LDAP: Add FreeIPA Implementation #2177
Comments
I normally am opposed to comments that don't contribute to a discussion, but my purpose right now is to be a voice of a humble home-labber that is very interested in the development of this feature. I'd like to be able to create a group in freeipa called sonarr_users for users of sonarr versus specifying individuals. Doing so makes authelia more fluid, as it doesn't require a config-change+restart to implement, as ldap queries are done live. |
I'm happy to put some time into this. I've just not had someone who actively uses it and is actually constructive with their feedback. Could you explain what you mean by restarting? Authelia already periodically queries LDAP for up-to-date information. |
As of now, authelia isn't pulling group memberships from FreeIPA properly. Example, I am using authelia to protect sonarr.
If I want to modify what users can access sonarr, I have to modify the yaml and restart authelia. The preferred method would be to
This way, I can modify a group membership in freeipa, without having to restart authelia for the user permissions to take effect. |
Yeah gotcha. So it's not exactly restart related it's just that it doesn't work because FreeIPA doesn't use a RFC compliant group membership method. That's the main issue I was aiming to tackle with a FreeIPA implementation. |
It's mostly a convenience thing, really |
Can you share your LDAP section minus password (feel free to anonymize the DN's), as well as your compose for FreeIPA itself? |
Here's my ldap section in my authelia configuration.yml
Not sure what you mean by my freeipa compose Edit: if you mean docker-compose, I don't use docker for either authelia or freeipa |
Turns out the issue is FreeIPA requires the Krb GSSAPI SASL authentication to retrieve membership information of users which is the actual cause. The library we use currently doesn't support this unfortunately so the only way for now would be if there is a way to disable this feature either entirely or for a particular service user. |
This config should actually work now that I've managed to dig through their implementation more (didn't manage to test it as FreeIPA's official docker container is absolute garbage):

```yaml
authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m
  ldap:
    implementation: custom
    url: ldaps://freeipa.example.com
    base_dn: DC=example,DC=com
    additional_users_dn: CN=users,CN=accounts
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    username_attribute: uid
    mail_attribute: mail
    display_name_attribute: displayName
    additional_groups_dn: ''
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    group_name_attribute: cn
    user: UID=admin,CN=users,CN=accounts,DC=example,DC=com
```
|
Okay I settled on this setting suite for now, works perfectly with groups (see logs), and prevents disabled accounts from logging in (tested on FreeIPA 4.10 on AlmaLinux 9):

```yaml
authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m
  ldap:
    implementation: custom
    url: ldaps://freeipa.example.com
    tls:
      server_name: freeipa.example.com
      skip_verify: true  # accepts any certificate from the server (no chain validation)
    base_dn: DC=ipa,DC=example,DC=com
    additional_users_dn: CN=users,CN=accounts
    # the nsAccountLock clause is what keeps disabled FreeIPA accounts out
    users_filter: '(&({username_attribute}={input})(objectClass=person)(!(nsAccountLock=TRUE)))'
    username_attribute: uid
    mail_attribute: mail
    display_name_attribute: displayName
    additional_groups_dn: ''
    # membership is resolved from the group side (member={dn}), not via memberOf on the user
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    group_name_attribute: cn
    user: UID=authelia,CN=users,CN=accounts,DC=ipa,DC=example,DC=com
    password: authelia
```
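The two filters in that config do the real work, so here is an added example (my own Python, not Authelia's code) that renders them the way Authelia's placeholders are substituted and evaluates them over a constructed FreeIPA-style directory: the disabled account is dropped by the nsAccountLock clause, the group is found from the groupOfNames side via member={dn} because a simple-bind service account never sees memberOf, and {input} is RFC 4515-escaped so a username cannot change the filter's structure. The entries, DNs, account names and the escape helper are all assumptions made for the example.

```python
# Added example, not Authelia's code: a minimal LDAP filter evaluator for the
# users_filter / groups_filter above, run over constructed FreeIPA-like entries
# as a simple-bind service account would see them (no memberOf on users).
BASE = "DC=ipa,DC=example,DC=com"
USERS = "CN=users,CN=accounts," + BASE
ENTRIES = {  # constructed sample entries
    f"UID=alice,{USERS}": {"objectClass": ["person"], "uid": ["alice"], "nsAccountLock": ["FALSE"]},
    f"UID=bob,{USERS}": {"objectClass": ["person"], "uid": ["bob"], "nsAccountLock": ["TRUE"]},
    f"CN=sonarr_users,CN=groups,CN=accounts,{BASE}": {"objectClass": ["groupOfNames"],
        "cn": ["sonarr_users"], "member": [f"UID=alice,{USERS}", f"UID=bob,{USERS}"]},
}
USERS_FILTER = "(&({username_attribute}={input})(objectClass=person)(!(nsAccountLock=TRUE)))"
GROUPS_FILTER = "(&(member={dn})(objectClass=groupOfNames))"

def escape(value):
    """RFC 4515 escaping so {input} cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def parse(s, i=0):
    """Recursive-descent parse of a filter using &, |, ! and attr=value."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                  # consume closing ')'
    end = s.index(")", i)
    attr, val = s[i:end].split("=", 1)
    return ("=", attr.lower(), val.lower()), end + 1

def matches(node, entry):
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    vals = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    return node[2] in vals                        # exact match only, no wildcards

def search(template, **subs):
    tree, _ = parse(template.format(**subs))
    return [dn for dn, e in ENTRIES.items() if matches(tree, e)]

def find_user(username):
    # DN of an enabled user matching users_filter, or None; this is the DN Authelia
    # then binds as and feeds into groups_filter as {dn}
    hits = search(USERS_FILTER, username_attribute="uid", input=escape(username))
    return hits[0] if hits else None

def groups_of(dn):
    return [ENTRIES[g]["cn"][0] for g in search(GROUPS_FILTER, dn=dn)]
```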
Is that with current code, or unreleased code? |
Current. |
I'll give it a try shortly |
Log message after adding two groups to the user, logging out of authelia, ensuring authelia DOES NOT restart, and logging in again:
Can confirm, this worked wonderfully for me, and my sonarr_users group works great. Freeipa 4.9.6 on Rocky Linux 8.5. I am running updates on my freeipa servers and will edit when done. When updates are done it should be Freeipa 4.9.10 on Rocky Linux 8.7 |
Confirmed working on Freeipa 4.9.10 on Rocky Linux 8.7 |
PR4482 will close part of this adding the |
This adds a FreeIPA LDAP implementation which purely adds sane defaults for FreeIPA. There are no functional differences; when the implementation option is set to 'freeipa', sane defaults which should be sufficient for most use cases are set. See the documentation at https://www.authelia.com/r/ldap#defaults for more details. Closes #2177, Closes #2161
Feature Request
Description
Add an implementation for FreeIPA with sane defaults. Criteria are as follows:
Users filter should exclude:
Values Needed:
- distinguished_name_attribute (new attribute)
- groups_attribute
Use Case
Easier LDAP Implementation.