Hey everyone,
How do you do user management, I have a small handful of users that want one password for physical machines and for web apps. I was looking at KanIDM but I was wondering what other people use?
Edit: I would like to only use one piece of software if possible.
The Single Sign-On Multi-Factor portal for web apps
I use an LDAP server, as it’s pretty much designed for exactly this task. You can tell PAM to authenticate and authorise from it to manage logins to the physical machines, and web apps typically either have a straightforward way to use LDAP, or support ‘external’ auth, with your web server handling the authentication and authorisation for it.
OpenLDAP is a solid, easily self hosted server. If you like working from the shell it has everything you need. If you prefer a GUI there are a variety of desktop and web based management frontends available.
I’ve been toying with the idea of standing it up. Any recommendations for the GUI side?
I confess I normally work from the command line, but I have set up LDAPAdmim for projects where others needed to manage the directory, and it worked pretty well.
I got ya. Took a quick look at that link and it looks like the client is Windows specific which is frowned upon and permanently blacklisted in this house!!!
Still, I appreciate the reply
That’s what comes of late night posting, I’d meant to link you to PHPLDAPAdmin, not LDAPAdmin! It’s written in PHP, which isn’t lovely, but it does it’s job.
I use openLDAP + LDAP Account Manager and Self-service password. Deployed/managed through this ansible role
Well…. you just blocked off my calendar for the weekend!
I don’t have the exactly solution for you, but I went through this a while ago and came up with using openLDAP for this. It’s not tidy at all, but it was a tremendous learning experience, and I documented it in 2 blog posts which may be interesting to you; I doubt you’ll want to do what I did, but it was informative and has worked flawlessly since. I documented some of the flaws I found in options I considered at the time:
https://www.surfrock66.com/openldap-kerberos-and-sasl-my-experience-in-the-homelab/
