how to connect to a cloudron ldap via federation?
-
@andreasdueren some of those LDAP settings look wrong. See https://docs.cloudron.io/user-directory/#configuring-clients . The Bind dialog looks OK (it uses the admin DN) but the user search is not correct. I tried to put some more info in the doc link, let me know if those work.
@girish said in how to connect to a cloudron ldap via federation?:
That works, but now I need to figure out what the Bind DN is to list all users, not just admins.
user, users, person etc. don't seem to be correct.
-
The directory server implementation for listing/searching users is at https://git.cloudron.io/platform/box/-/blob/master/src/directoryserver.js?ref_type=heads#L217 so basically all users are at
ou=users,dc=cloudron
Just to clarify, you're saying, this should work? Because it's only returning the system admins (me)
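To make the base/scope/filter point above concrete, here is an added example (editorial, not code from this thread or from Cloudron's directoryserver.js): a small in-memory evaluator for LDAP search scopes and RFC 4515 filters, run against a constructed directory laid out as girish describes, with all users under ou=users,dc=cloudron. The entry DNs, objectClass values, uid/memberOf attributes and the cn=admins group are assumptions for illustration only and are not Cloudron's actual schema. It shows the three things a client's "user search" settings control: a base DN that does not exist returns nothing (the "user"/"users"/"person" guesses), a group-restricted filter returns only admins, and a subtree search under ou=users,dc=cloudron returns everyone.

```python
"""Toy LDAP search evaluator (added example, not Cloudron code).

Implements just enough of RFC 4511 scopes (base/one/sub) and RFC 4515
filters (&, |, !, equality, presence) to show how a client's base DN and
user filter decide which entries come back. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name (lowercase) -> list of string values


def person(name, groups=()):
    # Constructed user entry; objectClass/uid/memberOf values are assumptions.
    return Entry(f"cn={name},ou=users,dc=cloudron",
                 {"objectclass": ["inetOrgPerson"], "cn": [name],
                  "uid": [name], "memberof": list(groups)})


# Constructed directory: users under ou=users,dc=cloudron as in the thread;
# the admin user and the cn=admins group are assumptions for illustration.
DIRECTORY = [
    Entry("dc=cloudron", {"objectclass": ["domain"], "dc": ["cloudron"]}),
    Entry("ou=users,dc=cloudron", {"objectclass": ["organizationalUnit"], "ou": ["users"]}),
    Entry("ou=groups,dc=cloudron", {"objectclass": ["organizationalUnit"], "ou": ["groups"]}),
    person("admin", ["cn=admins,ou=groups,dc=cloudron"]),
    person("alice"),
    person("bob"),
    Entry("cn=admins,ou=groups,dc=cloudron",
          {"objectclass": ["groupOfNames"], "cn": ["admins"],
           "member": ["cn=admin,ou=users,dc=cloudron"]}),
]


def parse_filter(s):
    """Parse an RFC 4515 filter string into nested tuples (no escapes/substrings)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        c = s[pos]
        if c in "&|":                      # (&(...)(...)) / (|(...)(...))
            pos += 1
            kids = []
            while s[pos] == "(":
                kids.append(node())
            pos += 1                       # consume ')'
            return (c, kids)
        if c == "!":                       # (!(...))
            pos += 1
            kid = node()
            pos += 1
            return ("!", [kid])
        end = s.index(")", pos)            # attr=value or attr=* (presence)
        attr, _, val = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), val)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, f):
    """Evaluate a parsed filter against one entry (case-insensitive match)."""
    op = f[0]
    if op == "&":
        return all(matches(entry, k) for k in f[1])
    if op == "|":
        return any(matches(entry, k) for k in f[1])
    if op == "!":
        return not matches(entry, f[1][0])
    _, attr, val = f
    values = entry.attrs.get(attr, [])
    if val == "*":                         # presence filter
        return bool(values)
    return any(v.lower() == val.lower() for v in values)


def in_scope(dn, base, scope):
    """RFC 4511 scope check; naive RDN split (no escaped commas)."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    if scope == "sub":
        return True
    if scope == "one":
        return "," not in dn[: -len(base) - 1]   # exactly one RDN below base
    raise ValueError(f"unknown scope {scope}")


def search(base, scope, filter_str, directory=DIRECTORY):
    """Return sorted DNs matching base+scope+filter. A real server answers a
    non-existent base with noSuchObject; here it simply yields no entries."""
    f = parse_filter(filter_str)
    return sorted(e.dn for e in directory if in_scope(e.dn, base, scope) and matches(e, f))


def all_users():
    # The working client setting: subtree search under the users OU.
    return search("ou=users,dc=cloudron", "sub", "(objectclass=inetOrgPerson)")


def admins_only():
    # A group-restricted user filter reproduces the "only admins come back" symptom.
    return search("ou=users,dc=cloudron", "sub",
                  "(&(objectclass=inetOrgPerson)(memberof=cn=admins,ou=groups,dc=cloudron))")


def guessed_base(ou):
    # Guessing the base DN ("user", "person", ...) hits no entries at all.
    return search(f"ou={ou},dc=cloudron", "sub", "(objectclass=*)")


if __name__ == "__main__":
    print("all users   :", all_users())
    print("admins only :", admins_only())
    print("ou=user     :", guessed_base("user"))
    print("one level   :", search("dc=cloudron", "one", "(objectclass=*)"))
```

Against a real directory the same three checks are one command each with OpenLDAP's client, binding with the admin DN and varying only the base and filter, e.g. `ldapsearch -x -H <ldap url> -D "<admin bind dn>" -W -b "ou=users,dc=cloudron" "(objectclass=*)"`; if that returns everyone but the app does not, the app's user filter (not the bind) is what restricts the result.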
-
Does the "Test authentication" button say OK btw? In your screenshot, what is the user filter (if the ui provides this)?
But even with read only it fails
-
Did you get this working?
Is the app set up out of the box to federate to the Cloudron LDAP?
I want to use this as the IdP (proxy) for NetBird since that's officially supported / documented in the NetBird docs (vs attempting to use Cloudron OIDC directly, which I haven't been able to fully wrap my head around).
I'm open to either. Though, of course, Keycloak is a common IdP and supported by many things out of the box. And since Cloudron doesn't really have fine-grained admin permissions, Keycloak could be a way for me to delegate (for non-Cloudron apps) admin permissions.
-
@charlesnw nope, had to postpone working on it.
-
To circle back on this...
I deployed Keycloak from the app store. I created a new (local) admin user and deleted the temp one (as per the instructions out of the box).
I then used the "Login with Cloudron" button and was able to log in to Keycloak (as the non-admin user from the Cloudron directory), and my Cloudron user shows up in Keycloak.
I would be very interested in developing/documenting a tight integration and best practices between Cloudron and Keycloak as a way to greatly extend/enhance Cloudron user management: setting up various tenants, self-service signups in those tenants, etc. For example, building user on-boarding / approval workflows (where you bring on a new team member and they need to be provisioned into groups). Right now, only Cloudron superadmins have the ability to manage groups, and that isn't a privilege I want to hand out.
I originally planned to have Claude build me a web app and utilize the Cloudron API to build that functionality (and was going to AGPLv3 it). However, perhaps, with Keycloak we don't have to fully re-invent the wheel?
IAM is a VERY important requirement/feature to compete with AWS/Azure. It's the next thing my board wants to see as we move through go-live with Cloudron across our various projects/entities.
Who would be the key people I would need to work with to get this built out/tested/integrated/streamlined?
I realize that Cloudron (as I understand it) isn't currently positioned/targeting "enterprise" or those who may use AWS/Azure. I am happy to do the light/medium/(some) heavy lift work to help get it to where I need it to be. I am a founder/CTO of a company that is in the ramp-up/growth phase. I steadfastly refuse to use the "big cloud", and Cloudron has been amazing at eliminating about 90% of system admin duties in a reliable way.