OOD authentication options

Hi,

I’m new to OOD and I’m looking to use it without an LDAP system. I’ve tried htpasswd already. We need the ability to add and remove users from a GUI interface and, hopefully, the user can get mapped on the system as well. Is there such a method out there? htpasswd would make it hard on someone who’s not too technical, especially when dealing with multiple systems at the same time. I really appreciate anyone helping on this. Thanks.

Hello and welcome!

Have you looked at something like OpenID Connect? I don’t know what criteria you are exactly going by but there are some options available which you can see here:

https://osc.github.io/ood-documentation/latest/authentication.html

Sorry if that isn’t specific enough, but please feel free to ask some more follow-up questions as you look through the options and consider if any work for your environment.

You might also want to look at ColdFront. OOD doesn’t handle any of the underlying system config stuff like account management. It relies on other tools to do that.

https://dl.acm.org/doi/pdf/10.1145/3437359.3465585

I have started to look at OpenID Connect, but I thought it would also require an LDAP system. If that isn’t the case, I would like to use it. I can see there’s a user_map_cmd. Do I still need to create every user manually for OpenID Connect to work? The OOD server is alone; we will be adding a few servers to the cluster as we go. We have no infrastructure around it. This is why we need a method that will create the user for the system and the OOD application. Previously, when I tried htpasswd, I had to add the user manually for both the application and the system.

I believe OpenID Connect uses OAuth 2.0 but I am not an authentication expert unfortunately.

@tdockendorf do you have any guidance here? I am not knowledgeable about how the users are created and mapped by these auth systems.

htpasswd is no longer supported with OnDemand; it’s too insecure, so we removed support entirely, though there may be ways to add that support back in. Also, using just htpasswd won’t work with OnDemand if you don’t also have that username mapping to an actual Linux user on the system that can access files and log into the system.

OpenID Connect has nothing to do with defining users/passwords; it is just a means to authenticate existing users from various sources. If you want to use OpenID Connect, the system providing the OIDC tokens needs somewhere to pull user info from, like LDAP or Active Directory or even GitHub or Google.

If you want to add local users and have them be used with OnDemand, your best bet will be using PAM and mod_auth_pam with Apache to authenticate local /etc/passwd users. See Add PAM Authentication — Open OnDemand 2.0.20 documentation. I must warn against using this in production: mod_auth_pam has security issues and relies on Basic auth, which is extremely insecure. If you plan to run OnDemand in production, I would strongly recommend having LDAP or some other user database set up (like with ColdFront as a frontend) so you can use solutions that are more secure and scale better.
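To illustrate the point made in the two replies above (OIDC only authenticates; the authenticated identity still has to map to a real Linux account), here is an added example of a user_map_cmd-style script. It is not from the thread or from the OnDemand project; it assumes the mapping command receives the authenticated identity as its first argument and must print the local username on stdout (empty output meaning no mapping), and it uses a constructed allowed domain, example.org.

```shell
#!/bin/sh
# Hypothetical user_map_cmd script (added example, not OnDemand's own code).
# Assumed contract: $1 is the authenticated identity (e.g. the OIDC email claim),
# stdout is the local Linux username; printing nothing denies the login.
# PASSWD_FILE can be overridden for testing; the default is the real account database.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

map_user() {
  remote="$1"

  # Only identities from the organisation's own identity provider are eligible.
  # (example.org is a constructed placeholder for the real domain.)
  case "$remote" in
    *@example.org) ;;
    *) return 1 ;;
  esac

  local_part="${remote%%@*}"

  # Refuse anything that is not a plain lowercase POSIX username: this keeps
  # path characters, shell metacharacters and empty names out of the mapping.
  case "$local_part" in
    ''|*[!a-z0-9_-]*) return 1 ;;
  esac

  # Map only to accounts that actually exist on this host; OnDemand needs a
  # real Linux user to read files and launch jobs, so an unknown name is denied.
  if grep -q "^${local_part}:" "$PASSWD_FILE"; then
    printf '%s\n' "$local_part"
    return 0
  fi
  return 1
}

# When run as a script, map the identity handed over by the web server.
if [ -n "${1:-}" ]; then
  map_user "$1"
fi
```

Unknown accounts, foreign domains and malformed names all produce no output, so the web application sees no mapped user rather than a guessed one.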

Yeah, or you could try FreeIPA for your user management. That may serve as your UI to manage users.