g5pw

@g5pw@feddit.it
1 Post – 28 Comments
Joined 1 year ago

Exactly this. In a federated network, the instance with the majority of users could dictate the protocol, forcing the smaller issues to continually adapt or die. See this post for a very real example of this.

I use kanidm with oauth2-proxy. No issues so far, it was pretty easy to set up.

Note that the connection to kanidm needs to be TLS even if you have a reverse proxy!

EDIT: currently using 80MB RAM for two users and three Service Providers.

The only alternative I know of that goes close to what FreeIPA does (minus the cert part) is kanidm. It does:

  • oauth2
  • ssh key distribution
  • RADIUS
  • PAM/SSSD
  • LDAP

I just noticed they have a beta for multimaster replication, which is nice.

I use it at home. Note, though, that it does not do any hand-holding, and all configuration is done through CLI. Also note, there are docs for the stable or dev branch and there sometimes are big differences between the two.

Saving this for all my future pro-systemd flames, thank you!

Aw man… and I was just thinking about deploying Nomad in my homelab…

Molise, Italy, which is a whole region that doesn’t exist!

I think you can create a group for friends and a group for family. If you want more separation I think Authentik handles multi-tenancy as well

Perhaps you could find some info in the translation project wiki page?

I’m using sops with my GPG key currently.

Sure, but it’s a question of principle. I try to use and support FLOSS software if possible.

I received the notice via email, but their FAQ about GandiMail discontinuation is here. Updated price list (PDF) is here.

I’m also leaving, migrating to infomaniak as a registrar, DeSec as DNS provider and Migadu for email… no regrets!

Yeah, I was registering my domains there because they are in Europe and had some extra services, I’ll be taking my business elsewhere now

I found the definition of Coordi-Nations interesting. It could also be applied to hackerspaces/hackbases. I need to look into that

Maybe you could try tryton? It’s modular and you can add a lot of useful functionality for businesses, like stocks/orders etc

I’ve moved mine to Infomaniak (Switzerland), no complaints so far!

It’s a bit chaotic, and they try to force you to pay for other stuff in the process, but the prices were not that far off from other registrars. Note that I use DeSEC for the actual nameservers though.

I use sops, usually with exec-env

Huh, that’s actually way better than my current setup of spamming me on Telegram every time there’s an update

Yeah, that’s a solid choice! I’ve used their proxy service and it was pretty solid.

I mean, it is a bit rough, they’re not at 1.0 yet, also: are you looking at the stable or latest docs? That may be the reason the commands do not match with the docs.

Oh nice, and they're based in the EU too, which is better for me, too!

I’m looking into kanidm, it’s a pretty new project and very lightweight (compared to Keycloak).

If that won’t pan out, I’ll probably fall back to lldap + Authelia.

If that fails I’ll set up Authentik.

Yes, it should cover all the use cases you mention!

I use oauth2-proxy as ForwardAuth on Traefik so I can protect apps that do not support OAuth/OIDC login.

Huh, great idea about client certs! I think I’ll implement mine that way!

Yeah, sounds like a security feature… I was able to configure Traefik to connect with TLS, verifying the peer certificate.
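The setup described in this comment and in the earlier oauth2-proxy/ForwardAuth and "kanidm needs TLS" comments, as an added example that is not g5pw's own configuration: a docker-compose file wiring Traefik, oauth2-proxy (authenticating against kanidm over OIDC) and an app that has no OIDC support of its own. Every hostname, path, client name, secret and image version below is an assumption or placeholder; the flag and label names are taken from the Traefik and oauth2-proxy documentation.

```yaml
# Added example, not the commenter's own setup. Hostnames, paths, client ids,
# secrets and image tags are placeholders (assumptions).
services:
  traefik:
    image: traefik:v2.11
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # private CA that signed the oauth2-proxy and kanidm certificates (assumed path)
      - ./certs/internal-ca.pem:/certs/internal-ca.pem:ro

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
    command:
      - --provider=oidc
      # kanidm exposes one OIDC issuer per configured client; hostname and
      # client name here are assumptions.
      - --oidc-issuer-url=https://idm.example.internal/oauth2/openid/oauth2-proxy
      # kanidm only speaks TLS, reverse proxy or not, so the provider connection
      # needs the CA that validates its certificate instead of skipping verification.
      - --provider-ca-file=/certs/internal-ca.pem
      - --client-id=oauth2-proxy
      - --client-secret=REPLACE_WITH_SECRET_FROM_KANIDM
      - --cookie-secret=REPLACE_WITH_32_RANDOM_BYTES_BASE64
      - --cookie-secure=true
      - --email-domain=*
      - --reverse-proxy=true            # trust X-Forwarded-* headers set by Traefik
      - --set-xauthrequest=true         # emit X-Auth-Request-* headers for ForwardAuth
      - --upstream=static://202         # only /oauth2/auth is used, nothing is proxied
      - --https-address=:4443           # serve TLS so Traefik can verify this hop too
      - --tls-cert-file=/certs/oauth2-proxy.crt
      - --tls-key-file=/certs/oauth2-proxy.key
    volumes:
      - ./certs:/certs:ro

  whoami:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.internal`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.middlewares=oauth2-proxy-auth
      # ForwardAuth: Traefik sends each request to /oauth2/auth first. A 2xx lets
      # it through and the listed headers are copied onto the request to whoami;
      # a 401/403 from oauth2-proxy is returned to the client instead.
      - traefik.http.middlewares.oauth2-proxy-auth.forwardauth.address=https://oauth2-proxy:4443/oauth2/auth
      - traefik.http.middlewares.oauth2-proxy-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth2-proxy-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email
      # Verify oauth2-proxy's certificate against the private CA rather than
      # setting forwardauth.tls.insecureSkipVerify=true.
      - traefik.http.middlewares.oauth2-proxy-auth.forwardauth.tls.ca=/certs/internal-ca.pem
```

Two things this file deliberately leaves out: `/oauth2/auth` answers 401 to a browser without a session, so a real deployment also routes `/oauth2/*` on the protected host to oauth2-proxy (and typically uses a Traefik errors middleware to turn that 401 into a redirect to `/oauth2/sign_in`); and the `whoami` router relies on Traefik's default certificate, so a certificate resolver or mounted certificate is needed for the public side. The point the comments make survives either way: every hop, Traefik to oauth2-proxy and oauth2-proxy to kanidm, is TLS with the peer certificate checked against a CA you control, not `insecureSkipVerify`.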

I didn’t have any issues, do you see anything in the logs?

Yeah, the usual approach is to create a DMZ network/VLAN where you forward external traffic to, but you can’t reach anything except the internet from.
