I previously posted my experiences setting up OpenLDAP on Ubuntu Server, using my own custom schema. This whole ordeal is for a couple of reasons: I wanted to learn about OpenLDAP and how schema works, and I wanted to eventually create something akin to "Active Directory" for my home that wasn't just "use Samba" or "use FreeIPA." I don't have anything against Samba, but using Samba feels like trying to achieve Microsoft functionality along with Microsoft compatibility, and I don't need Microsoft compatibility, so I wanted to do it without. I have no Microsoft devices in my ecosystem and have no plans to add any. I don't have anything against FreeIPA either, but their docs target rpm distros and I tend to live in deb land, and I found the initial install frustrating unless I switched platforms; it felt like lock-in. There are other solutions, and this is a problem that has been solved other ways, each with shortcomings, but I wanted to really do something "from scratch." So I share this not as a recommendation, but as a start-to-finish resource with some nuggets of wisdom that may help someone else whose journey brushes up against parts of mine.
When I started, I was just authenticating web services like Nextcloud, Jellyfin, SAML, etc. Tying those into OpenLDAP was very easy and has worked very well for a long time. Now though, I want to use Kerberos for Linux PAM authentication, as I am about to spin up a bunch of small servers (I got a new hypervisor and am redoing a lot of infrastructure, and I don't want different credential stores all over the place). Because of this, I'm bolting on MIT Kerberos as my network authentication provider; that being said, getting OpenLDAP and Kerberos to work together and only use one password was not intuitive. Kerberos will use LDAP as its database, and authentication will happen through SASL. Ultimately, requests will go to OpenLDAP, then depending on the account, the password will either be validated in OpenLDAP for web users, or it will defer to SASL for users doing both web and PAM stuff, which will then authenticate against the Kerberos password it stores in LDAP. Circular much?
Here is the vision, to help you see what I'm working towards. Ultimately I have about 20 users, all of whom might access web services like Nextcloud, but 4 core users who will actually log into computers. One of those 4 (me) has sudo rights on any computer. All 20 users should be able to log into Nextcloud, Jellyfin, etc. without issue, and for now I'm managing password resets if they come to my house (I had previously used phpLDAPadmin for password resets, but that was struggling on PHP 7+ when I last tried). The internal users will be able to sit at ANY computer and log in using their same username and password. If a web-only user tries to sit down and log into a computer, they'll get "username not found." If any of the 3 non-sudo users tries sudo, they'll get an unauthorized error. If my account tries sudo, I can become root. I can handle password resets for the internal users via kpasswd or kadmin.local.
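To make the two account types concrete, here is a constructed LDIF example (added here, not from the original post) showing how a web-only entry and a Kerberos-backed entry differ in their userPassword attribute; the base DN dc=example,dc=com, the realm EXAMPLE.COM and the users alice and bob are assumptions.

```ldif
# Constructed example: two user entries under an assumed base of
# dc=example,dc=com with an assumed Kerberos realm of EXAMPLE.COM.

# Web-only user: slapd verifies simple binds itself against the stored hash.
# Generate the value with `slappasswd -h '{SSHA}'`; the placeholder below
# is not a real hash.
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Example
sn: Example
uid: bob
userPassword: {SSHA}<hash produced by slappasswd>

# Kerberos-backed user: no password hash is stored in the entry at all.
# The {SASL} scheme makes slapd hand the bind password to the Cyrus SASL
# library, which with `pwcheck_method: saslauthd` in /etc/sasl2/slapd.conf
# and saslauthd running with `-a kerberos5` checks it by obtaining a ticket
# for alice@EXAMPLE.COM from the KDC, whose principal data lives in LDAP
# (hence the circle). slapd must be built with --enable-spasswd for this.
# Note this only affects simple binds; SASL/GSSAPI binds present a ticket
# and never touch userPassword. A dump of the directory exposes bob's hash
# but nothing usable for alice.
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
uid: alice
userPassword: {SASL}alice@EXAMPLE.COM
```

Check the saslauthd leg on its own with `testsaslauthd -u alice -r EXAMPLE.COM -p '<password>'` before pointing slapd at it. slapd runs as its own user, which must be able to reach the saslauthd mux socket (on Debian-family systems that means membership in the sasl group).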