I have a lot of different services which I self host for me and my family like:
- PeerTube
- Lemmy
- Mastodon
- Synology NAS
- TTRSS
- NextCloud
- Matrix
- HomeAssistant
- etc.
Right now every family member needs to create a user on each of those services and have a different password on them, which is OK when you use a Password Manager, but most of my extended family members don’t. And they often forget their password and stop using the service because they can’t figure out how to reset the password with each and every service.
I would like to try to consolidate all of it with a Single Sign-On (SSO) solution but it’s not obvious to me if there is one which is not overly over engineered for hundreds of thousands of users but small and lightweight, perhaps even easy to set up.
I tried OpenLDAP but Jesus that was very involved.
vegetaaaaaaa@lemmy.world 1 year ago
OpenLDAP is easy :) Once you understand LDAP concepts.

Check this and read through the `tasks/` directory (particularly `openldap.yml` and `populate.yml`). It sets up everything needed for an LDAP authentication service (if you don’t use ansible you can still read what the tasks do and you should get a pretty good understanding of what’s needed, if not let me know).

In short you need:
- `slapd` (the OpenLDAP server)
- […] (`system`, `users` and `groups`)
- […] `admin` under the `system` OU)
- `bind` user in the LDAP directory (unprivileged account that can only list users/groups) (mine is `bind` under the `system` OU)
- […] `PosixGroup`) to map users to their roles (e.g. only users in `access_jellyfin` are allowed to login to jellyfin)

When you login to an application/service configured to use the LDAP authentication backend, it connects to the LDAP directory using the `bind` user credentials, and check that the user exists/check that the password you provided matches the hash stored in the LDAP directory. Additionally it can check that the user is part of the required groups. Then it allows or denies access.

There’s not much else to it:
- […] `bind` account but I wouldn’t recommend it (either configure your applications to use the `admin` user in which case they have admin access to the LDAP directory… not good. Or allow anonymous read-only access to the LDAP directory - also not ideal).
- `slapd` stores its configuration inside the LDAP directory itself, so to access or modify it you have to use LDIF files and the `ldapadd`/`ldapmodify` commands, or use a convenient wrapper like the ansible modules used above.
- `jane.doe` in OU `Users` in the directory for domain `example.org` has the Distinguished Name (DC) `cn=jane.doe,ou=Users,dc=example,dc=org`
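The bind, user lookup, password check and group check described in the reply above, as an added example that is not part of the thread, modelled against a constructed in-memory directory instead of a live `slapd`. The `bind` account, `jane.doe`, the `system`/`Users`/`groups` OUs and the `access_jellyfin` group are the reply's names; the passwords and the second user `john.roe` are made up.

```python
import base64
import hashlib
import hmac
import os

BASE = "dc=example,dc=org"

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(password+salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed stand-in for the directory layout the reply describes: an unprivileged
# bind account under ou=system, people under ou=Users, posixGroups under ou=groups.
DIRECTORY = {
    f"cn=bind,ou=system,{BASE}": {"userPassword": ssha_hash("bind-secret")},
    f"cn=jane.doe,ou=Users,{BASE}": {"uid": "jane.doe", "userPassword": ssha_hash("hunter2")},
    f"cn=john.roe,ou=Users,{BASE}": {"uid": "john.roe", "userPassword": ssha_hash("letmein")},
    f"cn=access_jellyfin,ou=groups,{BASE}": {"objectClass": "posixGroup", "memberUid": ["jane.doe"]},
}

def authenticate(bind_dn, bind_pw, uid, password, required_group):
    """Mimic an application's LDAP login; returns (allowed, reason)."""
    # 1. The application connects with the unprivileged bind account's credentials.
    bind_entry = DIRECTORY.get(bind_dn)
    if not bind_entry or not ssha_verify(bind_pw, bind_entry["userPassword"]):
        return False, "bind account rejected"
    # 2. Search ou=Users for the entry whose uid matches the login name.
    user = next((e for dn, e in DIRECTORY.items()
                 if dn.endswith(f"ou=Users,{BASE}") and e.get("uid") == uid), None)
    if user is None:
        return False, "user not found"
    # 3. Verify the password against the stored hash (a real client usually does this by
    #    binding a second time as the user's own DN and letting slapd do the comparison).
    if not ssha_verify(password, user["userPassword"]):
        return False, "wrong password"
    # 4. Require membership in the application's posixGroup (memberUid lists uids).
    group = DIRECTORY.get(f"cn={required_group},ou=groups,{BASE}", {})
    if uid not in group.get("memberUid", []):
        return False, f"not a member of {required_group}"
    return True, "ok"
```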