Is there any service that will speak LDAP but just respond with the local UNIX users?

Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.

I noticed that a lot of services support LDAP auth, but I don’t want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).

The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.

(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)

  • Shimitar
    link
    fedilink
    English
    43 months ago

    They actually do, i am down the same path recently and installing authelia was the best choice I made. Still working on it.

    But most stvies support either basic auth, headers auth, oidc or similar approaches. Very few don’t.

    • @[email protected]OP
      link
      fedilink
      English
      13 months ago

      How are you configuring this? I checked for Jellyfin and their are third-party plugins which don’t look too mature, but none of them seem to work with apps. qBittorrent doesn’t support much (actually I may be able to put reverse-proxy auth in front… I’ll look into that) and Metabase locks SSO behind a premium subscription.

      IDK why but it does seem that LDAP is much more widely supported. Or am I missing some method to make it work

      • Shimitar
        link
        fedilink
        English
        13 months ago

        You might use LDAP, but its total overkill.

        I have not yet worked jellyfin with authelia, but its more or less the last piece and I don’t really care so far if its left out.

        A good reverse proxy with https is mandatory, so start with that one. I mean, from all point of views, not login.

        I have all my services behing nginx, then authelia linked to nginx. Some stuff works only with basic auth. Most works with headers anyway, so natively with authelia. Some bitches don’t, so I disable authelia for them. Annoying, but I have only four users so there is not much to keep in sync.

        • @[email protected]OP
          link
          fedilink
          English
          13 months ago

          I do use a reverse proxy but for various reasons you can’t just block off some apps. For example if you want to play Jellyfin on a Chromecast or similar, or PhotoPrism if you want to use sharing links. Unfortunately these systems are designed around the built-in auth and you can’t just slap a proxy in front.

          I do use nginx with basic with in front of services where I can. I trust nginx much more than 10 different services with varying quality levels. But unfortunately not all services play well.

          • Shimitar
            link
            fedilink
            English
            13 months ago

            Never found a service that don’t work with nginx reverse proxy.

            My jelly fin does.

            Don’t run photoprims tough…

            • @[email protected]OP
              link
              fedilink
              English
              13 months ago

              Are you doing auth in the reverse proxy for Jellyfin? Do you use Chromecast or any non-web interface? If so I’m very interested how you got it to work.

              • Shimitar
                link
                fedilink
                English
                13 months ago

                This is my jellyfin nginx setup: https://wiki.gardiol.org/doku.php?id=services:jellyfin#reverse-proxy_configuration

                currently i don’t use any proxy related authentication because i need to find the time to work with the plugins in Jellyfin. I don’t have any chromecast, but i do regularly use the Android Jellyfin app just fine.

                I expect, using the OIDC plugin in jellyfin, that Jellyfin will still manage the login via Authelia itself, so i do not expect much changes in NGINX config (except, maybe, adding the endpoints).

                  • Shimitar
                    link
                    fedilink
                    English
                    13 months ago

                    Well, here is the relevant part then, sorry if it was not clear:

                    • Jellyfin will not play well with reverse proxy auth. While the web interface can be put behind it, the API endpoints will need to be excluded from the authentication (IIRC there are some examples on the web) but the web part will stil force you to double login and canot identify the proxy auth passed down to it.
                    • Jellyfin do support OIDC providers such Authelia and it’s perfectly possible to link the two, in this case as i was pointing out, Jellyfin will still use it’s own authentication login window and user management, so the proxy does not need to be modified.

                    TLDR: proxy auth doesnt work with Jellyfin, OIDC yes and it bypassess proxy, so in both cases proxy will not be involved.