LDAP/AD Server
-
Hello, I have been redirected from a support email...
I think my concern is similar to that of other users who need this feature.
Looking on GitHub I found this:
https://github.com/mitchellurgero/cloudron-ldap-proxy
Security Warnings
THIS CAN POTENTIALLY EXPOSE YOUR CLOUDRON'S INTERNAL LDAP SERVER TO THE WORLD. DO NOT USE THIS APP IN PRODUCTION IN ANY WAY!!!!
I have not tried it yet, but I think that with some precautions it can be implemented...
-
@alexanderkings I haven't finished the step of migrating this to a Cloudron app, but I've been using mole to securely forward ports between networks using SSH Private/Public keys. My Docker implementation is Dockamole.
I'm using it already outside of Cloudron to allow my VPS to scrape metrics generated on my home NAS.
The workflow would require a Server container running on Cloudron and then a Client container running on whatever machine you'd like to access the forwarded port. All services on that machine access the service through the local container and it's forwarded to the server container.
Like I said... I haven't gotten it running on Cloudron yet though.
-
Just came here to add my +1 for this. I'm currently looking into Cloudron for our tech-focused NPO with over 1000 volunteers and it'd be great to have some (at least basic) LDAP server to integrate with "from the outside". We self-host some more specialized tools (partially other open source tools, partially self-developed) which are not on Cloudron - rightfully so - and it'd be super convenient if we could integrate with Cloudron's LDAP.
The "one login for a lot of services" and permission management (certain apps can only be accessed by certain people) is definitely one of the main attractions of Cloudron I see for us and it'd be great if this would be extensible to external apps. This would radically reduce the workload for us full-time employees: right now we have to add volunteers to 5+ different services if we want to properly onboard them.
-
@friep2 As a fellow regular user, could I ask you to elaborate a bit on why it would be inappropriate to package up the "open-source / self-developed" apps to run inside Cloudron directly? This is an honest question, I'm quite curious about how different people perceive the limits of Cloudron. I'm sure you have considered many different options for deployment.
-
LDAP to the world would be interesting. I could also see a usecase for something like a SAML provider to redirect apps to a cloudron instance for SSO.
-
Big for this from me. What can we do to get this happening?
First use would be with Unify apps and devices, so Cloudron could be a single source of logins, and a single place to decommission logins too for those moving on.
-
I think the only way this could be better is adding support for custom external apps added to the dashboard (they just link out).
-
Just noting a link to a comment from @luckow on a similar post I made before seeing this one, with some alternative solution links: https://forum.cloudron.io/topic/4933/have-a-cloudron-instance-as-an-ldap-provider/6?_=1618906250553
I think this thread has the right ultimate goal - but that might be something I have to investigate an intermediary solution for if this doesn't get on the roadmap.
-
I wanted to explain a bit why we have not exposed the LDAP: Cloudron has a minimal user database. This is exposed with the LDAP protocol for the sake of app authentication. But it's not a real directory server. A real directory server requires storing a LOT more user information (well, at least that's what people expect from a real LDAP server) like say phone numbers, photos etc.
The other aspect is, of course, security. It's not a good idea to expose the LDAP server straight to the internets. We have to make some mechanisms to only allow specific IPs to connect to LDAP server etc. This is easily doable.
Are you ok with living with the minimal user database limitation? If so, we can look into it.
-
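The previous post mentions only allowing specific source IPs to reach the LDAP listener. As an added illustration (editor's example, not code from the thread, from Cloudron or from the cloudron-ldap-proxy project), the script below is a small TCP forwarder that sits in front of an internal LDAP port, checks the connecting peer against an allow-list of networks, and refuses and logs everything else. The listen address, the upstream LDAP address and the allow-listed networks are assumptions (documentation ranges), chosen only to make the example runnable.

```python
"""Allow-list front door for an internal LDAP listener (added example).

Assumed values: the internal LDAP server listens on 127.0.0.1:389, this
forwarder listens on a hypothetical port 10389, and only the constructed
sample networks below may connect. Nothing here is Cloudron's own code.
"""
import ipaddress
import logging
import socket
import threading

INTERNAL_LDAP = ("127.0.0.1", 389)   # assumption: where the real LDAP listens
LISTEN_ON = ("0.0.0.0", 10389)       # assumption: externally reachable port
# Constructed allow-list using RFC 5737 / RFC 3849 documentation ranges.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

log = logging.getLogger("ldap-allowlist")


def is_allowed(source_ip, allowed=ALLOWED_NETWORKS):
    """Return True only if source_ip falls inside one of the allowed networks.

    Unparseable input is refused. IPv4-mapped IPv6 peers (::ffff:a.b.c.d), as
    delivered by dual-stack sockets, are compared as the IPv4 address they wrap
    so that an IPv4 allow-list entry still matches them.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed)


def _pump(src, dst):
    """Copy bytes from src to dst until either side closes."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for sock in (src, dst):
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client, peer, upstream=INTERNAL_LDAP):
    """Decide on one accepted connection: refuse-and-log or relay to LDAP."""
    ip, port = peer[0], peer[1]
    if not is_allowed(ip):
        log.warning("refused LDAP connection from %s:%d (not in allow-list)", ip, port)
        client.close()
        return
    try:
        up = socket.create_connection(upstream, timeout=10)
    except OSError as exc:
        log.error("upstream LDAP %s:%d unreachable: %s", upstream[0], upstream[1], exc)
        client.close()
        return
    log.info("forwarding %s:%d -> %s:%d", ip, port, upstream[0], upstream[1])
    threading.Thread(target=_pump, args=(client, up), daemon=True).start()
    threading.Thread(target=_pump, args=(up, client), daemon=True).start()


def serve(listen=LISTEN_ON, upstream=INTERNAL_LDAP):
    """Accept loop; each connection is checked and handled on its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen()
        while True:
            client, peer = srv.accept()
            threading.Thread(target=handle, args=(client, peer, upstream), daemon=True).start()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    serve()
```

The allow-list decision is kept in `is_allowed` so it can be unit-tested without opening sockets; the refused-connection log line is the signal a defender would forward to monitoring, since repeated refusals from one source are exactly what exposing an LDAP port to the internet invites. A host firewall rule restricting the same port to the same networks is the usual belt-and-braces companion to a check like this.
-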
VPN to Cloudron for LDAP is reasonable.
LDAP should only work for auth'd users, so externally it just needs an interface to do that.
One thing that comes up is that external LDAP users only should exist which means not allowing them to log in to the Cloudron dashboard is a thing.
-
@girish Absolutely, it really is just for having a master User record & Password for all the peripheral apps that support connection and then Cloudron could be a master on & off switch for each too.
@nebulon IF we get this, maybe worth considering making the Surfer user icon configurable, as I'd use some Surfer instances with .htaccess redirects to the 3rd-party apps, in the spirit of Cloudron being the gateway to all.
-
Custom Image installation for UCS for anyone looking into that option:
- https://docs.hetzner.com/robot/dedicated-server/operating-systems/installing-custom-images/
- https://www.univention.com/downloads/download-ucs/
- https://www.univention.com/blog-en/2020/05/register-your-own-account-new-self-service-for-suse-and-ucs/
- https://docs.software-univention.de/quickstart-en.html
-
@robi said in LDAP/AD Server:
VPN to Cloudron for LDAP is reasonable.
I think that would then mean that the external app has to be in the VPN, no?
-
@girish said in LDAP/AD Server:
@robi said in LDAP/AD Server:
VPN to Cloudron for LDAP is reasonable.
I think that would then mean that the external app has to be in the VPN, no?
Kind of... the app just needs to know to use the VPN interface for that need.
-
For interest, Hetzner will add the ISO to your account "Project(s)" as an available image to mount from, if you just email their support with the ISO url, ie:
Contabo will too - you just need to specify it in the notes on the checkout and add €25 for a Custom build setup in the options.
Having only just discovered this UCS from @luckow's nice recommendation, I now find myself quite interested in the KVM Apps too:
- https://www.univention.com/products/univention-app-center/app-catalog/kvm/
- https://www.univention.com/products/univention-app-center/app-catalog/uvmm/
We're just setting all this up now, so will report back on any discoveries.
-
@marcusquinn Don't get too excited about the uvmm app. It's discontinued for their next release. But most Univention users are using Proxmox for it anyways.
https://www.univention.com/blog-en/2020/12/ucs-5-0-discontinued-features/
-
@fbartels said in LDAP/AD Server:
Proxmox
Oh, thanks for the headsup. Is that this? https://www.univention.com/products/univention-app-center/app-catalog/sep-sesam/
I only started looking at UCS for LDAP services for 3rd party apps to integrate with like Unify. Now I'm down a rabbit hole of what else it can solve.
-
@marcusquinn No, this is Proxmox. https://proxmox.com/en/
Sesam is a backup application, not a machine management solution.
-
@marcusquinn Installing Proxmox on an already virtual server to create an HA cluster: yes, I think that would be naive.
Installing Proxmox on real hardware, spread over multiple data centers: that is what it was made for.