Dominik George

Fediverse Profile link: https://toot.teckids.org/@nik

Born 1990, Linux sysadmin since 2004, co-founder of the [Teckids](https://teckids.org) community in 2012. Since then, I have mainly been working at the intersection of pedagogics and informatics.

I have been involved in Debian as a contributor since 2007 and was active in Debian Edu for some years.

In 2022, after having been employed by credativ, I founded my company velocitux. velocitux provides managed hosting, support, consulting and training around FOSS topics. Personally, I spend most of my work time giving Linux, PostgreSQL, Rust, and other trainings at Linuxhotel.

Teckids, originally the Free Software Youth Organisation, plays a huge role in my life. We foster everything concerning comprehensibility of technology, which includes teaching children technical skills, as well as activism around digital rights, and community building among children and youth.

Accepted Talks:

WebIDAMd – OpenID Connect and OAuth for Linux system clients

For many decades, LDAP- and Kerberos-based setups have been the default for providing enterprise-grade, network-wide authentication and authorisation in Linux environments, after they slowly replaced NIS / yellow pages from the dark Unix eras.

Today, however, the Web has become the default platform for many applications, and it has well-established identity and authorisation protocols – the most prominent being OpenID Connect, which is based on OAuth2.

In 2023 at MiniDebConf Hamburg, I talked about bringing Linux enterprise authentication to the cloud by leveraging OIDC authentication in NSS/PAM. Starting from there, WebIDAMd is now available as a prototype for logging in to Linux machines using OAuth and OIDC.

While there are other approaches (sssd, Himmelblau, and others), WebIDAMd is designed to be the most flexible: it is not limited to Keycloak or Microsoft Entra, but can use any OIDC provider and any JSON-based API. Plus, it aims to integrate other software with this login, so we get single sign-on for desktop applications running in the user session as well. This means that we can now use Salsa as an account provider for a Debian machine!

In this talk, I want to demonstrate what WebIDAMd can already do, and what is still on the roadmap (and may be looking for contributors). While at it, we will cast a glance at the modern mechanisms systemd provides for managing and listing users, i.e. userdbd and homed.