From 7d9c1b1eecb152ff1b6ef1a912db3bdbdadcbf55 Mon Sep 17 00:00:00 2001
From: Valentin Tolmer
Date: Tue, 19 Oct 2021 00:20:50 +0900
Subject: [PATCH] readme: Add more information about the configuration of LDAP clients
---
 README.md | 124 +++++++++++++++++--------
 server/src/infra/ldap_handler.rs | 4 +-
 2 files changed, 72 insertions(+), 56 deletions(-)
diff --git a/README.md b/README.md
index d13b66a..bed6462 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,76 @@ It mostly targets self-hosting servers, with open-source components like Nextcloud, Airsonic and so on that only support LDAP as a source of external authentication.
+## Setup
+
+### With Docker
+
+The image is available at `nitnelave/lldap`. You should persist the `/data`
+folder, which contains your configuration, the database and the private key
+file (unless you move them in the config).
+
+Configure the server by copying the `lldap_config.docker_template.toml` to
+`/data/lldap_config.toml` and updating the configuration values (especially the
+`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).
+
+Example for docker compose:
+
+```yaml
+volumes:
+ lldap_data:
+ driver: local
+
+services:
+ lldap:
+ image: nitnelave/lldap
+ ports:
+ # For LDAP
+ - "3890:3890"
+ # For the web front-end
+ - "17170:17170"
+ volumes:
+ - "lldap_data:/data"
+ environment:
+ - JWT_SECRET=REPLACE_WITH_RANDOM
+ - LDAP_USER_PASS=REPLACE_WITH_PASSWORD
+ - LDAP_BASE_DN=dc=example,dc=com
+```
+
+Then the service will listen on two ports, one for LDAP and one for the web
+front-end.
+
+To configure the services that will talk to LLDAP, here are the values:
+ - The LDAP user DN is from the configuration. By default,
+ `cn=admin,dc=example,dc=com`.
+ - The LDAP password is from the configuration (same as to log in to the web
+ UI).
+ - The users are all located in `ou=people,` + the base DN, so by default user
+ `bob` is at `cn=bob,ou=people,dc=example,dc=com`.
+ - Similarly, the groups are located in `ou=groups`, so the group `family`
+ will be at `cn=family,ou=groups,dc=example,dc=com`.
+
+Testing group membership through `membeOf` is supported, so you can have a
+filter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`.
+
+The administrator group for LLDAP is `lldap_admin`: anyone in this group has
+admin rights in the Web UI.
+
+### From source
+
+To bring up the server, you'll need to compile the frontend. In addition to
+cargo, you'll need:
+
+* WASM-pack: `cargo install wasm-pack`
+* rollup.js: `npm install rollup`
+
+Then you can build the frontend files with `./app/build.sh` (you'll need to run
+this after every front-end change to update the WASM package served).
+
+To bring up the server, just run `cargo run`. The default config is in
+`src/infra/configuration.rs`, but you can override it by creating an
+`lldap_config.toml`, setting environment variables or passing arguments to
+`cargo run`.
+
 ## Architecture
 The server is entirely written in Rust, using [actix](https://actix.rs) for the
@@ -120,57 +190,3 @@ running `./export_schema.sh`. Join our [Discord server](https://discord.gg/h5PEdRMNyP) if you have any questions!
-
-### Setup
-
-#### With Docker
-
-The image is available at `nitnelave/lldap`. You should persist the `/data`
-folder, which contains your configuration, the database and the private key
-file (unless you move them in the config).
-
-Configure the server by copying the `lldap_config.docker_template.toml` to
-`/data/lldap_config.toml` and updating the configuration values (especially the
-`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).
-
-Example for docker compose:
-
-```yaml
-volumes:
- lldap_data:
- driver: local
-
-services:
- lldap:
- image: nitnelave/lldap
- ports:
- # For LDAP
- - "3890:3890"
- # For the web front-end
- - "17170:17170"
- volumes:
- - "lldap_data:/data"
- environment:
- - JWT_SECRET=REPLACE_WITH_RANDOM
- - LDAP_USER_PASS=REPLACE_WITH_PASSWORD
- - LDAP_BASE_DN=dc=example,dc=com
-```
-
-Then the service will listen on two ports, one for LDAP and one for the web
-front-end.
-
-#### From source
-
-To bring up the server, you'll need to compile the frontend. In addition to
-cargo, you'll need:
-
-* WASM-pack: `cargo install wasm-pack`
-* rollup.js: `npm install rollup`
-
-Then you can build the frontend files with `./app/build.sh` (you'll need to run
-this after every front-end change to update the WASM package served).
-
-To bring up the server, just run `cargo run`. The default config is in
-`src/infra/configuration.rs`, but you can override it by creating an
-`lldap_config.toml`, setting environment variables or passing arguments to
-`cargo run`.
diff --git a/server/src/infra/ldap_handler.rs b/server/src/infra/ldap_handler.rs
index 1e44b3f..f2cbe62 100644
--- a/server/src/infra/ldap_handler.rs
+++ b/server/src/infra/ldap_handler.rs
@@ -41,14 +41,14 @@ fn get_group_id_from_distinguished_name(
 if parts.len() == base_tree.len() + 2 {
 if parts[1].0 != "ou" || parts[1].1 != "groups" || parts[0].0 != "cn" {
 bail!(
- r#"Unexpected user DN format. Expected: "cn=groupname,ou=groups,{}""#,
+ r#"Unexpected group DN format. Expected: "cn=groupname,ou=groups,{}""#,
 base_dn_str
 );
 }
 Ok(parts[0].1.to_string())
 } else {
 bail!(
- r#"Unexpected user DN format. Expected: "cn=groupname,ou=groups,{}""#,
+ r#"Unexpected group DN format. Expected: "cn=groupname,ou=groups,{}""#,
 base_dn_str
 );
 }
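Review bot: Both `bail!` sites in this hunk raise the identical message, which is exactly why the commit had to patch the same string twice; folding the `parts.len() == base_tree.len() + 2` test into the attribute check leaves a single message to maintain. The comparisons `parts[1].0 != "ou"`, `parts[1].1 != "groups"` and `parts[0].0 != "cn"` are byte-exact, while DN attribute types are case-insensitive under RFC 4514, so a client configured with `CN=family,OU=groups,...` would be rejected with this error unless the parsing done before line 41 already lowercases the components — that part of `get_group_id_from_distinguished_name` is outside the hunk, so confirm before changing. Rejecting such DNs is the safe failure mode, so this is an interoperability issue rather than an authorization one; if no upstream normalization exists, `eq_ignore_ascii_case` on the attribute types is the minimal fix, as sketched below.
```rust
    // … unchanged: lines before the length check …
    if parts.len() != base_tree.len() + 2
        || !parts[1].0.eq_ignore_ascii_case("ou")
        || !parts[1].1.eq_ignore_ascii_case("groups")
        || !parts[0].0.eq_ignore_ascii_case("cn")
    {
        bail!(
            r#"Unexpected group DN format. Expected: "cn=groupname,ou=groups,{}""#,
            base_dn_str
        );
    }
    Ok(parts[0].1.to_string())
```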