Hey everyone,

How do you do user management, I have a small handful of users that want one password for physical machines and for web apps. I was looking at KanIDM but I was wondering what other people use?

Edit: I would like to only use one piece of software if possible.

    • P'undrak@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I use it for quite a few of my services, it’s ready effective! And not that hard to set up, though I haven’t tried to make it work with an LDAP service yes.

      • seang96@spgrn.com
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        I got it set up with LDAP and a web front end to configure LDAP users. Works really nice. If only my services supported with with it.

  • notabot@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    I use an LDAP server, as it’s pretty much designed for exactly this task. You can tell PAM to authenticate and authorise from it to manage logins to the physical machines, and web apps typically either have a straightforward way to use LDAP, or support ‘external’ auth, with your web server handling the authentication and authorisation for it.

    OpenLDAP is a solid, easily self hosted server. If you like working from the shell it has everything you need. If you prefer a GUI there are a variety of desktop and web based management frontends available.

  • redcalcium@lemmy.institute
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I would recommend keycloak. I can basically do everything related to webapps authentication (OIDC, 2FA, etc)… except working as an LDAP/AD server, which typically used to enable login to physical machine using the network account. But, it has built-in LDAP provider support, which mean you can use OpenLDAP to host the accounts of your users (so they can use LDAP authentication on their own machine), and point keycloak to that OpenLDAP instance to allow your users to login to your webapps using their OpenLDAP account.

  • surfrock66@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    I don’t have the exactly solution for you, but I went through this a while ago and came up with using openLDAP for this. It’s not tidy at all, but it was a tremendous learning experience, and I documented it in 2 blog posts which may be interesting to you; I doubt you’ll want to do what I did, but it was informative and has worked flawlessly since. I documented some of the flaws I found in options I considered at the time:

    https://www.surfrock66.com/my-experience-guide-setting-up-openldap-for-pc-webapp-authentication-on-ubuntu-20-04/

    https://www.surfrock66.com/openldap-kerberos-and-sasl-my-experience-in-the-homelab/