𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍

I haven’t used Authentik myself at all; Okta at one place I worked, but that was managed by the ops team so I didn’t have much to do with it.

Committing to LDAP is one thing; getting SSO is a whole other level of effort. Again, I have experience with LDAP so it seems manageable, and common enough to be worth setting up - does a large enough portion of OSS hosted software support SAML or OpenID or whatever to make setting up Authentik worth the effort?

I’ll re-iterate, I do not enjoy ops. I do it only because it’s slightly more important to me to have control over my data than it is to not have to admin stuff. I like lldap specifically because it’s a single executable, one or two really basic config files (requiring a bare minimum of understanding LDAP to configure), and one SQLite DB file - backing it up is, like, 3 files. This has huge value to someone like me, far exceeding the capability limitations of lldap vs OpenLDAP. If Authentik is just as easy, with minimum external dependencies, then I’m interested. If I have to install, configure, and administer and maintain PostgreSQL, redis, and a half dozen other external dependencies… then my family can live without SSO :-)

Yeah, what they said.

OP, invest in a UPS - cheap or less cheap - you can get them as big as your bank account, and they’re worth it. I tend to like Cyberpower for price, because they’re common enough that I’ve never found a model that nuts didn’t already know about, and they tend to have replaceable batteries. As parent said, the nightmare is if power goes out, and even though the laptop has a battery, you’re buying yourself extra time. Plus extra surge protection and all that.

I’m not probably saying anything you don’t already know, OP, but I feel there’s a general under-valuing of UPSes when I hear about people’s set-ups. They may mention a surge protector, but rarely do I see folks taking about their UPSes.

Caveat: this is not my area of expertise. However, I agree SSO is going to be the hardest part of this.

OP, you can use lldap to centralize authentication, so that each user had only one account and one password for all sites. It’s trickier to get each of these platforms to work together with SSO. For that, you’ll need something like Authentik (OSS SSO solution, like Okta) which you then back by lldap - Authentik handles the SSO and authorization part, and uses lldap for the authentication part. I suggest doing it in stages: install your servers, get them using lldap to log in, and then when it’s all working insert Authentik into the mix. Doing something like this and learning all the technology at once is boiling the ocean.

I’m recommending lldap over OpenLDAP because I’ve used both extensively, and OpenLDAP is a nightmare whereas lldap isn’t. lldap is trivial to install, and comes with a nice, simple user/group admin web interface, a sane default schema configuration, and is stupid easy to back up. Just getting OpenLDAP configured with the right schemas can take forever. If you’d said you already had a lot of experience with LDAP in general, then sure: OpenLDAP is capable and powerful. But it’s harder.

My one caveat about lldap is that I’m not sure that it’s possible to set up master/slave replication - or any sort of replication - which is probably not going to be an issue for your all-in-one set-up, but would limit scaling and failover if you ever get there.

I do rant a little about OpenLDAP because LDAP was in supposed to be lightweight OLAP, and yet is some of the most frustrating software I’ve ever had to deal with.

Again, I’m not a devops, or any sort of ops, guy, so my perspective is colored by the an attitude that ops is a necessary evil, and not something I love, so easier==better.