Hackeriet

User Tools

Site Tools

You are here: start » infra » services » hacker-id
infra:services:hacker-id

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infra:services:hacker-id [2025/08/01 08:07] – [Changing account name/display name/email] d404d_idp.hackeriet.noinfra:services:hacker-id [2026/04/11 17:41] (current) d404d_idp.hackeriet.no
Line 5: Line 5:
  
 Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet. Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.
- 
-<WRAP center round important 60%> 
-This is a proof-of-concept to see how one could reasonably deploy IDP in a simple yet flexible way with few moving parts. 
-Ask if you have any questions, need help, need an account, or want to integrate something. 
- 
-Regards, 404'd 
-</WRAP> 
- 
  
 A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to. A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
  
 Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula). Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula).
 +
 +===== Onboarding =====
 +Hackeriet members can begin onboarding by visiting the Hacker-ID section in Hula:
 +
 +https://hackeriet.no/hula/idp/
  
 ===== Hacker-ID capable services ===== ===== Hacker-ID capable services =====
 All services enrolled into Hacker-ID are documented using tags in Netbox: All services enrolled into Hacker-ID are documented using tags in Netbox:
   * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented   * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented
-  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Not currently implemented+  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Select Nettlauget infrastructure
   * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID   * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID
   * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow   * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow
Line 38: Line 35:
  
 This includes the login name used for both the web portal, and any Unix accounts used on servers. This includes the login name used for both the web portal, and any Unix accounts used on servers.
-Unless noted otherwise here, all services consuming Hacker-ID supports account renames. 
- 
 This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile
  
-You can also rename and update your account profile using the CLI:+Unless noted otherwise here, all services consuming Hacker-ID supports account renames/email changes.
  
 +<WRAP center round alert 60%>
 +Mobilizon (events.hackeriet.no) uses your EMAIL for account bindings. It does not seem like we can change this.
 +
 +Please get someone to help you with updating your email in Mobilizon in order to avoid losing access to your account.
 +
 +When changing emails, you should keep your old primary email on-account as a secondary email.
 +</WRAP>
 +
 +<WRAP center round important 60%>
 +Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes.
 +</WRAP>
 +
 +You can also rename and update your account profile using the CLI:
  
   * Account name: <code>kanidm person update d404d --newname testlmao</code>   * Account name: <code>kanidm person update d404d --newname testlmao</code>
Line 61: Line 69:
 | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki | | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki |
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
-| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | +| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no 
-| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad2.hackeriet.no |+| ''service-idp-sysops'' | ''service-idp-sysops'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | 
 +| ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
 | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox | | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox |
Line 112: Line 121:
  
 ===== Administrative actions ===== ===== Administrative actions =====
 +Slideset from admin workshop:
 +{{ :infra:services:main.pdf |}}
 ==== Onboarding users through the CLI ==== ==== Onboarding users through the CLI ====
 If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands: If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands:
Line 141: Line 152:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1754035674.txt.gz · Last modified: by d404d_idp.hackeriet.no