest, after you've logged into the machine via LDAP, what happens when you try to login to an app?
@jdaviescoates said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:
after you've logged into the machine via LDAP, what happens when you try to login to an app?
Nothing will happen, as logging in via LDAP only validates your password at login, but does not give you a token that you could use to log into other applications.
In a windows environment this is handled with Kerberos. You log into your desktop via activedirectory (ad for short, a kind of LDAP) and when logging into other applications the application verifies via Kerberos if you are allowed. Previous to Kerberos this was also done with ntlm.
-
@jdaviescoates said in Can I use ldap to autheticate a debian (or whatever linux flavour) desktop login?:
after you've logged into the machine via LDAP, what happens when you try to login to an app?
Nothing will happen, as logging in via LDAP only validates your password at login, but does not give you a token that you could use to log into other applications.
In a windows environment this is handled with Kerberos. You log into your desktop via activedirectory (ad for short, a kind of LDAP) and when logging into other applications the application verifies via Kerberos if you are allowed. Previous to Kerberos this was also done with ntlm.
@fbartels yes, of course. Haha, how did I forget that? I must be getting old.
I guess if I add kerebos server to the ubuntu / cloudron install, I am effectively going towards unsupported territory, and it wont achieve much?
do the dockerised apps need to be kerebos aware/integrated too ? -
@fbartels yes, of course. Haha, how did I forget that? I must be getting old.
I guess if I add kerebos server to the ubuntu / cloudron install, I am effectively going towards unsupported territory, and it wont achieve much?
do the dockerised apps need to be kerebos aware/integrated too ?@AartJansen said in Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?:
do the dockerised apps need to be kerebos aware/integrated too ?
Kind of. Either the applications need to support it directly or you chain it to something else. There is native support for saml already for quite a while, but also openid can be used nowadays.
If you want to Kerberos compatibility I would rather start there, than trying to extend the (afaik intentionally simple) ldap server of Cloudron. Possible solutions could be https://www.freeipa.org/ or https://www.univention.com.
