I am trying to figure out how I can retain personal SSH keys (probably the most important part, or at least important to have an alternative connection method) while also having modern tools like SSO or at least SAML, some way to federate to different ADs.
I know there are a few things out there like Authentik and Authelia, but not 100% sure Authentik covers those needs above. Does anyone have experience with these or other modern LDAP alternatives that work well with Linux?
The only alternative I know of that goes close to what FreeIPA does (minus the cert part) is kanidm. It does:
- oauth2
- ssh key distribution
- RADIUS
- PAM/SSSD
- LDAP
I just noticed they have a beta for multimaster replication, which is nice.
I use it at home. Note, though, that it does not do any hand-holding, and all configuration is done through CLI. Also note, there are docs for the stable or dev branch and there sometimes are big differences between the two.
I’m sorry for worthless comment in advance. I’ve never heard of FreeIPA, but I’d definitely get free IPA ;-)
It’s my understanding that FreeIPA can federate with Active Directory, but personally I haven’t tried that myself. As for Authentik, it looks interesting but it’s the first I’ve heard of it. I also rely on FreeIPA’s certmonger implementation, so I wonder if Authentik could replace that?
Just to understand your use case, you have users in Active Directory where you want to manage SSH keys and be able to login via SSH to linux machines?