While Authelia is quite a cool "infra-as-code" tool, since you have your entire configuration in YAML form, for those not willing to spend a few evenings configuring SSO there is authentik [1], which features a management UI.
It offers a similar feature set and is also self-hostable, but most importantly it is simple to set up. I've spent 8h on an Authelia deployment where 30 minutes in authentik would have been sufficient. But both are good options; pick what you prefer.
Kanidm is another similar tool for user management that I've been enjoying. It has a strong focus on safe defaults and supports exposing the users via LDAP out of the box. It's fairly simple to set up as well, but I feel like it sometimes expects the users to be fairly technical.
Bizarre coincidence. I just ran into lldap for the first time earlier today. I built it on Windows for fun. I'm new to Rust and it was surprisingly easy (and only needed very slight modification).
If I were going to support Windows clients on the hypothetical home network, however, I'd use Samba as a Domain Controller and use the LDAP server there. That gets you SSO to Windows clients too.
Those who do not want to choose e-mail as the notification method can take a look at ntfy.sh (https://github.com/binwiederhier/ntfy). You can receive notifications via your smartphone (Android, iOS). A self-hosted server can also be used.
I've used FreeIPA[1] in the past; it wasn't especially easy to set up, but it is well designed, documented, and supported. Plus, it's able to manage certificates. But to use more "modern" techs like OpenID, Keycloak will be needed.
Getting this stack set up is not as complicated as this post makes it seem... LLDAP is great and the dev was very responsive when I had issues with some early builds.
Plenty of documentation around on getting Authelia set up, and connecting it to LLDAP is also pretty straightforward.
LLDAP dev here, I'm glad you found the project easy to set up! That was one of the main motivations for creating it, after struggling to set up OpenLDAP.
LLDAP dev here! I'm happy to see it on the front page :)
I made LLDAP specifically because it was very complicated to get OpenLDAP up and running, and it was resource heavy for a handful of users on a self-hosted server.
If you have any questions, AMA!
I want to set up something like this for my home network. The one thing missing that I'd also like is a way for users to log in to Windows machines using these credentials. I understand that is also possible via Kerberos, but... Well, it takes some time to understand these things, me not doing a whole lot of sysadmin work.
...
It also seems the author has a more recent post about using Samba as an AD controller, and that would be an alternative to this setup right here:
I'd go the Samba Domain Controller route, personally. Of any way to do it I think that would give you the smallest sysadmin "burden". You'll also get Group Policy functionality, which is useful for standardizing configurations across your Windows clients (if that's a thing you need).
Keycloak has Kerberos+LDAP federation built in. I wrote a blog post on how to self-host Keycloak [1]. If you don't do theming, it is quite quick to set up. I just updated the blog post for version 25.0.1.
There are a few people who looked into getting Samba to plug into LLDAP. I haven't looked myself, but I seem to remember that the main obstacle was not insurmountable (the last-modified timestamp for users).
I use Authelia with Nginx Proxy Manager talking to it for auth; it works well. I haven't externalized the users since I only have a few to deal with, but it's cool having an entire suite of sites protected, and it provides HTTP headers to grab the logged-in user's information.
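The forward-auth setup the comment above describes, as an added example that is not the commenter's configuration and not copied from the Authelia or LLDAP projects: nginx asks Authelia to authorize each request with a subrequest, then copies the identity headers Authelia returns onto the request it proxies to the application. Assumptions (not from the thread): Authelia is reachable at http://authelia:9091 with its portal at https://auth.example.com, the protected app is at http://app:8080, and the nginx auth-request endpoint path is /api/authz/auth-request (the Authelia 4.38+ default; check the docs for your release). nginx must be built with ngx_http_auth_request_module.

```nginx
# Added example, not from the original thread. Host names, ports and the
# Authelia endpoint path are assumptions; adjust them to your deployment.
server {
    listen 443 ssl;
    server_name app.example.com;

    # Subrequest target only: "internal" means a client cannot request it directly.
    location /internal/authelia/authz {
        internal;
        proxy_pass http://authelia:9091/api/authz/auth-request;

        # Tell Authelia which request is being authorized.
        proxy_set_header X-Original-URL    $scheme://$http_host$request_uri;
        proxy_set_header X-Original-Method $request_method;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $http_host;

        # The authorization check needs headers only, never the request body.
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        # Every request is authorized by the subrequest before it is proxied.
        auth_request /internal/authelia/authz;

        # Capture the identity headers Authelia sets on a successful subrequest.
        auth_request_set $user   $upstream_http_remote_user;
        auth_request_set $groups $upstream_http_remote_groups;
        auth_request_set $name   $upstream_http_remote_name;
        auth_request_set $email  $upstream_http_remote_email;

        # Set them on the upstream request. proxy_set_header replaces any value
        # the client sent, so a user cannot smuggle their own Remote-User in.
        proxy_set_header Remote-User   $user;
        proxy_set_header Remote-Groups $groups;
        proxy_set_header Remote-Name   $name;
        proxy_set_header Remote-Email  $email;

        # Authelia answers 401 for an unauthenticated request; send the user to
        # the portal, which returns them to the original URL via "rd" afterwards.
        set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        proxy_pass http://app:8080;
    }
}
```

The security-relevant point is that the application trusts Remote-User and friends unconditionally, so it must be reachable only through this proxy (bind it to localhost or an internal Docker network, not a published port). A quick check is to request the app directly with a forged header, for example `curl -H 'Remote-User: admin' http://app:8080/`, from outside the proxy's network; if that succeeds, the headers are not protecting anything.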
This caught my eye and I started reading over it but my eyes glazed over after a couple of sections of setting up various docker containers in various zfs directory structures and editing toml configuration files and zzzz…
Here’s a hint: for 99.999% of potential users, including 99.9% of motivated, technically savvy users, if I need to know the directory structure of your software, then you already failed.
I appreciate that you went through all the pain and learning and effort to figure out how to set all this up AND went to the trouble to write down a how to guide.
I hope someone comes later and bundles it up into a script I can launch that will prompt me for the various config options and then set it all up for me.
I'd love to be wrong, but I suspect that it is quite a narrow niche of users that a) are willing to run their own identity and auth servers but b) aren't so persnickety about their software that they would be cool with some wizard to set it all up automagically.
I disagree; it seems like a pretty standard structure of one directory per app and, inside that, subfolders for configuration, secrets, and various opaque data. Not complicated at all really.
BonusPlay|1 year ago
1: https://goauthentik.io/
Vaslo|1 year ago
ShaddyDC|1 year ago
nitnelave|1 year ago
EvanAnderson|1 year ago
nitnelave|1 year ago
diskopanzer|1 year ago
methou|1 year ago
-- [1] https://www.freeipa.org/
kayson|1 year ago
nitnelave|1 year ago
nitnelave|1 year ago
RealityVoid|1 year ago
https://helgeklein.com/blog/samba-active-directory-in-a-dock...
EvanAnderson|1 year ago
SteveNuts|1 year ago
https://www.freeipa.org/page/Windows_authentication_against_...
Helmut10001|1 year ago
[1]: https://du.nkel.dev/blog/2024-02-10_keycloak-docker-compose-...
nitnelave|1 year ago
mike503|1 year ago
efitz|1 year ago
hamandcheese|1 year ago
fesc|1 year ago
oriettaxx|1 year ago