diff --git a/content/auth.md b/content/auth.md new file mode 100644 index 0000000..07e6790 --- /dev/null +++ b/content/auth.md @@ -0,0 +1,43 @@ ++++ +title = "Authentication" +categories = [ "services", "lxc", "ldap" ] ++++ + +Our SSO is currently handled via keycloak, though the user accounts themselves +are stored in LDAP; keycloak just fetches them from there. + +Both LDAP and Keycloak are running in lxc containers containing debian systems +rather than on nix directly (though they both run on `parsons`). + +## LDAP + +LDAP stores all user accounts except those that can admininster the keycloak +master realm. + +It should be reachable from within keycloak's container under `10.1.2.103`; if +it is not, keycloak will return confusingly generic errors to users. + +## Keycloak + +Keycloak provides other services with SSO. + +An admin password for the master realm should be available in [vaultwarden](pw.hacc.space); +use it to log in to the [admin console](https://auth.infra4future.de/auth/admin/master/console/). + +Inside its lxc container, keycloak lives under `/opt/keycloak` and is not managed +by any kind of package manager. + +Keycloak does not write any logs to systemd; either check the logs in the admin +console or take a look at `/opt/keycloak/standalone/log/server.log` within the +lxc container. Logs are rotated daily, and apparently we keep all of them, forever. + +User groups are sometimes fiddly, and currently synced with nextcloud via a +script `/opt/ldap-provision-update.sh` that systemd runs regularly. + +## Useful commands + - login to a container as root with a usable shell + `lxc-attach -n keycloak -- /usr/bin/sudo -i` + - restarting the keycloak and ldap containers + `lxc-stop -n keycloak && lxc-start -n keycloak` + - restarting their network bridge: + `systemctl restart lxcbr0-netdev.services`
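Review bot: In the "Useful commands" list, the bridge restart command `systemctl restart lxcbr0-netdev.services` uses a unit suffix systemd does not recognise; the unit type suffix is `.service` (singular), so as written the command will fail with "Unit not found". Suggest `systemctl restart lxcbr0-netdev.service`, or drop the suffix entirely since systemd defaults to `.service`. In the same list, the item labelled "restarting the keycloak and ldap containers" only shows `lxc-stop -n keycloak && lxc-start -n keycloak`; either add the matching `lxc-stop -n ldap && lxc-start -n ldap` line or rename the item so it does not promise both. Two smaller points: the vaultwarden link target `pw.hacc.space` has no scheme, so Markdown renders it as a relative path rather than an external link (use `https://pw.hacc.space`), and "admininster" in the LDAP section is a typo for "administer". Finally, the statement that Keycloak logs are rotated daily but kept forever is worth flagging as an open issue rather than an aside, since unbounded `server.log.*` growth inside the container will eventually fill the disk and these logs contain user identifiers.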