20
submitted 2 months ago by kevincox@lemmy.ml to c/selfhosted@lemmy.world

Is there any service that will speak LDAP but just respond with the local UNIX users?

Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.

I noticed that a lot of services support LDAP auth, but I don't want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).

The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.

(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)

you are viewing a single comment's thread
view the rest of the comments
[-] kevincox@lemmy.ml 3 points 2 months ago

Yes, LDAP is a general tool. But many applications that I am interested in using it for user information. That is what I want to use it for. I'm not really interested in storing other data.

I think you are sort of missing the goal of the question. I have a bunch of self-hosted services like Jellyfin, qBittorrent, PhotoPrism, Metabase ... I want to avoid having to configure users in each one individually. I am considering LDAP because it is supported by many of these services. I'm not concerned about synchronizing UNIX users, I already have that solved. (If I need to move those to LDAP as well that can be considered, but isn't a goal).

[-] just_another_person@lemmy.world 2 points 2 months ago

Then it's the same situation. Find a box, setup an LDAP service, populate it, and you're good to go. That's it.

[-] kevincox@lemmy.ml 1 points 2 months ago

The concern is that it would be nice if the UNIX users and LDAP is automatically in sync and managed from a version controlled source. I guess the answer is just build up a static LDAP database from my existing configs. It would be nice to have one authoritative system on the server but I guess as long as they are both built from one source of truth it shouldn't be an issue.

[-] just_another_person@lemmy.world 2 points 2 months ago

You're thinking too hard about this.

There needs to be a source of truth. LDAP is just a simple protocol that can be backed by whatever. You're worried about the LDAP server going down, but guess what? It's all in flat files. Go ahead and set it up in a bit repo for config management service for the server/protocol portion, and backup the DB. Easy peasy.

You can also cluster your LDAP service amongst all of your nodes if you have 3+ nodes and un-even number of them to ensure consensus amongst them. You can even back LDAP with etcd if you really want to go down that road.

You're being paranoid about what happens if LDAP goes down, so solve for that. Any consumer of LDAP should be smart enough to work on cached info, and if not, it's badly implemented. Solve for the problem you have, not for what MIGHT happen, or else you're going to paranoid spiral like you are now because there is no such thing as a 100% effective solution to anything.

this post was submitted on 07 Sep 2024
20 points (85.7% liked)

Selfhosted

40330 readers
261 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS