Hello, I have set up FreeIPA (on Docker) and was able to log on via PAM / SSSD on some host. Klist shows a valid ticket and in Firefox I am able to log into FreeIPA's WebUI using SSO/Kerberos as the user I am logged in as. I would like to have Nextcloud (also on Docker) use SSO Kerberos. There are many apps in Nextcloud and I don't know how to start: SSO/SAML, Social Login, Backend LDAP, OpenID, OAuth... I only found one documentation on SSO in Nextcloud but it's behind a paywall (and our company is too small to get a subscription). Has anybody got this working? Which Nextcloud apps should be used and how would they be configured?
--
Kind regards
Daniel Pätzold
On 2024-10-09 20:35, Daniel Pätzold via FreeIPA-users wrote:
SSO/SAML is the one that handles kerberos. I got it working with it once.
What you want to do basically is to configure the webserver you have in front of Nextcloud to use Kerberos (that is, you create a service principal on FreeIPA for that host), get its keytab and then configure your webserver to use it.
Basically it works this way: the webserver gets the user's HTTP ticket and sets up a variable (you choose which, if I'm not mistaken), and the SSO/SAML application will read that variable from the webserver.
I remember it was tough to configure it. Most documentation was based on a deprecated apache module, so I had to figure out how to configure it with the modern module.
If I could suggest anything, it would be to drop this webserver configuration and use Keycloak instead for authentication. It was a breeze to get Keycloak to work with FreeIPA, including Kerberos. Of course, it is one more component, but Keycloak might be useful for other applications anyway.
Good luck!
Best,
---
Francis Augusto Medeiros-Logeay
Oslo, Norway
For anyone having the same problem - I now solved it like this:
1. Install FreeIPA in Docker
2. Create a user in FreeIPA
3. Client with SSSD + Kerberos and ipa-client integrated into the domain -> user can log on to the client as described above
4. Set up Authentik as Docker - version 10/2024 has Kerberos support. This is needed as middleware
5. Make Authentik sync FreeIPA users and groups with LDAP
6. Configure Kerberos SPNEGO in Authentik (NOT using Kerberos sync)
7. Set up Nextcloud to authenticate with Authentik via OIDC Connect (OAuth)
That's it. You can find all necessary resources in the docs of those apps.
Interesting, I've had no issue with just using the Nextcloud LDAP plugin to auth directly to FreeIPA without any additional stuff. It's just worked. I use Nextcloud on FreeBSD, so no Docker for that. And I use FreeIPA in as stock a form as possible to prevent issues on upgrades, done in Rocky. This is repeatable and pretty easy.
On 11/27/24 13:25, Daniel Paetzold via FreeIPA-users wrote:
Sure, that would work too, but it does not do Single Sign-On (SSO). I (my users) didn't want to have to enter the user's password twice ;) That way, the whole login after client logon is just pressing buttons.
On the other hand, it's worth mentioning: be very careful with LDAP, as FreeIPA does not force encryption by default. It neither configures SSL nor forces port 389 to be TLS-secured, so connections may be plain text. One may change this right after installing FreeIPA.
Daniel
Dear Group/Maintainers, I had some work getting FreeIPA to work with Let's Encrypt certificates behind an ACME-enabled proxy (here Caddy).
Finally i got it working :)
Maybe someone would write the hints into some docs for others to learn how to get this working. Or maybe someone has a trick to do it better.
It's worth mentioning that if the certificates expire, NO UPDATE OF THE CERTS works any more. I had it once and I needed to manually fake the host's date to get it working again. So it's important to have the script run right when the Let's Encrypt certs are renewed.
This is my script I run every day to ensure that the imports are done:
#!/bin/bash
#
FQDN="ipa.domain.com"
# or: FQDN=$(hostname -f)
# This is the path of the caddy acme client (abort if it is missing, the commands below depend on it):
cd /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$FQDN || exit 1
#
## letsencrypt root certificate (only needed the first time or when expired, see https://letsencrypt.org/certificates/)
#curl https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem
#
# Install RootCA to FreeIPA (-p so the daily run does not stop at a password prompt)
ipa-cacert-manage -p 'IPAPASSWORD' install isrgrootx1.pem
# Split the chain into its parts, as the commands only support one certificate at a time
csplit -f cert ${FQDN}.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
# The second part (cert02) should be the CA signing the key (intermediate) - so it's the right one:
ipa-cacert-manage -p 'IPAPASSWORD' -t C,, install cert02
ipa-certupdate
# Not important: full keychain
#cat /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$FQDN/$FQDN.crt isrgrootx1.pem > fullchain.pem
#
# Finally import certificate and key into FreeIPA
ipa-server-certinstall -d -w $FQDN.crt $FQDN.key --pin='WEBSERVERPIN' -p 'IPAPASSWORD' && ipactl restart
--
Kind regards
Daniel Pätzold
Daniel Pätzold via FreeIPA-users wrote:
For what it's worth you're doing essentially the same we do with certs for our demo site, code at https://github.com/freeipa/freeipa-letsencrypt
Both have a pretty significant downside in that the roots, and in our case the intermediates, are hardcoded. This is less than ideal.
A user submitted a patch, https://github.com/freeipa/freeipa-letsencrypt/pull/49 but we haven't merged it yet.
This is a project we work on in our spare time, which is rather rare, so it doesn't see a lot of love unless it affects the demo site. It's unfortunate but time is a commodity.
rob
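Rob's point about the hard-coded intermediates also applies to the csplit step in the script above, which assumes the second part is the signing CA. As an added example (mine, not code from the thread and not from freeipa-letsencrypt), here is a stdlib-only Python helper that labels each certificate in the Caddy bundle as leaf, intermediate or root by matching issuer against subject, so the right parts get installed whatever the order or chain length. The sample bundle is constructed from fake, unsigned certificate shells with assumed names; on a real host you would pass the bytes of $FQDN.crt instead.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_items(buf):
    """Yield (tag, content) for each top-level DER TLV in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                   # long form: low 7 bits = number of length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def issuer_subject(der):
    """Return (issuer, subject) as raw DER content; byte-equality is all we need, no name decoding."""
    tbs = next(der_items(next(der_items(der))[1]))[1]  # Certificate -> tbsCertificate content
    fields = list(der_items(tbs))
    if fields[0][0] == 0xA0:                           # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                  # serial, sigAlg, ISSUER, validity, SUBJECT

def chain_roles(pem_bundle):
    """Label each PEM cert 'leaf', 'intermediate' or 'root' by who signed whom, whatever the file order."""
    certs = [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bundle)]
    meta = [issuer_subject(c) for c in certs]
    issuers = {iss for iss, _ in meta}
    return ["root" if iss == subj else "intermediate" if subj in issuers else "leaf"
            for iss, subj in meta]

def ca_pems(pem_bundle):
    """The PEM blocks to feed to ipa-cacert-manage (one file each): everything except the leaf."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", pem_bundle, re.S)
    return [b for b, r in zip(blocks, chain_roles(pem_bundle)) if r != "leaf"]
# --- constructed sample input: fake, unsigned certificate shells with the real TBS field layout ---
def _tlv(tag, body):
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def fake_cert(subject, issuer):
    cn = lambda s: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, s.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + cn(issuer) + _tlv(0x30, b"") + cn(subject))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (fake_cert("ipa.example.test", "Example Intermediate R0")    # leaf first, as Caddy writes it
                 + fake_cert("Example Intermediate R0", "Example Root X0")   # intermediate
                 + fake_cert("Example Root X0", "Example Root X0"))          # self-signed root
```

Write each block returned by ca_pems() to its own file and pass those to ipa-cacert-manage, as the script does with cert02.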
So now we also have the ability to have fully automated Caddy proxy ACME certs integrated too.
I don't see the downside, while Caddy will automatically refresh intermediate certs, and if you like you can also download the root as described in the script, so nothing is hard coded there I think.
Keep up the good work, maybe I can help a bit, but for me everything now works fine.
freeipa-users@lists.fedorahosted.org