OpenLDAP is easy :) Once you understand LDAP concepts.

Check this and read through the `tasks/` directory (particularly `openldap.yml` and `populate.yml`). It sets up everything needed for an LDAP authentication service (if you don't use ansible you can still read what the tasks do and you should get a pretty good understanding of what's needed, if not let me know). In short you need:

- `slapd` (the OpenLDAP server)
- `system`, `users` and `groups`
- `admin` directly at the base of the LDAP directory
- `bind` user in the LDAP directory (unprivileged account that can only list/read users/groups) (mine is `bind` under the `system` OU)
- `access_jellyfin` are allowed to log in to jellyfin

When you log in to an application/service configured to use the LDAP authentication backend, it connects to the LDAP directory using the `bind` user credentials, and checks that the user exists (depending on how you configured the application either by name, uid, email...), that the password you provided matches the hash stored in the LDAP directory, optionally that the user is part of the required groups. Then it allows or denies access.

There's not much else to it:

- `bind` account but I wouldn't recommend it (either configure your applications to use the `admin` user in which case they have admin access to the LDAP directory... not good. Or allow anonymous read-only access to the LDAP directory - also not ideal).
- `slapd` stores its configuration (admin user/password, log level...) inside the LDAP directory itself as attributes of a special entity (`cn=config`), so to access or modify it you have to use LDIF files and the `ldapadd`/`ldapmodify` commands, or use a convenient wrapper like the ansible modules tools used above.
- `jane.doe` in OU `users` in the directory for domain `example.org` has the Distinguished Name (DC) `cn=jane.doe,ou=users,dc=example,dc=org`. Think of it like `/path/to/file`.
- `inetOrgPerson`s, groups are `posixGroup`s...) and attributes (`uid`, `cn`, `email`, `phonenumber`...). Usually applications that support LDAP come with predefined filters to look for users in specific groups, etc.
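As an added illustration (not the commenter's playbook or any project's code), here is an LDIF sketch of the layout the comment describes: the `system`, `users` and `groups` OUs, a read-only `bind` service account, the `jane.doe` user with its path-like DN, and the `access_jellyfin` group, followed by an `olcAccess` ACL that lets the bind account search and read users/groups but never read password hashes or write. The `dc=example,dc=org` base and entry names follow the comment; the `{1}mdb` database index, `gidNumber`, mail address and the `REPLACE_WITH_slappasswd_OUTPUT` hash placeholders are assumptions.

```ldif
# Constructed example, base dc=example,dc=org (not the commenter's playbook)
dn: ou=system,dc=example,dc=org
objectClass: organizationalUnit
ou: system

dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit
ou: groups

# Unprivileged account that applications use to look up users and groups
dn: cn=bind,ou=system,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: bind
userPassword: {SSHA}REPLACE_WITH_slappasswd_OUTPUT

# A user; its DN is path-like: cn=jane.doe,ou=users,dc=example,dc=org
dn: cn=jane.doe,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
cn: jane.doe
sn: Doe
uid: jane.doe
mail: jane.doe@example.org
userPassword: {SSHA}REPLACE_WITH_slappasswd_OUTPUT

# Members of this group are the ones allowed to log in to Jellyfin
dn: cn=access_jellyfin,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: access_jellyfin
gidNumber: 10001
memberUid: jane.doe

# --- ACL, applied separately to cn=config (assumed database index {1}mdb) ---
# userPassword: owner may change it, anyone may *authenticate* against it
# (needed for the user's own bind), nobody may read the hash. The bind
# account gets read on users and groups only; the rootdn admin bypasses ACLs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=org"
  by dn.exact="cn=bind,ou=system,dc=example,dc=org" read by self read by * none
olcAccess: {2}to dn.subtree="ou=groups,dc=example,dc=org"
  by dn.exact="cn=bind,ou=system,dc=example,dc=org" read by * none
olcAccess: {3}to dn.base="dc=example,dc=org" by users read by * none
olcAccess: {4}to * by * none
```

The two parts are shown together only for brevity: load the entries with `ldapadd` as the admin user, and the ACL record with `ldapmodify` against `cn=config` (typically over `ldapi:///` with `-Y EXTERNAL`). Rule `{3}` exists so that an application whose search base is the directory root can still descend into `ou=users` and `ou=groups` as the bind user.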