this post was submitted on 16 Mar 2024
95 points (97.0% liked)

Selfhosted

59939 readers
551 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
95
Simple authentication for homelab? (eviltoast.org)
submitted 2 years ago by johntash@eviltoast.org to c/selfhosted@lemmy.world
71 comments fedilink hide all child comments
 

What's everyones recommendations for a self-hosted authentication system?

My requirements are basically something lightweight that can handle logins for both regular users and google. I only have 4-5 total users.

So far, I've looked at and tested:

  • Authentik - Seems okay, but also really slow for some reason. I'm also not a fan of the username on one page, password on the next screen flow
  • Keycloak - Looks like it might be lighter in resources these days, but definitely complicated to use
  • LLDAP - I'd be happy to use it for the ldap backend, but it doesn't solve the whole problem
  • Authelia - No web ui, which is fine, but also doesn't support social logins as far as I can tell. I think it would be my choice if it did support oidc
  • Zitadel - Sounds promising, but I spent a couple hours troubleshooting it just to get it working. I might go back to it, but I've had the most trouble with it so far and can't even compare the actual config yet
you are viewing a single comment's thread
view the rest of the comments
[–] g5pw@feddit.it 1 points 2 years ago (1 children)

Yeah, sounds like a security feature… I was able to configure Traefik to connect with TLS, verifying the peer certificate.

[–] timbuck2themoon@sh.itjust.works 1 points 2 years ago (1 children)

I could do this but sadly even just the trial did not work. I'm using podman but it gives me "invalid state" just trying to login with a user per the quickstart, etc. Can't reset the password cleanly, can't add a passkey via bitwarden, etc.

Unsure if I'm doing something wrong or if it's very alpha/beta.

[–] g5pw@feddit.it 1 points 2 years ago (1 children)

I didn’t have any issues, do you see anything in the logs?

[–] timbuck2themoon@sh.itjust.works 1 points 2 years ago* (last edited 2 years ago) (1 children) 
0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "displayname" Equality was not found. YOU MUST REINDEX YOUR DATABASE
0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "name_history" Equality was not found. YOU MUST REINDEX YOUR DATABASE
0e2475ba-882a-4f61-8938-2642ca80193b WARN     │  ┝━ 🚧 [warn]: WARNING: index "jws_es256_private_key" Equality was not found. YOU MUST REINDEX YOUR DATABASE

I had to drop it for a few days. I got that at some point though. It's all brand new so I wouldn't know why. Seems a bit rough around the edges so far. I'll try to reindex and attempt again. I really want this to be the product I use since it's a nice AIO solution but we'll see.

Edit:

[~]$ podman run --rm -i -t -v kanidm:/data \
    kanidm/server:latest /sbin/kanidmd reindex -c /data/server.toml
error: unrecognized subcommand 'reindex'

Phew boy. Straight from the docs. Same with the vacuum command.

Looks like the docs need updated to specify the command is kanidm database reindex -c /data/server.toml

And further upon trying to login...

300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     handle_request [ 188µs | 0.00% / 100.00% ]
300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO     ┕━ request [ 188µs | 72.94% / 100.00% ] method: GET | uri: /v1/auth/valid | version: HTTP/1.1
300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO        ┝━ handle_auth_valid [ 50.8µs | 25.54% / 27.06% ]
300e55b7-e30a-42a5-ac3e-ec0e69285605 INFO        │  ┝━ validate_client_auth_info_to_ident [ 2.85µs | 1.51% ]
300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN        │  │  ┕━ 🚧 [warn]: No client certificate or bearer tokens were supplied
300e55b7-e30a-42a5-ac3e-ec0e69285605 ERROR       │  ┕━ 🚨 [error]: Invalid identity: NotAuthenticated | event_tag_id: 1
300e55b7-e30a-42a5-ac3e-ec0e69285605 WARN        ┕━ 🚧 [warn]:  | latency: 204.504µs | status_code: 401 | kopid: "300e55b7-e30a-42a5-ac3e-ec0e69285605" | msg: "client error"

I think I'm gonna have to just nuke it and start fresh but yeah, this is not a great first impression at all.

[–] g5pw@feddit.it 1 points 2 years ago (1 children)

I mean, it is a bit rough, they’re not at 1.0 yet, also: are you looking at the stable or latest docs? That may be the reason the commands do not match with the docs.

[–] timbuck2themoon@sh.itjust.works 1 points 2 years ago

I will have to check. Still willing to try again. I'll update if i get it going better on round 2.

Thanks for the hint about the docs. I hadn't thought of that.