Add LDAP support with LLDAP
This sets the stage for moving common authentication from IMAP/Dovecot to LDAP, which allows for more control over user information, as well as a basic form of RBAC. No services are currently set up to support LDAP -- support will follow soon after this commit.
parent
7cfa407ec9
commit
4294f1ec9c
|
@ -26,6 +26,7 @@ ignition:
|
|||
- local: service/prometheus/spec.ign
|
||||
- local: service/grafana/spec.ign
|
||||
- local: service/gitea/spec.ign
|
||||
- local: service/lldap/spec.ign
|
||||
|
||||
passwd:
|
||||
users:
|
||||
|
@ -136,6 +137,14 @@ systemd:
|
|||
[Service]
|
||||
Environment=UPSTREAM_HOST=gitea UPSTREAM_PORT=8080
|
||||
|
||||
- name: nginx-proxy-http@lldap.localhost.service
|
||||
enabled: true
|
||||
dropins:
|
||||
- name: lldap-upstream.conf
|
||||
contents: |
|
||||
[Service]
|
||||
Environment=UPSTREAM_HOST=lldap UPSTREAM_PORT=8080
|
||||
|
||||
- name: letsencrypt-dns-register@localhost.service
|
||||
enabled: true
|
||||
dropins:
|
||||
|
|
|
@ -57,3 +57,10 @@ GITEA_SECRET_KEY=password
|
|||
GITEA_DISABLE_REGISTRATION=true
|
||||
GITEA_REQUIRE_SIGNIN_VIEW=false
|
||||
GITEA_MAILER_FROM=noreply@gitea.localhost
|
||||
|
||||
# Configuration for LLDAP.
|
||||
LLDAP_HOST=lldap.localhost
|
||||
LLDAP_JWT_SECRET=password
|
||||
LLDAP_ADMIN_EMAIL=admin@localhost
|
||||
LLDAP_ADMIN_USERNAME=admin
|
||||
LLDAP_ADMIN_PASSWORD=password
|
||||
|
|
|
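Review bot: `LLDAP_JWT_SECRET=password` and `LLDAP_ADMIN_PASSWORD=password` are placeholder values for the two credentials that protect every account in the directory, and the surrounding file gives no hint that they must be replaced (the Gitea entries above follow the same pattern, so this may be the project's sample-env convention). The JWT secret in particular should be a long random value rather than a word, since anyone who knows it can mint sessions for the admin UI. A comment such as `# Replace before first start: the JWT secret signs web sessions; the admin password is only applied when the admin user is first created.` would make both the risk and the first-run-only behaviour visible where the values are set.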
@ -0,0 +1,36 @@
|
|||
FROM docker.io/rust:1.63 AS builder
|
||||
ARG VERSION=8b01271e94671df88c68abbc69efb9bcec117498
|
||||
|
||||
RUN apt-get update -y && apt-get install -y --no-install-recommends \
|
||||
git npm wget
|
||||
|
||||
RUN cargo install wasm-pack && rustup target add wasm32-unknown-unknown
|
||||
RUN npm install -g rollup
|
||||
|
||||
RUN git clone https://github.com/nitnelave/lldap.git /lldap && \
|
||||
cd /lldap && git reset --hard ${VERSION} && \
|
||||
cargo build --release -p lldap -p migration-tool && app/build.sh
|
||||
|
||||
RUN cd /lldap/app/static && \
|
||||
for file in $(cat libraries.txt); do wget "$file"; done && \
|
||||
for file in $(cat fonts/fonts.txt); do wget -P fonts "$file"; done
|
||||
|
||||
FROM docker.io/debian:bullseye-slim
|
||||
|
||||
RUN apt-get update -y && apt-get install -y --no-install-recommends \
|
||||
gettext gosu
|
||||
|
||||
RUN addgroup --system --gid 10000 lldap
|
||||
RUN adduser --system --uid 10000 --ingroup lldap --home /var/lib/lldap lldap
|
||||
RUN mkdir -p /opt/lldap/app
|
||||
|
||||
COPY --from=builder /lldap/app/index_local.html /opt/lldap/app/index.html
|
||||
COPY --from=builder /lldap/app/static /opt/lldap/app/static
|
||||
COPY --from=builder /lldap/app/pkg /opt/lldap/app/pkg
|
||||
COPY --from=builder /lldap/target/release/lldap /lldap/target/release/migration-tool /opt/lldap
|
||||
|
||||
COPY container/config /etc/lldap
|
||||
COPY container/run-lldap /run-lldap
|
||||
|
||||
EXPOSE 3890 8080
|
||||
ENTRYPOINT ["/run-lldap"]
|
|
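Review bot: The `wget "$file"` loops at the end of the builder stage fetch the web UI's JavaScript libraries and fonts from whatever URLs `libraries.txt` and `fonts/fonts.txt` list, with no checksum or pinned content, so the frontend the image serves depends on those hosts staying unchanged even though the lldap source itself is pinned to a commit via `VERSION`. The same applies to `cargo install wasm-pack` and `npm install -g rollup`, which pull the latest release of each tool at every build. Pinning the tool versions (e.g. `cargo install wasm-pack --version <pinned-version>`) and verifying the downloaded assets against a checksum list committed next to the Dockerfile would make the build reproducible and detect a tampered download. Separately, neither stage removes `/var/lib/apt/lists/*` after `apt-get update`, which is the usual cleanup at the end of each `RUN`.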
@ -0,0 +1,60 @@
|
|||
## The port on which to have the LDAP server.
|
||||
ldap_port = 3890
|
||||
|
||||
## The port on which to have the HTTP server, for user login and administration.
|
||||
http_port = 8080
|
||||
|
||||
## The public URL of the server, for password reset links.
|
||||
http_url = "https://${LLDAP_HOST}"
|
||||
|
||||
## Random secret for JWT signature.
|
||||
jwt_secret = "${LLDAP_JWT_SECRET}"
|
||||
|
||||
## Base DN for LDAP.
|
||||
## This is usually your domain name, and is used as a namespace for your users. The choice is
|
||||
## arbitrary, but will be needed to configure the LDAP integration with other services. The sample
|
||||
## value is for "example.com", but you can extend it with as many "dc" as you want, and you don't
|
||||
## actually need to own the domain name.
|
||||
ldap_base_dn = "dc=ldap,dc=local"
|
||||
|
||||
## Admin email.
|
||||
## Email for the admin account. It is only used when initially creating the admin user, and can
|
||||
## safely be omitted.
|
||||
ldap_user_email = "${LLDAP_ADMIN_EMAIL}"
|
||||
|
||||
## Admin username.
|
||||
## For the LDAP interface, a value of "admin" here will create the LDAP user
|
||||
## "cn=admin,ou=people,dc=example,dc=com" (with the base DN above). For the administration
|
||||
## interface, this is the username.
|
||||
ldap_user_dn = "${LLDAP_ADMIN_USERNAME}"
|
||||
|
||||
## Admin password.
|
||||
## Password for the admin account, both for the LDAP bind and for the
|
||||
## administration interface. It is only used when initially creating
|
||||
## the admin user.
|
||||
## It should be minimum 8 characters long.
|
||||
ldap_user_pass = "${LLDAP_ADMIN_PASSWORD}"
|
||||
|
||||
## Database URL.
|
||||
## This encodes the type of database (SQlite, MySQL and so on), the path, the user, password, and
|
||||
## sometimes the mode (when relevant).
|
||||
## Note: Currently, only SQlite is supported. SQlite should come with "?mode=rwc" to create the DB
|
||||
## if not present.
|
||||
##
|
||||
## Example URLs:
|
||||
## - "postgres://postgres-user:password@postgres-server/my-database"
|
||||
## - "mysql://mysql-user:password@mysql-server/my-database"
|
||||
database_url = "sqlite:///var/lib/lldap/lldap.db?mode=rwc"
|
||||
|
||||
## Private key file.
|
||||
## Contains the secret private key used to store the passwords safely. Note that even with a
|
||||
## database dump and the private key, an attacker would still have to perform an (expensive) brute
|
||||
## force attack to find each password.
|
||||
## Randomly generated on first run if it doesn't exist.
|
||||
key_file = "/var/lib/lldap/private.key"
|
||||
|
||||
## Options to configure SMTP parameters, to send password reset emails. To set these options from
|
||||
## environment variables, use the following format
|
||||
[smtp_options]
|
||||
## Whether to enabled password reset via email, from LLDAP.
|
||||
enable_password_reset=false
|
|
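Review bot: `jwt_secret = "${LLDAP_JWT_SECRET}"` and `ldap_user_pass = "${LLDAP_ADMIN_PASSWORD}"` are substituted by envsubst into TOML basic strings with no escaping, so a secret containing `"` or `\` produces a broken or silently altered configuration file. Either the template should use TOML literal strings (`'...'`, which only forbid `'`) or the run script (outside this hunk) should reject those characters; lldap also appears to read `LLDAP_`-prefixed environment variables directly, as the comment above `[smtp_options]` alludes to, which would avoid writing the secrets to a file at all. The base-DN and admin-username comments still describe the upstream sample (`example.com`, `cn=admin,ou=people,dc=example,dc=com`) while the actual value is `dc=ldap,dc=local`; adjusting them to the real DN avoids confusing whoever configures the first LDAP client.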
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
# Create configuration file from collected templates.
|
||||
envsubst < /etc/lldap/config.toml.template > /etc/lldap/config.toml
|
||||
|
||||
# Create data directories and correct permissions for data files.
|
||||
install --owner lldap --group lldap --mode 700 --directory /var/lib/lldap
|
||||
chown -R lldap:lldap /etc/lldap /var/lib/lldap
|
||||
|
||||
# Run entrypoint under specific user.
|
||||
cd /opt/lldap && gosu lldap /opt/lldap/lldap run --config-file /etc/lldap/config.toml "$@"
|
|
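Review bot: `envsubst < ... > /etc/lldap/config.toml` creates the rendered config, which holds the JWT secret and admin password, with the shell's default umask (typically giving mode 0644), and the later `chown -R` changes ownership but not mode. Adding `umask 077` before the redirect, or `chmod 600 /etc/lldap/config.toml` after it, keeps the file readable only by its owner. The recursive `chown` also hands the template and all of `/etc/lldap` to the service user, so the running process could rewrite its own configuration; chowning only `config.toml` and leaving the rest root-owned would be tighter.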
@ -0,0 +1,8 @@
|
|||
# Application settings.
|
||||
LLDAP_HOST=${LLDAP_HOST}
|
||||
LLDAP_JWT_SECRET=${LLDAP_JWT_SECRET}
|
||||
|
||||
# Admin user settings.
|
||||
LLDAP_ADMIN_EMAIL=${LLDAP_ADMIN_EMAIL}
|
||||
LLDAP_ADMIN_USERNAME=${LLDAP_ADMIN_USERNAME}
|
||||
LLDAP_ADMIN_PASSWORD=${LLDAP_ADMIN_PASSWORD}
|
|
@ -0,0 +1,12 @@
|
|||
variant: fcos
|
||||
version: 1.3.0
|
||||
storage:
|
||||
trees:
|
||||
- path: /etc/coreos-home-server/lldap
|
||||
local: service/lldap/
|
||||
- path: /etc/systemd/system
|
||||
local: service/lldap/systemd/
|
||||
systemd:
|
||||
units:
|
||||
- name: lldap.service
|
||||
enabled: true
|
|
@ -0,0 +1,20 @@
|
|||
[Unit]
|
||||
Description=LLDAP Light LDAP server
|
||||
Wants=container-build@%N.service container-volume@%N.service
|
||||
After=container-build@%N.service container-volume@%N.service
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
NotifyAccess=all
|
||||
SyslogIdentifier=%N
|
||||
Restart=on-failure
|
||||
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||
ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
|
||||
--env-file %E/coreos-home-server/%N/%N.env \
|
||||
--volume %N:/var/lib/%N:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --ignore --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --ignore --force %N
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
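Review bot: The `podman run` line publishes no ports and attaches to `--net internal`, which is what keeps the unencrypted LDAP port 3890 (the config template sets no TLS options for it) off any external interface, but nothing in the unit records that this is a security requirement rather than a convenience. A comment such as `# LDAP on 3890 is unencrypted: keep this container on the internal network only and never publish the port` above `ExecStart` would protect the intent from a future edit. The container also starts as root so the entrypoint can fix volume ownership before `gosu` drops privileges; `--cap-drop=all` with only the capabilities that entrypoint needs added back (chown, fowner, setuid/setgid) would limit what a compromise of the web UI could do while still allowing the setup steps.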