Create new authentication/authorization system

[h7x4]

Currently Balduzius serves as KDC master (Swedish kerberos lmao, not the MIT one, ITK has good docs). In addition, Spikkjeposche runs SimpleSAML for auth services for web.

We have not touched these systems in a long while, and with moving the servers and most services rather using either LDAP or OIDC for auth these days, we really need a need setup.

Mandatory features

• Authenticate web services like nettsiden, gitea, mediawiki, etc...
• Authenticate SSH login to machines via PAM

Nice to have features

• Authorize access to different kinds of resources using groups, like present in LDAP or OAuth2.
• Reduce amount of duplicate state, absolute single source of truth is probably impossible but strive to achieve this. Especially for things like usernames, UIDs and GIDs.
• Users should be able to change their own password.

[felixalbrigtsen]

We have a few options for this one;

Keep our existing setup

• This involves keeping Balduzius with heimdal kerberos, and reconfiguring SimpleSamlPHP on a new host.
• This will not give any support for LDAP or OAuth2

This is the "simplest", but is quite problematic as we need OAuth2 and LDAP to integrate with new web services and allow user login on NixOS. This makes it not viable in the long run.

Keep using kerberos, add keycloak and LDAP

• Keycloak is a huge blob of java that's pretty good at its job; SSO
• It's an open source project supported by RedHat, active for many years.
• Keycloak will provide Oauth2/OIDC, and we will need OpenLDAP and a kerberos server in addition
• Web services will auth with Keycloak, and PAM / local machines will auth with LDAP+Krb5

The biggest disadvantage of this system is that it can be quite a lot of work to configure and maintain all these different services, separating and combining them in the right way. OpenLDAP and Keycloak are both in nixpkgs, so running them should be very possible. The end result will expose both LDAP and Oauth2, but with many moving parts that depend on each other. Key words: Old, stable, clunky, predictable

Use Kanidm

• Kanidm A simple, secure and fast identity management platform , written in rust
• This is quite new, just moved into beta
• Kanidm implements a minimal LDAP and a minimal Oauth2 / OIDC
• It does not expose kerberos, but provides a custom PAM module to facilitate local authentication

This is a young project still in beta, but most of the core features seem to be stable. This will probably be the simplest system to manage, as a single program will manage all our authentication and authorization.

It will however not be as "standard" as the above solution. Local auth with PAM will require a custom module made by Kanidm, and not all LDAP features are supported.

My suggested plan:

• Configure a new nixos machine with full disk encryption and a Kanidm server
• Make some demo users
• Try to authenticate a few services with kanidm; Like gitea and mediawiki
• Test the pam module and LDAP login on a few different systems; Debian, FreeBSD and NixOS needs to be able to auth users
• Find or write some tooling for our most important operations:
  • Import / Migrate users from our existiing salt+kerberos setup (usernames, UIDs, etc)
  • Create new users from NTNU usernames
  • Manage groups / teams

When these things are confirmed working, we can start migrating users and designing how we organize groups, ids and similar.

[felixalbrigtsen]

There are also many alternatives to OpenLDAP, and some who combine LDAP and kerberos into single services.

These larger/combined services include

• Apache DS - All-in-one solution from Apache
• FreeIPA - Clunky RHEL-only solution, not fun to manage
• Microsoft Active Directory (haha, no)

and other smaller LDAP servers like

• 389DS
• LLDAP

I don't think any of these will be better suited to our needs than the original suggestions above, but they are worth mentioning/researching.

[dali99]

I support trying kanidm to see what the workflow would look like