Simple guide to self hosted authentication?

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨andy47@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

I’d like to set up my identity and authentication service for my self hosted applications but it is not a beginner friendly subject.

I’m aware of the various tools available; authentik, authelia, LLDAP, keycloak, etc and see lots of useful discussions on them which is great.

But I can’t seem to find a beginner friendly introduction to setting up one or more of these tools that helps me understand the core concepts at the same time. Does such a thing exist?

I’d like to try out LLDAP and Authelia on my home lab and then possibly roll this out to my production services.

But every tutorial I’ve come across seems to assume a fair amount of knowledge that I don’t think I have.

For instance if I deploy LLDAP what should I use as my base DN? And how can I seperate a homelab directory from a seperate production directory?

Any pointers gratefully received.

source

Comments

Sort:hotnew top

cooopsspace@infosec.pub ⁨1⁩ ⁨year⁩ ago
Simplest would be Authelia and Swag.

Swag comes with prewritten config files and all you really need to do is uncomment a few lines and make sure it’s pointed to your service.

Linuxserver.io guides are good for this.

I ended up landing on Keycloak and I believe I set mine up using the ansible script, again it’s a matter of plugging in some details.

source
- andy47@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Thanks for the pointer, I’ll check it out. I don’t think I’ve come across SWAG before, and a web search comes up with lots of references to sleeping bags (I’m in Australia - outbackreview.com.au/best-swags-australia/). Could you provide pointers and/or a homepage? Thanks in advance.
  
  source
  - andy47@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Ok, I found this - linuxserver.io/…/2020-08-26-setting-up-authelia.
    
    Which, if I’m reading it correctly tells me that SWAG (Secure Web Application Gateway) is essentially a web server, reverse proxy with lets encrypt support. It doesn’t seem to do any authentication.
    
    Authelia is a component of an identity and authentication solution that provides single sign on and 2FA but, crucially, does not include a user directory, by default it uses a YAML file but can be connected to an LDAP server - www.authelia.com/overview/…/first-factor/
    
    Which I think goes towards the point in my original post - none of this is simple so I’d like a nice explanation that helps me understand what I need running, how they work together and what settings to use.
    
    source
    -> View More Comments
  - cooopsspace@infosec.pub ⁨1⁩ ⁨year⁩ ago
    Secure Web Application Gateway.
    
    And something like “swag selfhosted” or “swag linuxserver” would have been a better search term. You need to lead the horse at least slightly in the direction of water when it comes to Google searches.
    
    source
  - theghostoutside_@aussie.zone ⁨1⁩ ⁨year⁩ ago
    Haha how good. SWAG is a reverse proxy using Nginx. I use the Docker container.
    
    source
  - gdog05@lemmy.world ⁨1⁩ ⁨year⁩ ago
    I think you have to look for nginx in the swag search github.com/linuxserver/docker-swag
    
    source
notfromhere@lemmy.one ⁨1⁩ ⁨year⁩ ago
I know this isn’t what you’re asking for but I think this is still a good starting point. Like you correctly surmised, identity and authentication management is not an easy subject and does require extensive experience and theory.

source
rentar42@kbin.social ⁨1⁩ ⁨year⁩ ago
I don't have a simple guide, but it's probably a good idea to reduce the number of moving parts if you're trying to keep stuff simple. So pick something that has all the features in-one (user management, authentication, authorization, ...). They might not be the best at ever single thing (they almost certainly won't), but doing it all usually means that it's easier to configure and you don't need to wire multiple things together.

I've recently moved from Authelia to Authentik due to some features that I was missing/wishing for, but between those two I'd definitely say Authenlia is easier to get running initially (and you don't need external LDAP for it, as others have mentioned).

You'll probably still need a proxy that can do proxy auth because not all services can do OICD/OAuth2. I'm using Traefik, but heard that Caddy is easier to set up initially (can't compare myself).

source
Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨year⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

DNS Domain Name Service/System

HTTP Hypertext Transfer Protocol, the Web

nginx Popular HTTP server

[Thread #171 for this sub, first seen 28th Sep 2023, 05:25] [FAQ] [Full list] [Contact] [Source code]

source
dinosaurdynasty@lemmy.world ⁨1⁩ ⁨year⁩ ago
Hint: you don’t have to use ldap to use authelia (I haven’t bothered). It’s a bit awkward to use though, I’d only recommend it for single-user setups (I wish they would just add support for SQLite, they already use it for 2fa and stuff)

source
conrad82@lemmy.world ⁨1⁩ ⁨year⁩ ago
I use nforwardauth and caddy for authentication, I think it is one of the simplest solutions github.com/nosduco/nforwardauth

source
vegetaaaaaaa@lemmy.world ⁨1⁩ ⁨year⁩ ago

what should I use as my base DN?

I posted this a while ago about LDAP basics: lemmy.world/comment/1539633

The base DN is usually the DN under which your user accounts (inetOrgPersons) can be found. In my case it is ou=users,dc=example,dc=org.

source

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
nginx	Popular HTTP server