Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?
wrote on Oct 28, 2023, 12:26 AM last edited by
Check https://docs.cloudron.io/user-management/
Search for Directory Server
wrote on Oct 28, 2023, 1:02 AM last edited by jdaviescoates Oct 28, 2023, 11:10 PM
@robi said in Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?:
Search for Directory Server
You can link directly to that section: https://docs.cloudron.io/user-management/#directory-server
wrote on Oct 28, 2023, 8:45 PM last edited by AartJansen Oct 28, 2023, 9:35 PM
ldapsearch from the LAN seems unable to find the server. Does Cloudron have a firewall blocking the port?
Where I specify the range that can access, is 192.168.1.0/24 an acceptable format?
I think that should work (if not, use a few static IPs until it's sorted), but the docs could use an improvement with more exact examples of what is acceptable in the code.
@girish can fix that!
wrote on Oct 29, 2023, 12:06 AM last edited by
@robi Thanks! I took your advice and allowed a single IP, and it immediately worked.
That will do for me, until someone comes back with the correct notation for an IP range.
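The notation question can be settled on the workstation before touching the server. The script below is an added example, not from this thread or the Cloudron docs; it assumes the directory-server allow list takes either a single IPv4 address or a CIDR prefix such as 192.168.1.0/24 (the form asked about above), and it answers whether a given client address would be covered by a set of entries. Entries it cannot parse are reported and skipped, so a "cannot reach the server" symptom can be told apart from a typo in the list.

```shell
#!/bin/sh
# Added example (not from the thread or the Cloudron docs): check whether a
# workstation address is covered by a directory-server allow-list entry written
# either as a single IPv4 address or in CIDR form such as 192.168.1.0/24.
# Assumption: the allow list accepts exactly those two forms.
set -f   # no pathname expansion while splitting on "."

# valid_ip4 ADDR -> exit 0 if ADDR is four dotted decimal octets in 0..255
valid_ip4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# ip4_to_int ADDR -> prints the 32-bit integer form (caller validates first)
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# rule_covers ADDR RULE -> exit 0 if RULE (either ADDR or NET/BITS) covers ADDR,
# exit 1 if it does not, exit 2 if ADDR or RULE is malformed
rule_covers() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    valid_ip4 "$1" && valid_ip4 "$net" || return 2
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    # network mask: all ones except the low (32 - bits) host bits
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# allowed ADDR RULE... -> exit 0 if any rule covers ADDR. Malformed rules are
# reported on stderr and skipped: an entry the server cannot parse is not the
# one letting the client in.
allowed() {
    addr=$1; shift
    hit=1
    for rule in "$@"; do
        rc=0; rule_covers "$addr" "$rule" || rc=$?
        case $rc in
            0) hit=0 ;;
            2) echo "malformed allow-list entry: $rule" >&2 ;;
        esac
    done
    return $hit
}

# Usage: allowed 192.168.1.42 192.168.1.0/24 10.0.0.5 && echo covered
```

Run it with the workstation's address and the exact strings from the allow list; a non-zero exit with a "malformed" message on stderr means the list, not the firewall, is the first thing to fix.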
wrote on Oct 29, 2023, 1:44 AM last edited by
@AartJansen and out of interest, after you've logged into the machine via LDAP, what happens when you try to log in to an app?
wrote on Oct 29, 2023, 2:15 AM last edited by
@jdaviescoates still working on that. I just have the command
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=admin,ou=system,dc=cloudron" -W -H ldaps://my.domain:636
working from the client workstation
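Once ldapsearch works from the workstation, the desktop login itself is normally wired up through sssd. The script below is an added example, not from this thread, the Cloudron documentation or the sssd project: it renders a hardened sssd LDAP domain section using the host (my.domain) and base (dc=cloudron) taken from the command above, and audits an existing sssd.conf for the settings that most often get relaxed while debugging (cleartext ldap://, ldap_tls_reqcert set to never or allow, cached credentials, a world-readable file). It assumes the directory exposes the POSIX attributes sssd expects (uidNumber, gidNumber, homeDirectory); if it does not, ldap_user_* attribute mappings are needed on top of this.

```shell
#!/bin/sh
# Added example (not from the thread, the Cloudron docs or the sssd project):
# render a hardened sssd LDAP domain section for a Debian/Ubuntu workstation
# and audit an existing /etc/sssd/sssd.conf for settings that weaken it.
# Assumptions: "my.domain" is the directory host, "dc=cloudron" the search base,
# and the directory exposes the POSIX attributes sssd expects.

# render_sssd_conf HOST BASE -> hardened config on stdout
render_sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
domains = cloudron

[domain/cloudron]
id_provider = ldap
auth_provider = ldap
# LDAPS on 636: the whole session, including the bind password, is encrypted
ldap_uri = ldaps://$1:636
ldap_search_base = $2
ldap_user_search_base = ou=users,$2
# Refuse to talk to a server whose certificate does not verify
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
# A LAN desktop does not need offline logins; keep no password hashes locally
cache_credentials = false
enumerate = false
EOF
}

# audit_sssd_conf FILE -> one finding per line on stdout, exit 1 if any
audit_sssd_conf() {
    findings=0
    # drop comment lines and the spaces around "=" so the patterns stay simple
    norm=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1")
    if echo "$norm" | grep -q '^ldap_uri=ldap://'; then
        echo "ldap_uri is cleartext ldap://; use ldaps:// (or require StartTLS)"
        findings=$((findings + 1))
    fi
    if echo "$norm" | grep -Eq '^ldap_tls_reqcert=(never|allow)$'; then
        echo "ldap_tls_reqcert accepts unverified server certificates"
        findings=$((findings + 1))
    fi
    if echo "$norm" | grep -q '^cache_credentials=[Tt]rue'; then
        echo "cache_credentials keeps password hashes on the workstation"
        findings=$((findings + 1))
    fi
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "$1 is world-readable; sssd expects 0600 (it may hold a bind password)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage (as root):
#   render_sssd_conf my.domain dc=cloudron > /etc/sssd/sssd.conf
#   chmod 600 /etc/sssd/sssd.conf && audit_sssd_conf /etc/sssd/sssd.conf
```

If the directory refuses anonymous searches, add ldap_default_bind_dn and ldap_default_authtok for a low-privilege account rather than the admin bind used in the ldapsearch test; the file-mode check exists because that password then lives in the config.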
@jdaviescoates said in Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?:
after you've logged into the machine via LDAP, what happens when you try to log in to an app?
Nothing will happen, as logging in via LDAP only validates your password at login, but does not give you a token that you could use to log into other applications.
In a Windows environment this is handled with Kerberos. You log into your desktop via Active Directory (AD for short, a kind of LDAP) and when logging into other applications the application verifies via Kerberos if you are allowed. Before Kerberos this was also done with NTLM.
wrote on Oct 29, 2023, 6:27 PM last edited by AartJansen Oct 29, 2023, 6:44 PM
@fbartels yes, of course. Haha, how did I forget that? I must be getting old.
I guess if I add a Kerberos server to the Ubuntu / Cloudron install, I am effectively going towards unsupported territory, and it won't achieve much?
Do the dockerised apps need to be Kerberos aware/integrated too?
@AartJansen said in Can I use ldap to authenticate a debian (or whatever linux flavour) desktop login?:
Do the dockerised apps need to be Kerberos aware/integrated too?
Kind of. Either the applications need to support it directly or you chain it to something else. There has been native support for SAML for quite a while, but OpenID can also be used nowadays.
If you want Kerberos compatibility I would rather start there than try to extend the (afaik intentionally simple) LDAP server of Cloudron. Possible solutions could be https://www.freeipa.org/ or https://www.univention.com.