While authelia is a quite cool "infra-as-code" tool, since you have your entire configuration in yaml form, for those not willing to spend a few evenings configuring SSO, there is authentik [1] which features a management UI.
It offers a similar feature set, also self-hostable, but most importantly - simple to set up. I've spent 8h on authelia deployment, where 30 minutes in authentik would be sufficient. But both are good options, pick what you prefer.
In more "formal" discussion environments than an Internet discussion thread, sometimes a "proposal" or statement made by someone will be met by someone else giving their support of said statement by stating "I second that", meaning they're the second person in the room to support the statement verbally aloud.
TL;DR: They're throwing their support of the OP's statement into the ring.
> "do you mean authentik is much easier to setup?"
I do believe from the context of the rest of their comment that's exactly what they mean to say.
Kanidm is another similar tool for user management I've been enjoying. It has a strong focus on safe defaults and supports exposing the users via LDAP ootb. It's fairly simple to set up as well, but I feel like it sometimes expects the users to be fairly technical.
Bizarre coincidence. I just ran into lldap for the first time earlier today. I built it on Windows for fun. I'm new to Rust and it was surprisingly easy (and only needed very slight modification).
If I were going to support Windows clients on the hypothetical home network, however, I'd use Samba as a Domain Controller and use the LDAP server there. That gets you SSO to Windows clients too.
I'm a complete Rust neophyte. I don't know any of the practices for writing portable Rust code. I'm at the point w/ Rust where I'm just acting like a cargo cult script kiddie (typing commands and hoping they work).
Doing a 'cargo build' on Windows 10 x64 running Rust 1.79 x86_64-pc-windows-msvc gives me an error "error[E0433]: failed to resolve: could not find `unix` in `os`" referencing "server\src\infra\configuration.rs:239:22". That, in turn, causes compilation of line 240 to bomb out.
So, in true skiddie mode, I just commented out lines 239 - 242. Then it builds and runs fine.
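The build error above comes from a `std::os::unix` import that only exists on Unix targets. The portable fix is to gate the Unix-only code behind `#[cfg(unix)]` and give the other targets a fallback, rather than commenting it out. The example below is an added illustration, not lldap's own code: it assumes a hypothetical secrets file that should be owner-readable only (mode 0600) on Unix, and degrades to a no-op on Windows, where permissions are ACLs rather than mode bits. The file path and secret value are constructed for the example.

```rust
// Added example (not lldap's code): keeping Unix-only permission handling
// out of the Windows build with cfg attributes. The secret written here is
// a constructed sample value; the path lives in the OS temp directory.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Unix: tighten the file to owner read/write only (0600).
#[cfg(unix)]
fn restrict_to_owner(path: &Path) -> io::Result<()> {
    use std::os::unix::fs::PermissionsExt;
    let mut perms = fs::metadata(path)?.permissions();
    perms.set_mode(0o600);
    fs::set_permissions(path, perms)
}

/// Non-Unix (e.g. Windows): mode bits do not apply, so this is a no-op and
/// the file keeps the ACL it was created with. The build still succeeds.
#[cfg(not(unix))]
fn restrict_to_owner(_path: &Path) -> io::Result<()> {
    Ok(())
}

/// Unix: report the permission bits actually set on the file.
#[cfg(unix)]
fn current_mode(path: &Path) -> io::Result<Option<u32>> {
    use std::os::unix::fs::PermissionsExt;
    Ok(Some(fs::metadata(path)?.permissions().mode() & 0o777))
}

/// Non-Unix: there are no mode bits to report.
#[cfg(not(unix))]
fn current_mode(_path: &Path) -> io::Result<Option<u32>> {
    Ok(None)
}

/// Writes `secret` to `path`, then restricts access where the platform supports it.
/// (On Unix the file briefly exists with the default umask mode before chmod;
/// a production version would create it with the mode set via OpenOptions.)
pub fn write_secret_file(path: &Path, secret: &str) -> io::Result<Option<u32>> {
    fs::write(path, secret)?;
    restrict_to_owner(path)?;
    current_mode(path)
}

/// Constructed example path in the OS temp directory.
pub fn example_path(name: &str) -> PathBuf {
    std::env::temp_dir().join(name)
}

fn main() -> io::Result<()> {
    let path = example_path("lldap_cfg_example_secret.txt");
    let mode = write_secret_file(&path, "constructed-example-secret")?;
    println!("secret written to {}; mode = {:?}", path.display(), mode);
    fs::remove_file(&path)
}
```

The same pattern applies to any other `std::os::unix` item (signal handling, `std::os::unix::net`, file ownership): keep the platform-specific import inside the `#[cfg(unix)]` function so the rest of the crate never sees it on other targets.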
Those who do not want to choose e-mail as the notification method can take a look at ntfy.sh (https://github.com/binwiederhier/ntfy). You can receive notifications via your smartphone (Android, iOS). A self-hosted server can also be used.
I've been using freeipa[1] in the past, it wasn't specifically easy to setup, but is well designed, documented, and supported. Plus, it's able to manage certificates. But to use more "modern" techs, like OpenID, Keycloak will be needed.
Getting this stack set up is not as complicated as this post makes it seem... LLDAP is great and the dev was very responsive when I had issues with some early builds.
Plenty of documentation around on getting Authelia set up, and connecting it to LLDAP is also pretty straightforward.
LLDAP dev here, I'm glad you found the project easy to set up! That was one of the main motivations for creating it, after struggling to set up OpenLDAP
LLDAP dev here! I'm happy to see it on the front page :)
I made LLDAP specifically because it was very complicated to get OpenLDAP up and running, and it was resource heavy for a handful of users on a self-hosted server.
If you have any questions, AMA!
I want to set up something like this for my home network. The one thing missing that I'd also like is a way for users to log in to windows machines using these credentials. I understand that is also possible via Kerberos, but... Well, it takes some time to understand these things, me not doing a whole lot of sysadmin work
...
It also seems the author has a more recent post about using Samba as an AD controller, and that would be an alternative to this setup right here:
I'd go the Samba Domain Controller route, personally. Of any way to do it I think that would give you the smallest sysadmin "burden". You'll also get Group Policy functionality, which is useful for standardizing configurations across your Windows clients (if that's a thing you need).
Keycloak has Kerberos+LDAP Federation built in. I wrote a blog post on how to self-host keycloak [1]. If you don't do theming, it is quite quick to set up. Just updated the blog post for version 25.0.1.
There's a few people who looked into getting samba to plug into LLDAP. I haven't looked myself, but I seem to remember that the main obstacle was not insurmountable (last modified timestamp for users)
I use authelia with nginx proxy manager talking to it for auth, works well. Haven't externalized the users since I only have a few to deal with, but it's cool having an entire suite of sites protected and provides http headers to grab the logged in user's information.
This caught my eye and I started reading over it but my eyes glazed over after a couple of sections of setting up various docker containers in various zfs directory structures and editing toml configuration files and zzzz…
Here’s a hint: for 99.999% of potential users, including 99.9% of motivated, technically savvy users, if I need to know the directory structure of your software, then you already failed.
I appreciate that you went through all the pain and learning and effort to figure out how to set all this up AND went to the trouble to write down a how to guide.
I hope someone comes later and bundles it up into a script I can launch that will prompt me for the various config options and then set it all up for me.
I'd love to be wrong, but I suspect that it is quite a narrow niche of users that a) are willing to run their own identity and auth servers but b) aren't so persnickety about their software that they would be cool with some wizard to set it all up automagically.
Microsoft sold (maybe still sells) Home Server and Small Business Server which were turnkey solutions that included directory services, file & print sharing, and other stuff.
I very much think every person should have a personal identity server. I think it should be buried enough that the user is managing "friend" objects transparently.
I disagree, seems like a pretty standard structure of one directory per app and inside that subfolders for configuration, secrets, opaque various data. Not complicated at all really.
1: https://goauthentik.io/