Is there any service that will speak LDAP but just respond with the local UNIX users?
Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.
I noticed that a lot of services support LDAP auth, but I don’t want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).
The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.
(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)
I think you’re missing the point of LDAP then. It’s a centralized directory used for querying information. It’s not necessarily about user information, but can be anything.
What you’re asking for is akin to locally hosting a SQL server that other machines can talk to? Then it’s just a server. Start an LDAP server somewhere, then talk to it. That’s how it works.
If you don’t want a network service for this purpose, then don’t use LDAP. If you want a bunch of users to exist on many machines without having to manually create them, then use LDAP, or a system configuration tool that creates and keeps them all eventually consistent.
Yes, LDAP is a general tool. But many applications that I am interested in using it for user information. That is what I want to use it for. I’m not really interested in storing other data.
I think you are sort of missing the goal of the question. I have a bunch of self-hosted services like Jellyfin, qBittorrent, PhotoPrism, Metabase … I want to avoid having to configure users in each one individually. I am considering LDAP because it is supported by many of these services. I’m not concerned about synchronizing UNIX users, I already have that solved. (If I need to move those to LDAP as well that can be considered, but isn’t a goal).
Then it’s the same situation. Find a box, setup an LDAP service, populate it, and you’re good to go. That’s it.
The concern is that it would be nice if the UNIX users and LDAP is automatically in sync and managed from a version controlled source. I guess the answer is just build up a static LDAP database from my existing configs. It would be nice to have one authoritative system on the server but I guess as long as they are both built from one source of truth it shouldn’t be an issue.
You’re thinking too hard about this.
There needs to be a source of truth. LDAP is just a simple protocol that can be backed by whatever. You’re worried about the LDAP server going down, but guess what? It’s all in flat files. Go ahead and set it up in a bit repo for config management service for the server/protocol portion, and backup the DB. Easy peasy.
You can also cluster your LDAP service amongst all of your nodes if you have 3+ nodes and un-even number of them to ensure consensus amongst them. You can even back LDAP with etcd if you really want to go down that road.
You’re being paranoid about what happens if LDAP goes down, so solve for that. Any consumer of LDAP should be smart enough to work on cached info, and if not, it’s badly implemented. Solve for the problem you have, not for what MIGHT happen, or else you’re going to paranoid spiral like you are now because there is no such thing as a 100% effective solution to anything.
What’s wrong with LDAP for users? (I’m trying to think of a negative, and can’t).
Yet another service to maintain. If the server is crashing you can’t log in, so you need backup UNIX users anyways.
Then you don’t understand how it works with local auth services.
deleted by creator
Your local auth services are configured to use LDAP as a source, whatever your local auth mechanism is checks credentials, and then you’re auth’d or not. Some distros have easy to use interfaces to configure this, some don’t, but mostly it’s just configuring pam.d (for Linux), and a caching daemon of some sort to keep locally cached copies of the shadow info so you can auth when the LDAP server can’t be contacted (if you’ve previously authenticated once). You can set up many different authentication sources and backends as well, and set their preferences, restrictions, options…etc.
RHEL/Fedora examples: https://www.redhat.com/sysadmin/pam-authconfig
Debian examples: https://wiki.debian.org/LDAP/PAM
You need backup local admin accounts, not Backups for each user.
Which is how enterprise does things. There are local accounts with root access, but the id’s and passwords are tightly controlled.
Against which regular user database?
Look into Single Sign-On services (SSO) like Authelia, Authentik, or KeyCloak. Most SSO tools do the sorts of things you’re looking for. Some will talk to the native UNIX user store. I do agree with the others, though: if you’re this far along, then it’s time to spin up LDAP and SSO, but this might be the same tool in your case.
But the problem is that most self-hosted apps don’t integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.
deleted by creator
I use NixOS.
Meaning what?
NixOS makes it very easy to declaratively configure servers. For example the users config to manage UNIX users: https://nixos.org/manual/nixos/stable/options#opt-users.users
That’s not much of an answer, I’m not reading docs because you can’t be bothered. I don’t use NixOS, so if you want to use that as an example, you’ll need to put in the effort to explain how it’s different.
If you don’t want to use LDAP, don’t. Then you get to manage each user account on each device.
To be frank, it seems like you have an adversarial attitude about this, and you think NixOS is the answer. Every one of your responses has been “but” whatever. You don’t seem like you want to understand how to use things, just complain it doesn’t work the way you think it should.
