diff --git a/README.md b/README.md
index 2e586b8..bdd3c93 100644
--- a/README.md
+++ b/README.md
@@ -1,41 +1,53 @@ # Openmediavault LDAP -This plugin connects OMV5 to an OPEN-LDAP Server for centralized user management +This plugin connects OMV6 to an OPEN-LDAP Server for centralized user management and authentification. It adapts the official LDAP plugin [1] for OMV4 to use it -with OMV5. -Basically there aren't any fundamental changes up to 5.3.9-r1 tag. You can use LDAP +with OMV6 or OMV5. +Basically there aren't any fundamental changes up to 6.3.5-2 tag. You can use LDAP for system wide User- and Groupmanagement. Additionally you can activate PAM auth with *libpam-ldapd* module. The name switch service is done with *libnss-ldapd*. For caching actually the NSCD service is used, maybe we should change from NSLCD to SSSD in future. A good explanation of the pam auth and nss process will give you the reference [4]. +The security is enforced at StartTLS or SSL. This repo is under development. Checkout the tags in the master branch for stable and tested releases. If you encounter some problems make a new issue or write an email to *devel[at]nareo.de*. -Be aware: This code was tested in a clean environment with fresh installed OMV5 setup. +Be aware: This code was tested in a clean environment with fresh installed OMV6 setup. I am not responsible for loss of your data! Please make always a full backup of your OMV machine before installing this plugin! +## Install dependencies + +sudo apt install build-essential git curl debhelper libnss-ldap libpam-ldap smbldap-tools + +## Get code + +cd /usr/local/src + +git clone + + ## Build DEBIAN package Create DEB package with `dpkg-buildpackage -uc -us` inside the source directory. The \*.deb file will be placed in the parent directory. -## Install Plugin into Openmediavault 5 +## Install Plugin into Openmediavault 6 -Upload the generated \*.deb file to OMV5 plugins and install it. Once it is +Upload the generated \*.deb file to OMV6 plugins and install it. 
Once it is installed, you have an additional menu item for LDAP Server settings. ## Testing Environment and Help The directory *.test* contains some basic config files for test environment -with OMV5. I need someone to test with other LDAP services. +with OMV6. I need someone to test with other LDAP services. Environment: -* Openmediavault 5.5.9-1 (Usul) with running SAMBA service +* Openmediavault 6.3.5-2 (Shaitan,) with running SAMBA service * OpenLDAP 2.4.47 server (setup with `smbldap-populate`) -* all smbldap-tools 0.9.9-1 installed on OMV5 +* all smbldap-tools 0.9.9-1 installed on OMV6 If you get in trouble, try: * update system with `apt-get update` and `apt-upgrade` @@ -49,4 +61,4 @@ If you get in trouble, try: * [2] https://wiki.debian.org/LDAP/PAM * [3] https://linux-club.de/wiki/opensuse/Samba_und_OpenLDAP * [4] https://www.debuntu.org/how-to-set-up-a-ldap-server-and-its-clients-page-2/ -* [5] https://deepdoc.at/dokuwiki/doku.php?id=server_und_serverdienste:openldap_mit_samba_als_pdc_neues_backend \ No newline at end of file +* [5] https://deepdoc.at/dokuwiki/doku.php?id=server_und_serverdienste:openldap_mit_samba_als_pdc_neues_backend diff --git a/srv/salt/omv/deploy/ldap/files/etc-ldap-pam_conf.j2 b/srv/salt/omv/deploy/ldap/files/etc-ldap-pam_conf.j2 index 3bd0776..fe7f1a0 100644 --- a/srv/salt/omv/deploy/ldap/files/etc-ldap-pam_conf.j2 +++ b/srv/salt/omv/deploy/ldap/files/etc-ldap-pam_conf.j2 @@ -4,6 +4,6 @@ uri ldap{% if config.enablessl | to_bool %}'s'{% endif %}://{{ config.host }}{% ldap_version {{ ldap_version }} binddn {{ config.rootbinddn }} {%- if config.rootbindpw | length > 0 %} -bindpw rootbindpw +bindpw {{ config.rootbinddn }} {%- endif %} pam_password crypt diff --git a/srv/salt/omv/deploy/samba/files/global-ldap.j2 b/srv/salt/omv/deploy/samba/files/global-ldap.j2 index fbc1e33..5ef8ba7 100644 --- a/srv/salt/omv/deploy/samba/files/global-ldap.j2 +++ b/srv/salt/omv/deploy/samba/files/global-ldap.j2 
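Review bot: `bindpw {{ config.rootbinddn }}` writes the bind DN into the password slot, so the replacement for the old literal placeholder still never carries the real secret; the line should read `bindpw {{ config.rootbindpw }}`, which is also the value the surrounding `{%- if config.rootbindpw | length > 0 %}` guard already keys on. The unchanged `uri` context line still quotes the scheme suffix as `'s'`, which renders `ldap's'://host` whenever `enablessl` is set (the samba template in this same commit drops those quotes), so the SSL option cannot yield a valid ldaps URI here; it needs `uri ldap{% if config.enablessl | to_bool %}s{% endif %}://{{ config.host }}…`. Because the rendered file now holds a cleartext bind password, the Salt state that writes it should install it with mode 0600 — that state is outside this hunk, so I cannot confirm it does. The README in this commit says security is enforced at StartTLS or SSL, but this six-line window shows no `ssl start_tls` or `tls_checkpeer`/`tls_cacertfile` directive; the rest of the template is outside the hunk, so it is worth checking they are present.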
@@ -1,14 +1,16 @@ {%- set smb_security = salt['pillar.get']('default:OMV_SAMBA_SECURITY', 'user') -%} -{%- set smb_ldap_ssl = salt['pillar.get']('default:OMV_SAMBA_LDAP_SSL', 'off') -%} +{%- set smb_ldap_ssl = salt['pillar.get']('default:OMV_SAMBA_LDAP_SSL', 'start tls') -%} {%- set smb_ldap_pwdsync = salt['pillar.get']('default:OMV_SAMBA_LDAP_PASSWDSYNC', 'yes') -%} {%- set smb_ldap_sam_trusted = salt['pillar.get']('default:OMV_SAMBA_LDAP_LDAPSAMTRUSTED', 'no') -%} #======================= LDAP Settings ======================= security = {{ smb_security }} -passdb backend = ldapsam:ldap{% if config.enablessl | to_bool %}'s'{% endif %}://{{ config.host }}{% if config.port | string | length > 0 %}:{{ config.port }}{% endif %} +passdb backend = ldapsam:ldap{% if config.enablessl | to_bool %}s{% endif %}://{{ config.host }}{% if config.port | string | length > 0 %}:{{ config.port }}{% endif %} ldap suffix = {{ config.base }} ldap admin dn = {{ config.rootbinddn }} -ldap user suffix = {{ config.usersuffix }} -ldap group suffix = {{ config.groupsuffix }} +{% if config.usersuffix | string | length > 0 %}ldap user suffix = {{ config.usersuffix }} +{% if config.groupsuffix | string | length > 0 %}ldap group suffix = {{ config.groupsuffix }} +{% if config.machinesuffix | string | length > 0 %}ldap machine suffix = {{ config.machinesuffix }} +{% if config.idmapsuffix | string | length > 0 %}ldap idmap suffix = {{ config.idmapsuffix }}{% endif %} ldap ssl = {{ smb_ldap_ssl }} ldap passwd sync = {{ smb_ldap_pwdsync }} ldapsam:trusted = {{ smb_ldap_sam_trusted }} diff --git a/usr/share/openmediavault/confdb/create.d/conf.service.ldap.sh b/usr/share/openmediavault/confdb/create.d/conf.service.ldap.sh index f6ddd06..5f0a46b 100755 --- a/usr/share/openmediavault/confdb/create.d/conf.service.ldap.sh +++ b/usr/share/openmediavault/confdb/create.d/conf.service.ldap.sh @@ -28,7 +28,7 @@ set -e # # # -# 0 +# 1 # # 389 # 0 @@ -37,6 +37,8 @@ set -e # # # +# +# # 0|1 # # 
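Review bot: The four new `{% if config.…suffix | string | length > 0 %}` guards for the user, group, machine and idmap suffixes are closed by a single `{% endif %}` at the end of the idmap line, which Jinja rejects as an unclosed block, so the whole LDAP section of smb.conf fails to render — and with it the `ldap ssl = start tls` default this hunk introduces. Each line needs its own terminator, as below; a `{%- … -%}` form would additionally swallow the blank line left behind when a suffix is empty. Dropping the stray quotes around `s` in `passdb backend` is correct, but the sibling `etc-ldap-pam_conf.j2` in this commit still has them. Switching `OMV_SAMBA_LDAP_SSL` to `start tls` is a sound default for `ldap://` URIs; whether the server certificate is actually verified depends on the libldap client settings (`TLS_CACERT`/`TLS_REQCERT`) that live outside this diff, so that should be confirmed in the deployed `ldap.conf`.
```jinja
{% if config.usersuffix | string | length > 0 %}ldap user suffix = {{ config.usersuffix }}{% endif %}
{% if config.groupsuffix | string | length > 0 %}ldap group suffix = {{ config.groupsuffix }}{% endif %}
{% if config.machinesuffix | string | length > 0 %}ldap machine suffix = {{ config.machinesuffix }}{% endif %}
{% if config.idmapsuffix | string | length > 0 %}ldap idmap suffix = {{ config.idmapsuffix }}{% endif %}
```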
@@ -46,7 +48,7 @@ set -e ######################################################################## if ! omv_config_exists "/config/services/ldap"; then omv_config_add_node "/config/services" "ldap" - omv_config_add_key "/config/services/ldap" "enable" "0" + omv_config_add_key "/config/services/ldap" "enable" "1" omv_config_add_key "/config/services/ldap" "host" "" omv_config_add_key "/config/services/ldap" "port" "389" omv_config_add_key "/config/services/ldap" "enablessl" "0" @@ -55,6 +57,8 @@ if ! omv_config_exists "/config/services/ldap"; then omv_config_add_key "/config/services/ldap" "rootbindpw" "" omv_config_add_key "/config/services/ldap" "usersuffix" "ou=Users" omv_config_add_key "/config/services/ldap" "groupsuffix" "ou=Groups" + omv_config_add_key "/config/services/ldap" "machinesuffix" "ou=Computers" + omv_config_add_key "/config/services/ldap" "idmapsuffix" "ou=idmap" omv_config_add_key "/config/services/ldap" "enablepam" "1" omv_config_add_key "/config/services/ldap" "extraoptions" "" omv_config_add_key "/config/services/ldap" "extraclientoptions" "" diff --git a/usr/share/openmediavault/datamodels/conf.service.ldap.json b/usr/share/openmediavault/datamodels/conf.service.ldap.json index 1c9b980..c907d4b 100644 --- a/usr/share/openmediavault/datamodels/conf.service.ldap.json +++ b/usr/share/openmediavault/datamodels/conf.service.ldap.json @@ -9,7 +9,7 @@ "properties": { "enable": { "type": "boolean", - "default": false + "default": true }, "host": { "type": "string" @@ -41,6 +41,14 @@ "type": "string", "default": "ou=Groups" }, + "machinesuffix": { + "type": "string", + "default": "ou=Computers" + }, + "idmapsuffix": { + "type": "string", + "default": "ou=idmap" + }, "enablepam": { "type": "boolean", "default": true diff --git a/usr/share/openmediavault/datamodels/rpc.ldap.json b/usr/share/openmediavault/datamodels/rpc.ldap.json index 0746f42..67d6315 100644 --- a/usr/share/openmediavault/datamodels/rpc.ldap.json 
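Review bot: Seeding `enable` as `"1"` (mirrored by `"default": true` in `conf.service.ldap.json`) turns the LDAP client on at first install while `host` is still `""` and `enablepam` is already `"1"`, so the very first deploy can wire NSS/PAM to an unreachable directory before the admin has entered anything, and an unreachable LDAP backend in the NSS/PAM stack is a known way to stall local logins and sudo. Keep the seed `omv_config_add_key "/config/services/ldap" "enable" "0"` and let the administrator opt in once host, bind DN and TLS settings are filled; the datamodel default should stay `false` for the same reason. The new `machinesuffix`/`idmapsuffix` keys are fine, but they only take effect if the UI sends the same property names — the workbench and ExtJS forms in this commit spell them differently.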
+++ b/usr/share/openmediavault/datamodels/rpc.ldap.json @@ -36,11 +36,19 @@ }, "usersuffix": { "type": "string", - "required": true + "required": false }, "groupsuffix": { "type": "string", - "required": true + "required": false + }, + "machinesuffix": { + "type": "string", + "required": false + }, + "idmapsuffix": { + "type": "string", + "required": false }, "enablepam": { "type": "boolean", diff --git a/usr/share/openmediavault/locale/it_IT/openmediavault-ldap.po b/usr/share/openmediavault/locale/it_IT/openmediavault-ldap.po index 67cf214..83515fe 100644 --- a/usr/share/openmediavault/locale/it_IT/openmediavault-ldap.po +++ b/usr/share/openmediavault/locale/it_IT/openmediavault-ldap.po @@ -49,6 +49,12 @@ msgstr "Impostazioni generali" msgid "Groups suffix" msgstr "Suffisso dei gruppi" +msgid "Machine suffix" +msgstr "Suffisso delle Machines" + +msgid "IdMap suffix" +msgstr "Suffisso dei IdMap" + msgid "Host" msgstr "Host" diff --git a/usr/share/openmediavault/locale/openmediavault-ldap.pot b/usr/share/openmediavault/locale/openmediavault-ldap.pot index 6f0cec2..6f7a3f6 100644 --- a/usr/share/openmediavault/locale/openmediavault-ldap.pot +++ b/usr/share/openmediavault/locale/openmediavault-ldap.pot @@ -47,6 +47,12 @@ msgstr "" msgid "Groups suffix" msgstr "" +msgid "Machine suffix" +msgstr "" + +msgid "IdMap suffix" +msgstr "" + msgid "Host" msgstr "" diff --git a/usr/share/openmediavault/workbench/component.d/omv-services-ldap-settings.yaml b/usr/share/openmediavault/workbench/component.d/omv-services-ldap-settings.yaml new file mode 100644 index 0000000..7dc2af4 --- /dev/null +++ b/usr/share/openmediavault/workbench/component.d/omv-services-ldap-settings.yaml 
@@ -0,0 +1,96 @@
+version: "1.0"
+type: component
+data:
+ name: omv-services-ldap-settings
+ type: formPage
+ config:
+ request:
+ service: LDAP
+ get:
+ method: getSettings
+ post:
+ method: setSettings
+ fields:
+ - type: checkbox
+ name: enable
+ label: _("Enabled")
+ value: true
+ - type: numberInput
+ name: port
+ label: _("Port")
+ value: 389
+ validators:
+ required: true
+ min: 1
+ max: 65535
+ patternType: port
+ - type: textInput
+ name: host
+ label: _("Host")
+ hint: _("The FQDN or IP address of the server.")
+ value: 'ldap.example.net'
+ validators:
+ required: true
+ - type: checkbox
+ name: enablessl
+ label: _("Enable explicit SSL instead of StartTLS")
+ hint: _("Enable SSL secure connection.")
+ value: false
+ - type: textInput
+ name: base
+ label: _("Base DN")
+ hint: _("Specifies the base distinguished name (DN) to use as search base, e.g. 'dc=example,dc=net'.")
+ value: "dc=example,dc=net"
+ - type: textInput
+ name: rootbinddn
+ label: _("Root Bind DN")
+ hint: _("Specifies the distinguished name (DN) with which to bind to the directory server for lookups, e.g. 'cn=manager,dc=example,dc=net'.")
+ value: "cn=manager,dc=example,dc=net"
+ - type: passwordInput
+ name: rootbindpw
+ label: _("Password")
+ hint: _("Specifies the credentials with which to bind.")
+ value: ""
+ modifiers:
+ - type: hidden
+ - type: textInput
+ name: usersuffix
+ label: _("Users suffix")
+ hint: _("Specifies the user suffix, e.g. 'ou=Users'.")
+ value: "ou=Users"
+ - type: textInput
+ name: groupsuffix
+ label: _("Groups suffix")
+ hint: _("Specifies the group suffix, e.g. 'ou=Groups'.")
+ value: "ou=Groups"
+ - type: textInput
+ name: machineuffix
+ label: _("Machines suffix")
+ hint: _("Specifies the machines suffix, e.g. 'ou=Computers'.")
+ value: "ou=Computers"
+ - type: textInput
+ name: idmapsuffix
+ label: _("IdMap suffix")
+ hint: _("Specifies the idmap suffix, e.g. 
'ou=idmap'.")
+ value: "ou=idmap"
+ - type: checkbox
+ name: enablepam
+ label: _("Enable PAM")
+ hint: _("Use LDAP for authentication system-wide along with other authentication sources.")
+ value: true
+ - type: textInput
+ name: extraoptions
+ label: _("Extra options LIBNSS-LDAP.CONF")
+ hint: _("Please check the manual page for more details.")
+ value: ''
+ - type: textInput
+ name: extraclientoptions
+ label: _("Extra client options LDAP.CONF")
+ hint: _("Please check the manual page for more details.")
+ value: ''
+ buttons:
+ - template: submit
+ - template: cancel
+ execute:
+ type: url
+ url: /services/ldap/settings
diff --git a/usr/share/openmediavault/workbench/navigation.d/services.ldap.yaml b/usr/share/openmediavault/workbench/navigation.d/services.ldap.yaml
new file mode 100644
index 0000000..449c3ad
--- /dev/null
+++ b/usr/share/openmediavault/workbench/navigation.d/services.ldap.yaml
@@ -0,0 +1,8 @@
+version: "1.0"
+type: navigation-item
+data:
+ path: "services.ldap"
+ text: _("LDAP Directory Service")
+ position: 5
+ icon: "mdi:mdi-account-card-details"
+ url: "/services/ldap"
diff --git a/usr/share/openmediavault/workbench/route.d/services.ldap.settings.yaml b/usr/share/openmediavault/workbench/route.d/services.ldap.settings.yaml
new file mode 100644
index 0000000..39d3b48
--- /dev/null
+++ b/usr/share/openmediavault/workbench/route.d/services.ldap.settings.yaml
@@ -0,0 +1,8 @@
+version: "1.0"
+type: route
+data:
+ url: "/services/ldap/settings"
+ title: _("Settings")
+ editing: true
+ notificationTitle: _('Updated LDAP settings.')
+ component: omv-services-ldap-settings
diff --git a/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Ldap.js b/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Ldap.js
index 24d447d..de7793b 100644
--- a/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Ldap.js
+++ b/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Ldap.js
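Review bot: The field `name: machineuffix` does not match the `machinesuffix` property declared in `conf.service.ldap.json` and `rpc.ldap.json` in this same commit, so whatever the admin types there is never stored and the RPC may reject the unknown key; it should be `name: machinesuffix`. The `rootbindpw` field carries `modifiers: - type: hidden` with no constraint, which as far as I can tell hides the password input unconditionally and leaves no way to set the bind password from this form — `passwordInput` already masks the value, so the modifier looks like it should be dropped. Defaulting `enable` to `value: true` next to the placeholder `value: 'ldap.example.net'` means saving the form unchanged deploys an enabled client pointed at a host the operator does not control; `enable` should default to `false` and `host` to `''` with `required: true` doing the work. `base` and `rootbinddn` have no `validators` block, so an empty DN passes straight into pam_ldap.conf and smb.conf.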
@@ -23,7 +23,7 @@ OMV.WorkspaceManager.registerNode({ id: "ldap", path: "/privilege", - text: _("Directory Service"), + text: _("LDAP Directory Service"), iconCls: "mdi mdi-account-card-details", position: 5 }); diff --git a/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Settings.js b/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Settings.js index 049bf2f..71d815a 100644 --- a/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Settings.js +++ b/var/www/openmediavault/js/omv/module/admin/privilege/ldap/Settings.js @@ -43,7 +43,7 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { xtype: "checkbox", name: "enable", fieldLabel: _("Enable"), - checked: false + checked: true },{ xtype: "textfield", name: "host", @@ -53,7 +53,8 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { plugins: [{ ptype: "fieldinfo", text: _("The FQDN or IP address of the server.") - }] + }], + value: 'ldap.example.net' },{ xtype: "numberfield", name: "port", @@ -65,15 +66,15 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { allowBlank: false, plugins: [{ ptype: "fieldinfo", - text: _("Specifies the port to connect to.") + text: _("Specifies the port to connect to. Default 389 StartTLS") }], value: 389 },{ xtype: "checkbox", name: "enablessl", - fieldLabel: _("Enable SSL/TLS"), + fieldLabel: _("Enable explicit SSL instead of StartTLS"), checked: false, - boxLabel: _("Enable secure connection.") + boxLabel: _("Enable SSL secure connection.") },{ xtype: "textfield", name: "base", @@ -82,7 +83,8 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { plugins: [{ ptype: "fieldinfo", text: _("Specifies the base distinguished name (DN) to use as search base, e.g. 'dc=example,dc=net'.") - }] + }], + value: 'dc=example,dc=net' },{ xtype: "textfield", name: "rootbinddn", 
@@ -100,12 +102,13 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { plugins: [{ ptype: "fieldinfo", text: _("Specifies the credentials with which to bind.") - }] + }], + value: 'cn=manager,dc=example,dc=net' },{ xtype: "textfield", name: "usersuffix", fieldLabel: _("Users suffix"), - allowBlank: false, + allowBlank: true, plugins: [{ ptype: "fieldinfo", text: _("Specifies the user suffix, e.g. 'ou=Users'."), @@ -115,12 +118,32 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { xtype: "textfield", name: "groupsuffix", fieldLabel: _("Groups suffix"), - allowBlank: false, + allowBlank: true, plugins: [{ ptype: "fieldinfo", text: _("Specifies the group suffix, e.g. 'ou=Groups'."), }], value: "ou=Groups" + },{ + xtype: "textfield", + name: "machinessuffix", + fieldLabel: _("Machine suffix"), + allowBlank: true, + plugins: [{ + ptype: "fieldinfo", + text: _("Specifies the machines (serveurs) suffix, e.g. 'ou=Computers'."), + }], + value: "ou=Computers" + },{ + xtype: "textfield", + name: "idmapsuffix", + fieldLabel: _("IdMap suffix"), + allowBlank: true, + plugins: [{ + ptype: "fieldinfo", + text: _("Specifies the idmap suffix, e.g. 'ou=idmap'."), + }], + value: "ou=idmap" },{ xtype: "checkbox", name: "enablepam", @@ -134,7 +157,7 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { allowBlank: true, plugins: [{ ptype: "fieldinfo", - text: _("Please check the manual page for more details.") + text: _("Please check the manual page for more details.") }] },{ xtype: "textarea", @@ -143,7 +166,7 @@ Ext.define("OMV.module.admin.privilege.ldap.Settings", { allowBlank: true, plugins: [{ ptype: "fieldinfo", - text: _("Please check the manual page for more details.") + text: _("Please check the manual page for more details. Ex: tls_cert *** tls_key *** tls_cacertfile ***") }] }] }];
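Review bot: The `value: 'cn=manager,dc=example,dc=net'` added in the `@@ -100` hunk sits directly under the fieldinfo text "Specifies the credentials with which to bind.", which is the hint used for the `rootbindpw` password field (the field's `name:` line is above the hunk, so this is inferred from context); if so, the default DN has landed in the password input rather than in `rootbinddn`, and it should move to that field while the password stays empty. `name: "machinessuffix"` does not match the `machinesuffix` property in the datamodels of this commit, so the value is silently dropped; the line should be `name: "machinesuffix",`. The new port hint "Default 389 StartTLS" promises behaviour this form does not enforce, so it should describe what the backend actually does or stay as it was. The extra-client-options example `tls_cert *** tls_key *** tls_cacertfile ***` would be more useful if it also showed the verification switch for whichever consumer reads the file (`tls_checkpeer yes` for pam_ldap, `TLS_REQCERT demand` for libldap's ldap.conf), since a CA file without a verification mode does not pin the server identity.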