infra:services:hacker-id

Differences

This shows you the differences between two versions of the page.

infra:services:hacker-id [2025/08/07 20:13] – [Changing account name/display name/email] d404d_idp.hackeriet.no
infra:services:hacker-id [2026/04/11 17:41] (current) d404d_idp.hackeriet.no
Line 5: Line 5:
  
 Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet. Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.
- 
-<WRAP center round important 60%> 
-This is a proof-of-concept to see how one could reasonably deploy IDP in a simple yet flexible way with few moving parts. 
-Ask if you have any questions, need help, need an account, or want to integrate something. 
- 
-Regards, 404'd 
-</WRAP> 
  
 A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to. A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
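Review bot: Dropping the proof-of-concept box also drops the only contact and support statement on the page (ask 404'd for help, an account, or an integration). If Hacker-ID is now treated as a production service rather than a PoC, the hunk should add a replacement sentence saying who operates it and how members request an account or an SSO integration; as edited, readers lose both the status caveat and the point of contact.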
Line 25: Line 18:
 All services enrolled into Hacker-ID are documented using tags in Netbox: All services enrolled into Hacker-ID are documented using tags in Netbox:
   * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented   * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented
-  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Not currently implemented+  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Select Nettlauget infrastructure
   * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID   * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID
   * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow   * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow
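Review bot: "Select Nettlauget infrastructure" is vaguer than the sibling entries, which state what the integration actually does (the SSH daemon reads authorized keys from Hacker-ID; the SSO tag means an OpenID/OAuth2 flow). Say what the RADIUS tag authenticates against Hacker-ID and which group is permitted to log in, so an operator can tell which accounts gain access to a Nettlauget device when the tag is applied to it in Netbox.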
Line 54: Line 47:
 </WRAP> </WRAP>
  
-<WRAP center round warning 60%>+<WRAP center round important 60%>
 Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes. Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes.
 </WRAP> </WRAP>
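Review bot: The box is downgraded from warning to important, but its text is still the only place that tells users what happens to their Netbox and Wiki accounts after an IDP-side username or email change. The note would be more useful if it also named the attribute those applications key the account on, since that linkage is what guarantees a renamed user lands in the same account rather than a fresh one, and it is the thing an operator must check before changing someone's username.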
Line 77: Line 70:
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
 | ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no | | ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no |
-| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |+| ''service-idp-sysops'' | ''service-idp-sysops'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |
 | ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no | | ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
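Review bot: The member column of ''service-idp-sysops'' now lists the group itself, which documents nobody. Every other row names a concrete group (''hackeriet-styret'', ''nettlaug-operators''), and the previous revision named the account ''d404d@idp.hackeriet.no''. Because this row grants Kanidm, SSH, sudo and docker rights, name the actual member accounts or the group that holds them; otherwise the table no longer shows who has administrative access to Hacker-ID.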
Line 128: Line 121:
  
 ===== Administrative actions ===== ===== Administrative actions =====
 +Slideset from admin workshop:
 +{{ :infra:services:main.pdf |}}
 ==== Onboarding users through the CLI ==== ==== Onboarding users through the CLI ====
 If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands: If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands:
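Review bot: The slideset link is added as ''main.pdf'' with no date or version, directly under the section heading and immediately before the ''Onboarding users through the CLI'' subheading with no separating blank line. Give the attachment a descriptive name or put the workshop date next to the link so a later revision of the slides can be told apart, and place the line in its own paragraph before the subsection.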
Line 157: Line 152:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
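Review bot: The new bullet says the dedicated v6 subnet exists so that XFF mapping works, but not which side trusts the X-Forwarded-For header. Document that the service behind Traefik is configured to trust forwarded headers only from Traefik's address on that subnet, and that the subnet in compose and in /etc/docker/daemon.json must stay in sync, since a proxy-trust range wider than the Traefik container lets any client supply its own source address in Kanidm's logs and audit trail.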
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1754597585.txt.gz · Last modified: by d404d_idp.hackeriet.no