Web lists-archives.com

Re: Single Sign On for Debian




On Tue, 22 Aug 2017, Mathieu Parent wrote:

> Hello,
> 
> Le mardi 22 août 2017, Luca Filipozzi <lfilipoz@xxxxxxxxxx> a écrit :
> > On Mon, Aug 21, 2017 at 04:35:59PM -0700, Raoul Snyman wrote:
> >> On 2017-08-21 5:48, Alexander Wirt wrote:
> >> > > I second that: Using LDAP as a single source of truth. It's also
> >> > > possible to store SSH keys etc. in LDAP.
> >> > Then someone has to go ahead and develop a complete usermangement for
> >> > sso.d.o. As it is we can't work with software that is maybe coming at
> >> > some
> >> > point. Therefore we will start with gitlabs own user management,
> >> > combined
> >> > with debians ldap.
> >> >
> >> > But if you do take in point the following things:
> >> >
> >> > - user self management (lost password, deletion)
> >> > - key self management
> >> > - api for user manipulation
> >> > - oauth2 frontend (sso as oauth2 provider)
> >> > - maybe saml frontend (sso as saml provider)
> >>
> >> Has anyone looked at Keycloak? http://www.keycloak.org/
> >
> > I have and deployed it for others in production. Not an unreasonable
> > option.
> 
> There is lemonldap-ng already packaged which provides saml, oauth,
> openid-connect, CAS, and more (both identity provider and service
> provider). It works with users in ldap but doesn't have a user management
> interface.
> 
> We use it at work and it integrates nicely with all kind of webapp
> (including gitlab, via oauth).
I haven't looked into it. Can lemonldap-ng have multiple backends at the same
time? 
Specifially one LDAP (db.d.o.) Backend and one Oauth2 (gitlab) Backend?

If the answer is yes, I maybe find time to evaluate it (of course any help is
appreciated)

Alex