This repository has been archived on 2024-01-30. You can view files and clone it, but cannot push or open issues or pull requests.
docs/content/auth.md

+++
title = "Authentication"
categories = [ "services", "lxc", "ldap" ]
+++

Our SSO is currently handled via keycloak, though the user accounts themselves are stored in LDAP; keycloak just fetches them from there.

Both LDAP and Keycloak run in lxc containers that contain Debian systems, rather than on nix directly (though both containers run on parsons).

## LDAP

LDAP stores all user accounts except those that can administer the keycloak master realm.

It should be reachable from within keycloak's container under 10.1.2.103; if it is not, keycloak will return confusingly generic errors to users.
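A pre-check for that dependency, added here as an example and not part of these docs: run from inside the keycloak container, it opens a TCP connection to the LDAP port, sends an anonymous LDAPv3 bind, and reports whether the host is unreachable, is not speaking LDAP, or answers the bind, so these cases can be told apart before guessing at keycloak's generic error. The host 10.1.2.103 is from the page; port 389 and the assumption that an anonymous bind is answered are mine, and `fake_ldap_server` is a constructed stand-in so the script also runs offline.

```python
import socket, threading

def tlv(data: bytes, i: int):
    """Read one BER TLV at offset i; return (tag, value_start, value_end)."""
    tag, n, i = data[i], data[i + 1], i + 2
    if n & 0x80:                 # long form: low 7 bits = number of length bytes
        n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, i, i + n

def bind_request(message_id: int = 1) -> bytes:
    """Anonymous LDAPv3 simple BindRequest: version 3, name "", empty password."""
    body = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"
    op = b"\x60" + bytes([len(body)]) + body          # [APPLICATION 0] BindRequest
    msg = b"\x02\x01" + bytes([message_id]) + op      # messageID INTEGER + protocolOp
    return b"\x30" + bytes([len(msg)]) + msg          # LDAPMessage SEQUENCE

def parse_bind_result(data: bytes):
    """Return the resultCode of a BindResponse, or None if data is not one."""
    try:
        seq, i, _ = tlv(data, 0)                      # LDAPMessage SEQUENCE
        msgid, _, i = tlv(data, i)                    # messageID INTEGER (skipped)
        op, i, _ = tlv(data, i)                       # protocolOp; 0x61 = BindResponse
        code, i, end = tlv(data, i)                   # resultCode ENUMERATED
    except IndexError:
        return None
    ok = (seq, msgid, op, code) == (0x30, 0x02, 0x61, 0x0A)
    return int.from_bytes(data[i:end], "big") if ok else None

def check_ldap(host: str, port: int = 389, timeout: float = 3.0) -> str:
    """Classify the endpoint: 'ok', 'bind-failed:<code>', 'not-ldap' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request())
            data = s.recv(1024)
    except OSError:
        return "unreachable"     # the case keycloak reports only as a generic login error
    code = parse_bind_result(data)
    return "not-ldap" if code is None else "ok" if code == 0 else f"bind-failed:{code}"

BIND_SUCCESS = bytes.fromhex("300c 020101 6107 0a0100 0400 0400")  # constructed: resultCode 0

def fake_ldap_server(response: bytes) -> int:
    """Constructed stand-in for 10.1.2.103: answers one bind with `response`; returns its port."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.recv(1024)
            conn.sendall(response)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Inside the container, `check_ldap("10.1.2.103")` is the call to run; anything other than `ok` is worth fixing before looking at keycloak itself.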

## Keycloak

Keycloak provides other services with SSO.

An admin password for the master realm should be available in vaultwarden; use it to log in to the admin console.

Inside its lxc container, keycloak lives under `/opt/keycloak` and is not managed by any kind of package manager.

Keycloak does not write any logs to systemd; either check the logs in the admin console or take a look at `/opt/keycloak/standalone/log/server.log` within the lxc container. Logs are rotated daily, and apparently we keep all of them, forever.

User groups are sometimes fiddly, and currently synced with nextcloud via a script `/opt/ldap-provision-update.sh` that systemd runs regularly.

## Useful commands

- log in to a container as root with a usable shell: `lxc-attach -n keycloak -- /usr/bin/sudo -i`
- restarting the keycloak and ldap containers: `lxc-stop -n keycloak && lxc-start -n keycloak`
- restarting their network bridge: `systemctl restart lxcbr0-netdev.services`