LDAP/AD Server
-
@marcusquinn said in LDAP/AD Server:
@fbartels Thanks - so far UCS is a long way from intuitive. I feel like I got invited around for dinner and pointed at the kitchen while everyone else already ate.
A bit off topic but I love your analogies
-
@fbartels I keep trying to forget my Windows years but it seems the rest of the world is still there
We'll keep plugging away at this. Considering all we're looking for is just one master LDAP server. It seems a ripe opportunity for Cloudron to be that. Having a whole other VPS, OS & Platform for a single feature is kinda inefficient, but then the other options all look like vendor-lockin options.
-
@infogulch to be fair i did not look too much into the process of wrapping up apps in cloudron. if it's quite easy and flexible that could be an alternative for us
Still, sometimes i guess it's just easier / more convenient to keep things separated and integrate via LDAP. E.g. in cases where you might not want to give people access to the cloudron server (which i suppose they'd need to deploy the app).
-
uff just having read the whole thread: i didn't want to open up a Pandoras box with my comment for anyone, especially @marcusquinn. Thanks for looking into it!!
it's definitely more a nice-to-have feature for our organisation, so its absence won't keep me from pursuing cloudron -
@friep2 haha, someone has to be the lucky person to start any thread.
Just happens to be one I need to get to a "once and for all" solution now as it's a PITA without, nothing more frustrating than time wasted that doesn't need to be.
Making progress with the UCS setup alternative, and will try and post a step-by-step guide once we've gathered all those good pointers and followed it all through to working.
-
OK, so we have Cloudron and Univention Corporate Server (UCS) connected and seemingly working.
A couple of questions:
- "Automatically create users when they login to Cloudron" - is this just creating Cloudron Users when someone tries to login that has a USC login/pass but not yet a Cloudron User?
- Is there any way to sync Cloudron Users upstream to UCS?
- Does this support SSO?
-
- It's only creates users in Cloudron, if the user exists in UCS. This is where the self-service platform comes in.
- No. (not in my understanding of the external LDAP connection from Cloudron side).
- good question If you've tried it out, please share your wisdom with us.
Attention:
- The allowed characters for UCS & Cloudron users are different. You can create UCS users which never allowed to login into Cloudron because of the character limitations in Cloudron. https://docs.cloudron.io/user-management/#valid-usernames
Sorry I never managed a kind of policy to disallow special characters on UCS. - The email address which Cloudron needs (without an email, the user doesn't exist) is labeled
primary email address
on UCS side.
-
@marcusquinn said in LDAP/AD Server:
Does this support SSO?
That is why I suggested to run UCS in your local network. You could SSO with Kerberos from your workstation and then be directly signed into configured saml and oidc applications (and Kerberos of course as well). This only has two downsides:
- their sso clashes with their lets encrypt app, which requires manual work after the first certificate has been retrieved.
- this all does not touch Cloudron anymore, except you mod applications on Cloudron for one of the above auth methods
-
Thank you both @luckow & @fbartels I feel this thread is a useful repo for gathering all the experience and getting this it's own Cloudron documentation.
We'll add anything we've learned and steps along the way to get whatever we can working.
Something I'm not sure that anyone knew before was that both Hetzner and Contabo will offer access to the custom ISO to install from if you ask them nicely and send them the correct public link to it.
Hetzner I know we can create a Network within, I've not needed to try that with Contabo yet though.
I've also learned about Proxmox, and that could be worthy of it's own dedicated how-to thread and documentation here, given the utility it can offer self-hosting on bare metal on premises or leased.
The community experience here is priceless!
-
Replying here since this is the largest collection of ldap specific topics on this forum.
My cloudron installation is around longer than the cloudron external ldap support. When configuring an external ldap users with a conflicting username (same username already exists on cloudron) get skipped on synchronisation. Which is generally a good thing. But I still wanted to transfer password management for some of these users to my ldap.
This can be done by running the following command from the shell of the cloudron host (only change
the-user-i-want-to-change
to the actual user):mysql -uroot -ppassword -e 'update users set source="ldap" where username="the-user-i-want-to-change";'
-
@girish said in LDAP/AD Server:
@robi said in LDAP/AD Server:
VPN to Cloudron for LDAP is reasonable.
I think that would then mean that the external app has to be in the VPN, no?
I'll be releasing my VPN Client for Cloudron over summer if that helps.
-
@fbartels Top post. Thank you.
One (maybe) last question: do you have a solution for the different allowed characters in UCS and Cloudron usernames? My idea is to have some kind of profile with only allowed characters on the UCS side. See https://docs.cloudron.io/user-management/#valid-usernames for characters allowed in Cloudron. -
Thanks @luckow
Yes, I have seen the question that @BrutalBirdie posted at https://help.univention.com/t/restrict-username-allowed-characters/17280 as well. But no, I am not aware of a way to limit characters with the ucs self registration.
-
-
Not sure if it was already mentioned here, but there is https://github.com/mitchellurgero/cloudron-ldap-proxy by @murgero. It's downside is however that the connection is not encrypted.
A potential improvement over this would be to have a small app, that generates a custom ssl ca and serves its root cert over a small webserver. Then you use the same ca to provide a certificate to stunnel, which simply passes through the otherwise internal Cloudron ldap.
Then at least the communication would be secured, but it may still be an idea to limit who can actually reach that port through your firewall.
As a custom build this is quite easily doable, as an official app its probably too special.
-
@fbartels Thank you kindly! @vladimir-d is working on this issues, and we may try pulling in extra help too.
All ideas are welcome as we are heads-deep in plugging the knock-on consequences if these still unsolved things.
I wish I could find the time to show more people what they will get back from us in development investment, but I can't do any of these things while blocker issues have become day & night urgencies.
-
It looks like my friends at Aporeto.com got acquired by PaloAlto Networks. They have an OSS projects called Trireme - https://github.com/aporeto-inc
Trireme, an open-source library curated by Aporeto to provide cryptographic isolation for cloud-native applications. Trireme-lib is a Zero-Trust networking library that makes it possible to setup security policies and segment applications by enforcing end-to-end authentication and authorization without the need for complex control planes or IP/port-centric ACLs and east-west firewalls.
Trireme-lib supports both containers and Linux processes as well user-based activation, and it allows security policy enforcement between any of these entities.
A good tool for Cloudron as well as securing LDAP across machines.
-
At my place of work we developed a small golang ldap server some months ago. I have spent some time this weekend packaging this project up for cloudron and also have included an openid connect provider.
The ldap server is really simple, it basically takes an existing ldif as input and serves this out to any authenticated user. It does not even allow modifying items through e.g. ldapmodify, but requires the ldif on disk to be changed.
LDAP and OpenID Connect Provider are part of the https://libregraph.github.io/ project.
If someone is interested in trying out the app please send me a direct message.
-
@robi said in LDAP/AD Server:
It looks like my friends at Aporeto.com got acquired by PaloAlto Networks. They have an OSS projects called Trireme - https://github.com/aporeto-inc
I think this needs to be revisited for Cloudron 7+ to easily manage which app can talk to which by policy. /cc @staff
-