this post was submitted on 15 Nov 2023
0 points (50.0% liked)

Homelab

380 readers
9 users here now

Rules

founded 1 year ago
MODERATORS
 

Hello fellow labberators

I would like to manage users, passwords and groups among my (mostly) ubuntu machines and as I understand it, this is what LDAP is for. I have also read that i need kerberos for authenticating nfs shares.

I will ideally be running all these services on a proxmox server but i cant figure out where to start. What order should I do them in and should i run a separate machine/ct for each or all in one?

Thanks

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 11 months ago

You could use also UCS: https://www.univention.com/products/ucs/functions/ At least it can point you in right direction, everything that could make sense is already built in there and there is a free community version

[–] [email protected] 1 points 11 months ago (1 children)

You need to explain in high detail your top-view actual needs. If you need NFS, you MIGHT want to be using Kerberos, but you might also get away without using it depending on your network configuration and actual security requirements.

[–] [email protected] 1 points 11 months ago (1 children)

Not the op, but... I wish there was a simple way to centralize users, uids, gids, group membership, and maybe even ssh keys across hosts. Ideally this would be as simple as install package on new host, point at server, wait. I'd settle for managing Windows users and samba separately.

It would also be really cool if there was some easy integration with proxmox LXCs to enable mapping a list(s) of uids/gids into unprivileged containers.

Really long term homedirs, and windows user folders. So my kids and i could just hot desk at any computer in the house. I'd settle for just mounting a drive with their files.

[–] [email protected] 1 points 11 months ago

Yes! Im surprised that in 2023 there's no straightforward way of keeping users, files and settings in sync between machines on a OS that is supposedly good at networking

[–] [email protected] 1 points 11 months ago (1 children)

I propose you to try Freeipa in a docker container on one of your ubuntu server. It gives all functionality you requested and it is very easy to use. Biggest downside is that Freeipa create a Trust Authority certificate issuer and all users/computer using your internal domain will need to install the Authority Certificate to not get an error when validating personal certificate. Apart from that it is working very well.

[–] [email protected] 1 points 11 months ago (1 children)
[–] [email protected] 1 points 11 months ago (1 children)

Here are some of my notes.

You need to have a hostname set up on the server:

hostnamectl set-hostname your-server.domain.internal

You will need an entry in /etc/hosts defining the IP of the service with the hostname.

vi /etc/hosts

10.0.0.10 your-server.domain.internal

mkdir /opt/freeipa

docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 --name $(hostname -s) -ti -h $(hostname -f) --read-only -v /opt/freeipa:/data -e IPA_SERVER_IP=$(ip a show dev ens18 | grep inet | awk '{ print $2 }' | sed -s 's//.*$//') freeipa/freeipa-server:rocky-9 ipa-server-install -r DOMAIN.INTERNAL -n domain.internal --no-ntp --setup-dns --forwarder=1.0.0.1 --forwarder=1.1.1.1 --reverse-zone=10.in-addr.arpa. --ip-address=$(ip a show dev ens18 | grep inet | awk '{ print $2 }' | sed -s 's//.*$//')

Here some stuff you might need to edit in the docker command:

Server IP:

-e IPA_SERVER_IP=$(ip a show dev ens18 | grep inet | awk '{ print $2 }' | sed -s 's/\/.*$//') #This line use ens18 (default for proxmox) to get the ip and use it to host the service. Change it to the IP you want for the freeipa server, same for --ip-address=

IPV6 usage:--sysctl net.ipv6.conf.all.disable_ipv6=0 # I didn't wanted to use ipv6 in my lab so you can switch it to 1 if you want ipv6 enabled

Realm domain:

-r DOMAIN.INTERNAL # Change this to whatever realm domain you want ALWAYS UPPERCASE

Domain name:

-n domain.internal # The LDAP domain to use, usually it is the realm name in lowercase

DNS parameter:

--forwarder=1.0.0.1 #These are cloudflare public dns

--forwarder=1.1.1.1 #These are cloudflare public dns

--reverse-zone=10.in-addr.arpa. #This is the reverse zone for the domain server

[–] [email protected] 1 points 11 months ago (1 children)

Thanks, i appreciate it!

Now as I started researching freeipa suddenly other options pop up such as lldap, authentik, authelia etc.. now im getting confused again! Lol

[–] [email protected] 1 points 11 months ago

On my side I have FreeIPA for LDAP/Kerberos/DNS/Certificate and Authentik for SSO (pulling account info from FreeIPA). I am pretty satisfied with FreeIPA in general. I even use FreeIPA with DDNS and create some domain for kubernetes directly. I also added freeipa as a Certificate Issuer in Cert-manager which allow me to generate internal certificate for my ingress.