Personally I think of Authelia and Keratin as really good projects in the don't-build-auth-into-your-apps-ever-again space. If auth isn't already built into your app gateway/mesh/proxy, then these services might be something worth dropping alongside.
A few more projects in this space:
- Keycloak (you won't get fired for picking this) [0]
- CloudFoundry's UAA [1]
- Gluu [2]
- ORY (Hydra + friends) [3]
- Keratin [4]
- OpenUnison [5]
- Dex [6]
- Netlify's GoTrue [7]
All of these solutions are a bit different but here are some of the axes:
- Whether or not they function as an OAuth provider
- Whether they're centered around application-user-login via mechanisms like email/password, application auth, or SSO
- Whether or not they serve as a proxy to another down-the-line OAuth provider (Dex, GoTrue)
- GUI availability
- F/OSS-ness (basically all of them have very permissive licenses)
[EDIT] More entries for this list in another comment @ https://news.ycombinator.com/item?id=26411457
[0]: https://www.keycloak.org/
[1]: https://github.com/cloudfoundry/uaa
[2]: https://gluu.org/docs/gluu-server/4.2/
[3]: https://github.com/ory/hydra#what-is-ory-hydra
[4]: https://keratin.github.io/authn-server/
[5]: https://github.com/tremolosecurity/openunison
What’s your pick for LDAP + Free? OpenLDAP is arcane, FreeIPA is complex and has so many moving pieces.
Unfortunately I don't have one -- all I've got saved is precisely OpenLDAP and FreeIPA. Though I do have this saved:
https://github.com/i-core/werther
It's a bit of a mouthful:
> Werther is an Identity Provider for ORY Hydra over LDAP. It implements Login And Consent Flow and provides basic UI.
So basically, turn your LDAP into OAuth2, if I'm reading the features right:
> Support Active Directory;
> Mapping LDAP attributes to OpenID Connect claims;
> Mapping LDAP groups to user roles;
> OAuth 2.0 scopes;
> Caching users roles;
> UI customization.
Unfortunately this doesn't really free you from maintaining an LDAP server, it just... lets you log in using OAuth instead, by bringing pieces of the ORY ecosystem along.
If anything I'd like something like the inverse of Werther - I don't necessarily want to have a complete LDAP db and setup. It's just those couple of pieces of software that support LDAP and nothing else, so just providing an LDAP authentication interface to some other auth/identity solution would be great.
Not having the time to implement that ourselves, we're stuck with LDAP as a backend as the common denominator.
This feels like it might exist so I went looking, looks like Auth0 had this[0][1]. I'm not sure there are any open source projects that actually do this ldap-in-the-front-something-else-in-the-back, but you can get very close:
- https://github.com/glauth/glauth (ldap in front, local file/s3/ldap in the back, extensible)
- https://github.com/kernel164/go389 (ldap in front, YAML file in the back)
Seems like this is quite the unsolved problem (unless you're using Auth0). Maybe it's worth using Auth0 only for this. If you're going with the F/OSS solutions then it feels like you could either add a plugin (DB, OAuth maybe?) to glauth, or hack together some sort of system that updates the YAML/S3 as accounts get added.
[EDIT] - Also looks like Joyent has put together a framework for LDAP clients and servers in JS... (http://ldapjs.org/server.html). The raw pieces are there but someone would really need to put them together to offer the facade.
[EDIT2] - Also in go: https://github.com/vjeantet/ldapserver
[EDIT3] - Original code listing for auth0's connector (https://github.com/auth0/auth0-ldap-endpoint), lib/routes/authenticate.js looks very easy to work around...