Create new authentication/authorization system #67
Reference: Drift/issues#67
Currently Balduzius serves as KDC master (Swedish Kerberos lmao, not the MIT one, ITK has good docs). In addition, Spikkjeposche runs SimpleSAML for auth services for web.
We have not touched these systems in a long while, and with moving the servers, and most services these days rather using either LDAP or OIDC for auth, we really need a new setup.
Mandatory features
Nice to have features
We have a few options for this one:
Keep our existing setup
This is the "simplest", but is quite problematic as we need OAuth2 and LDAP to integrate with new web services and allow user login on NixOS.
This makes it not viable in the long run.
Keep using Kerberos, add Keycloak and LDAP
The biggest disadvantage of this system is that it can be quite a lot of work to configure and maintain all these different services, separating and combining them in the right way.
OpenLDAP and Keycloak are both in nixpkgs, so running them should be very possible.
The end result will expose both LDAP and OAuth2, but with many moving parts that depend on each other.
Key words: Old, stable, clunky, predictable
Use Kanidm
This is a young project still in beta, but most of the core features seem to be stable.
This will probably be the simplest system to manage, as a single program will manage all our authentication and authorization.
It will however not be as "standard" as the above solution. Local auth with PAM will require a custom module made by Kanidm, and not all LDAP features are supported.
My suggested plan:
When these things are confirmed working, we can start migrating users and designing how we organize groups, ids and similar.
There are also many alternatives to OpenLDAP, and some that combine LDAP and Kerberos into single services.
These larger/combined services include
and other smaller LDAP servers like
I don't think any of these will be better suited to our needs than the original suggestions above, but they are worth mentioning/researching.
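As an added illustration of the Kanidm option (not part of the issue text, and not configuration from the Drift repo): a NixOS module sketch that runs the Kanidm server on one host and enables its PAM/NSS client on the same host, which is the "custom module" the Kanidm path requires for local login. The hostname, domain, certificate paths and group name are placeholders, and the option names follow the nixpkgs services.kanidm module as I know it; they should be checked against the nixpkgs revision actually deployed.

```nix
# Added example, not from the issue or the Drift repo.
# Assumptions: nixpkgs services.kanidm option names as known to the editor;
# idm.example.org, the certificate paths and the "posix_login" group are placeholders.
{ config, pkgs, ... }:

{
  services.kanidm = {
    # Server side: the single process that handles accounts, groups,
    # OAuth2/OIDC clients and a read-only LDAP interface.
    enableServer = true;
    serverSettings = {
      domain = "idm.example.org";          # placeholder
      origin = "https://idm.example.org";  # placeholder; must be HTTPS
      bindaddress = "127.0.0.1:8443";      # put a reverse proxy or firewall in front
      ldapbindaddress = "127.0.0.1:3636";  # LDAP(S) view for services that only speak LDAP
      # Kanidm refuses to start without TLS; these paths assume an ACME setup
      tls_chain = "/var/lib/acme/idm.example.org/fullchain.pem";  # placeholder
      tls_key = "/var/lib/acme/idm.example.org/key.pem";          # placeholder
    };

    # Client side: the PAM/NSS integration for local (shell) logins.
    enableClient = true;
    clientSettings.uri = "https://idm.example.org";  # placeholder
    enablePam = true;
    unixSettings = {
      # Only members of this group may log in locally; least privilege by default.
      pam_allowed_login_groups = [ "posix_login" ];  # placeholder group
    };
  };
}
```

Note that only accounts explicitly given POSIX attributes in Kanidm show up through NSS, and only groups listed in pam_allowed_login_groups can open a local session, so a compromised web-only account does not automatically gain shell access on the servers.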
I support trying Kanidm to see what the workflow would look like.