BeryJu
commented
3 years ago So since this is already a thing in 2021.6.x, have you gotten around to testing this yet? @toboshii
Closed toboshii closed 3 years ago
BeryJu
commented
3 years ago So since this is already a thing in 2021.6.x, have you gotten around to testing this yet? @toboshii
toboshii
commented
3 years ago Not yet, been busy with other things. I'll try to set up a test lab tonight and give it a go.
toboshii
commented
3 years ago Here's some basic instructions for getting this going with Authentik. Client is Ubuntu 20.04:
# apt install sssd libpam-sss libnss-sss
# vim /etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = ldap.goauthentik.io
[pam]
reconnection_retries = 3
[domain/ldap.goauthentik.io]
ldap_id_use_start_tls = False
cache_credentials = True
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://<outpost_ip>:389
ldap_tls_reqcert = never
# Slight tweaking needed to match the LDAP outpost schema
ldap_schema = rfc2307bis
ldap_user_search_base = ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_group_search_base = ou=groups,dc=ldap,dc=goauthentik,dc=io
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_fullname = displayName
ldap_group_object_class = group
ldap_group_name = cn
# Restrict access to users matching a filter (in this case in the `Infra Admins` group)
ldap_access_order = filter
ldap_access_filter = memberOf=cn=Infra Admins,ou=groups,dc=ldap,dc=goauthentik,dc=io
# Bind credentials
ldap_default_bind_dn = cn=service-infra,ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_default_authtok = <bind_password>
# Hidden flag to override SSSD TLS requirement (for now)
ldap_auth_disable_tls_never_use_in_production = true# systemctl restart sssd
# pam-auth-update --enable mkhomedir
# vim /etc/ssh/sshd_config
Append/change the following lines:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobodyRestart SSH:
# systemctl restart sshd
Create or update a user with the following attributes modified to your liking:
gidNumber: "10000"
uidNumber: "10000"
loginShell: /bin/bash
sshPublicKey: ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIDMgRWut2vpq4AwKheXpWNNELjaA3iwg8eNK7MgRWut2vpq4AwKheXpWNNELjaA3iwg8eNK7
homeDirectory: /home/<username>Create a group with the same name as the user, put the user in it, add the following attributes to the group:
gidNumber: "10000"At this point everything should be configured. You can test by doing:
$ id <username>
It should return the Authentik user with the attributes you configured, ex:
ubuntu@ldap-client:~$ id toboshii
uid=10000(toboshii) gid=10000(toboshii) groups=10000(toboshii)Similarly $ getent passwd <username> should return the passwd line for the user including the full name, default shell, and home folder:
ubuntu@ldap-client:~$ getent passwd toboshii
toboshii:*:10000:10000:Toboshii Nakama:/home/toboshii:/bin/bashFinally $ /usr/bin/sss_ssh_authorizedkeys <username> should return your configured ssh public key.
At this point you should be able to logout and log back in using the configured user and SSH keypair.
toboshii
commented
3 years ago Current issues making this non-viable for production:
dn attributes which causes secondary groups to not function. Fixed by #1137BeryJu
commented
3 years ago Thanks for the extensive documentation! The first three issues are now fixed on the beta branch, feel free to try them.
BeryJu
commented
3 years ago Also, does this setup bind the user on login, or does it only bind via the bind_dn user?
toboshii
commented
3 years ago Also, does this setup bind the user on login, or does it only bind via the
bind_dnuser?
Yes during an uncached auth attempt the user logging in would be attempted as a bind. Theoretically that means you could leave out this section:
# Restrict access to users matching a filter (in this case in the `Infra Admins` group)
ldap_access_order = filter
ldap_access_filter = memberOf=cn=Infra Admins,ou=groups,dc=ldap,dc=goauthentik,dc=ioand instead use a flow to achieve the same results.
Rynoxx
commented
3 years ago I'd also recommend these two parameters in your SSSD config in the domain section:
fallback_homedir = /home/%u
default_shell = /bin/bashThis would mean that the only thing you must to configure per user in authentik is sshKeys. And then you can optionally set homedir and shell by user
stale[bot]
commented
3 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is your feature request related to a problem? Please describe.
I've long searched for a system for authenticating and authorizing users on a small number of linux machines. Something more lightweight than FreeIPA, less external configuration than something like step-ca, etc. Given that the rest of my auth is now handled by Authentik it would be awesome if it could fill this role as well.
I believe a first step towards supporting this could be as simple as allowing user attributes to be exposed in LDAP query attributes in a configurable method and then using LDAP to authenticate with SSSD.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-sssd-to-use-ldap-and-require-tls-authentication_configuring-authentication-and-authorization-in-rhel#configuring-SSSD-to-use-LDAP-and-require-TLS-authentication_configuring-SSSD-to-use-LDAP-and-require-TLS-authentication
https://www.ossramblings.com/using-ldap-to-store-ssh-public-keys-with-sssd
Describe the solution you'd like
The ability to add custom attributes to users and possibly groups that then can be exposed in the LDAP outpost in some configurable format (so that the response matches the expected schema). This would be used to provide things like user ssh keys, unix user IDs, unix group IDs, etc.
Configuring SSSD to use this data would be left as an exercise to for the user, possibly to be documented later.
Describe alternatives you've considered FreeIPA - Bulky, requires running LDAP + BIND + Kerberos + DogtagCA. Server only runs on RH based distros, containerization is crap, can't be ran in K8s. ActiveDirectory - lol OpenLDAP/etc. - Works but makes the LDAP proxy redundant. Would just be cool if Authentik could do it all
Additional context <3