LDAP/AD Server

? Offline

LDAP to the world would be interesting. I could also see a usecase for something like a SAML provider to redirect apps to a cloudron instance for SSO.

marcusquinn

Big for this from me. What can we do to get this happening?

First use would be with Unify apps and devices, so Cloudron could be a single source of logins, and single place to decommissions logins too for those moving on.

? Offline

I think the only way this could be better is adding support for custom external apps added to the dashboard (they just link out).

marcusquinn

Just noting a link to a comment from @luckow on a similar post I made before seeing this one, with some alternative solution links: https://forum.cloudron.io/topic/4933/have-a-cloudron-instance-as-an-ldap-provider/6?_=1618906250553

I think this thread has the right ultimate goal - but that might be something I have to investigate an intermediary solution for if this doesn't get on the roadmap.

girish

I wanted to explain a bit why we have not exposed the LDAP: Cloudron has a minimal user database. This is exposed with LDAP protocol for the sake of app authentication. But it's not a real directory server. A real directory server requires storing a LOT more user information (well atleast that's what people expect from a real LDAP server) like say phone numbers, photos etc.

The other aspect is, of course, security. It's not a good idea to expose the LDAP server straight to the internets. We have to make some mechanisms to only allow specific IPs to connect to LDAP server etc. This is easily doable.

Are you ok with living the minimal user database limitation? If so, we can look into it.

robi

VPN to Cloudron for LDAP is reasonable.

LDAP should only work for auth'd users, so externally it just needs an interface to do that.

One thing that comes up is that external LDAP users only should exist which means not allowing them to log in to the Cloudron dashboard is a thing.

marcusquinn

@girish Absolutely, it really is just for having a master User record & Password for all the peripheral apps that support connection and then Cloudron could be a master on & off switch for each too.

@nebulon IF we get this, maybe worth considering making the Surfer user icon configurable, as I'd use some Surfer instances with .htaccess redirects to the 3rd-party apps, in the spirit of Cloudron being the gateway to all.

marcusquinn

Custom Image installation for UCS for anyone looking into that option:

girish

@robi said in LDAP/AD Server:

VPN to Cloudron for LDAP is reasonable.

I think that would then mean that the external app has to be in the VPN, no?

robi

@girish said in LDAP/AD Server:

@robi said in LDAP/AD Server:

VPN to Cloudron for LDAP is reasonable.

I think that would then mean that the external app has to be in the VPN, no?

Kind of.. the app just needs to know to use the VPN interface for that need.

marcusquinn

For interest, Hetzner will add the ISO to your account "Project(s)" as an available image to mount from, if you just email their support with the ISO url, ie:

https://updates.software-univention.de/download/images/UCS-Installation-amd64.iso

Contabo will too - you just need to specify it in the notes on the checkout and add €25 for a Custom build setup in the options.

Having only just discovered this UCS from @luckow 's nice recommendation. I now find myself quite interested in the KVM Apps too:

We're just setting all this up now, so will report back on any discoveries.

fbartels

@marcusquinn Don't get to excited about the uvmm app. Its discontinued for their next release. But most Univention users are using Proxmox for it anyways.

https://www.univention.com/blog-en/2020/12/ucs-5-0-discontinued-features/

marcusquinn

@fbartels said in LDAP/AD Server:

Proxmox

Oh, thanks for the headsup. Is that this? https://www.univention.com/products/univention-app-center/app-catalog/sep-sesam/

I only started looking at USC for LDAP services for 3rd party apps to integrate with like Unify. Now I'm down a rabbit hole of what else it can solve

fbartels

@marcusquinn No, this is Proxmox. https://proxmox.com/en/

Sesam is a backup application, not a machine management solution.

marcusquinn

@fbartels Nice! You like it?

Would it be naive thinking to try building a HA cluster based on multiple VPS instances across multiple providers?

fbartels

@marcusquinn Installing Proxmox on an already virtual server to create a ha cluster: yes, i think that would be naive.

Installing Proxmox on real hardware, spread over multiple data centers: that is what it was made for.

marcusquinn

@fbartels Cool - for performance, certainly agreed.

I was just thinking for testing purposes, I like to have a sandbox / staging version of everything we do, so not much point firing up 4 x bare metal racks with setup charges and minimum contracts just for that.

I guess the only way, as with everything is just try it and see what happens.

Back to the original thing with the need for LDAP. Do you or @luckow have any pointers on how we get UCS to see the outside world?

Looks like we need to expose port 636 but not found where yet. Anything else to be aware of?

fbartels

@marcusquinn personally i would try to connect to port 7636 instead as this is where their openldap is always listening (if you install their samba 4 ad mode, then samba would be listening at 636 instead).

Ucs has a firewall locally where these ports may need to be allowed for outside access, although on my test system they are generally open Soni don't think there is a default rule in place to close it down.

Then i would create a machine account for the cloudron host and use this account for the cloudron sided configuration.

marcusquinn

@fbartels Thanks, I'm running completely blind on this as I've not really found any documentation that gives any certainty on what's necessary or not, as one imagines every field has a reason and necessary action to create and highlight each value at the UCS end.

https://docs.cloudron.io/user-management/#external-ldap

fbartels

@marcusquinn I can imagine that the fields do not make much sense, if one has not really worked with ldap before.

Something like the following should work:

Server URL: ldaps://$your-univention-fqdn:7636
[x] Accept Self-signed certificate (since the univention ldap has a certificate from the ca on the univention system, better would of course be to import the univention ca on the cloudron host)
Base DN: cn=users,dc=your-univention,dc=fqdn
Filter: (objectClass=inetOrgPerson)
Username Field: uid

For the bind user I would again recommend to create a machine account on UCS. This is done from their management ui -> devices -> computers.
Click "add" select "Computer: Linux" as type and give the entry a name (for example "Cloudron"). After the item has been created open it and go to "Advanced settings" and unfold the "Account" entry. Here you can specify a password for your user.

Bind DN/Username (optional):  cn=Cloudron,cn=computers,dc=your-univention,dc=fqdn
Bind Password (optional): your choosen password

Now you can click on save on Cloudron and hit that sync button. If all worked out you should now see your ucs users (like their default administrator user) in the user list of your cloudron. These external entries have then a small addressbook picture behind their name to differentiate them from the native Cloudron users.

@nebulon feel free to use the above in your instructions at https://docs.cloudron.io/user-management/#external-ldap

edit: since were on the topic. I am using the following settings to sync groups as well:

Group Base DN: cn=groups,dc=your-univention,dc=fqdn
Group Filter: (objectClass=univentionGroup)
Groupname Field: cn

This then also gets some internal groups like "computers" and "printer-admins", but that does not bother me much.

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Cloudron Forum

LDAP/AD Server