Merge pull request #25 from NethServer/LDAP
Add LDAP authentication
Showing
14 changed files
with
334 additions
and
56 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -40,6 +40,13 @@ username = data.get("username","admin") | |
password = data.get("password","admin") | ||
email = data.get("email", "[email protected]") | ||
full_name = data.get("user_full_name","Administrator") | ||
ldap_domain = data.get("ldap_domain", "") | ||
# bind user to the domain | ||
if ldap_domain: | ||
agent.bind_user_domains([ldap_domain]) | ||
else: | ||
agent.bind_user_domains([]) | ||
|
||
|
||
# Talk with agent using file descriptor. | ||
# Setup configuration from user input. | ||
|
@@ -53,6 +60,9 @@ agent.set_env("DOKUWIKI_FULL_NAME", full_name) | |
agent.set_env("PHP_ENABLE_OPCACHE", "1") | ||
agent.set_env("PHP_MEMORY_LIMIT", "512M") | ||
|
||
# Setup LDAP domain | ||
agent.set_env("LDAP_DOMAIN", ldap_domain) | ||
|
||
# Make sure everything is saved inside the environment file | ||
# just before starting systemd unit | ||
agent.dump_env() |
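Review bot: `ldap_domain` comes straight from the request (`data.get("ldap_domain", "")`) and is stored unvalidated via `agent.set_env("LDAP_DOMAIN", ldap_domain)` in the second hunk, from where this PR interpolates it into a generated PHP file; unless `agent.bind_user_domains` already rejects names that are not known user domains, the value should be checked against them before it is persisted. The `if`/`else` around the bind call only differs by its argument and reads better as `agent.bind_user_domains([ldap_domain] if ldap_domain else [])`. The enclosing code starts before the first hunk and continues between the two hunks.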
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
#!/usr/bin/env python3 | ||
|
||
# | ||
# Copyright (C) 2024 Nethesis S.r.l. | ||
# SPDX-License-Identifier: GPL-3.0-or-later | ||
# | ||
|
||
# | ||
# Find settings for LDAP service | ||
# | ||
|
||
import os | ||
import agent | ||
from agent.ldapproxy import Ldapproxy | ||
|
||
udomname = os.environ.get('LDAP_DOMAIN','') | ||
|
||
try: | ||
odom = Ldapproxy().get_domain(udomname) | ||
'host' in odom # Throw exception if odom is None | ||
except: | ||
# During restore the domain could be unavailable. Use a fallback | ||
# configuration, pointing to nowhere, just to set the variables. | ||
# Once the domain becomes available, the event will fix them. | ||
odom = { | ||
'host': '127.0.0.1', | ||
'port': 20000, | ||
'schema': 'rfc2307', | ||
'location': 'internal', | ||
'base_dn': 'dc=dokuwiki,dc=invalid', | ||
'bind_dn': 'cn=example,dc=dokuwiki,dc=invalid', | ||
'bind_password': 'invalid', | ||
} | ||
|
||
tmpfile = "discover.env." + str(os.getpid()) | ||
|
||
with open(tmpfile, "w") as denv: | ||
print('LDAP_PORT=' + str(odom['port']), file=denv) | ||
print('LDAP_USER=' + odom['bind_dn'], file=denv) | ||
print('LDAP_HOST=' + odom['host'], file=denv) | ||
print('LDAP_PASS=' + odom['bind_password'], file=denv) | ||
print('LDAP_SCHEMA=' + odom['schema'], file=denv) | ||
print('LDAP_BASE=' + odom['base_dn'], file=denv) | ||
|
||
os.replace(tmpfile, "discovery_ldap.env") |
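Review bot: The temporary file receives the bind password on the `LDAP_PASS=` line but is created with `open(tmpfile, "w")`, i.e. with whatever the process umask allows, so the secret can be readable by other local users from creation onward and `os.replace` carries that mode over to `discovery_ldap.env`; create it with `with open(os.open(tmpfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "w") as denv:` so the mode is fixed atomically. The bare `except:` around the lookup also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception:` preserves the intended best-effort fallback. The `'host' in odom` probe is an expression statement whose only purpose is to raise on `None`, which would be clearer as `if odom is None: raise ValueError("domain not found")`.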
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# Copyright (C) 2024 Nethesis S.r.l. | ||
# SPDX-License-Identifier: GPL-3.0-or-later | ||
# | ||
|
||
# specific to dokuwiki, it creates its own configuration file after a long time boot | ||
|
||
count=0 | ||
while [[ $count -lt 60 ]]; do | ||
if podman exec -ti dokuwiki ls /bitnami/dokuwiki/conf/local.php.dist >/dev/null 2>&1; then | ||
echo "First Configuration done. We push custom configuration files." | ||
exit 0 | ||
fi | ||
((count++)) | ||
echo "Waiting for dokuwiki container to be ready..." | ||
sleep 1 | ||
done | ||
|
||
echo "Dokuwiki container is not ready after 60s. Exiting..." | ||
exit 1 |
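Review bot: `podman exec -ti` on the probe line requests a pseudo-terminal, which fails or warns when the script runs without one attached (as is likely under a unit's ExecStartPost), so the check may never succeed and the loop would always reach the 60s timeout; use `if podman exec dokuwiki test -f /bitnami/dokuwiki/conf/local.php.dist; then` instead, which also avoids spawning `ls` for a file-existence test. The 60-iteration limit is repeated in the final message; a single `timeout=60` variable used in both the `while` condition and the message keeps them in sync.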
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# Copyright (C) 2024 Nethesis S.r.l. | ||
# SPDX-License-Identifier: GPL-3.0-or-later | ||
# | ||
|
||
# Retrieving environment variables | ||
LDAP_DOMAIN=${LDAP_DOMAIN} | ||
LDAP_PORT=${LDAP_PORT} | ||
LDAP_USER=${LDAP_USER} | ||
LDAP_HOST=${LDAP_HOST} | ||
LDAP_PASS=${LDAP_PASS} | ||
LDAP_SCHEMA=${LDAP_SCHEMA} | ||
LDAP_BASE=${LDAP_BASE} | ||
|
||
mkdir -vp dokuwiki-config | ||
cat <<EOF > dokuwiki-config/local.protected.php | ||
<?php | ||
/** | ||
* this is file is generated by the dokuwki container automatically | ||
* do not edit it manually | ||
*/ | ||
EOF | ||
# Check the value of $LDAP_DOMAIN | ||
if [[ "$LDAP_DOMAIN" == "" ]]; then | ||
cat <<EOF >> dokuwiki-config/local.protected.php | ||
\$conf['authtype'] = 'authplain'; | ||
EOF | ||
|
||
elif [[ "$LDAP_DOMAIN" != "" ]]; then | ||
if [[ "$LDAP_SCHEMA" == "rfc2307" ]]; then | ||
cat <<EOF >> dokuwiki-config/local.protected.php | ||
\$conf['authtype'] = 'authldap'; | ||
\$conf['plugin'][\$conf['authtype']]['server'] = "ldap://accountprovider:${LDAP_PORT}"; | ||
\$conf['plugin'][\$conf['authtype']]['version'] = '3'; | ||
\$conf['plugin'][\$conf['authtype']]['usertree'] = "ou=People,${LDAP_BASE}"; | ||
\$conf['plugin'][\$conf['authtype']]['grouptree'] = "ou=Groups,${LDAP_BASE}"; | ||
\$conf['plugin'][\$conf['authtype']]['userfilter'] = '(|(uid=%{user})(mail=%{user}))'; | ||
\$conf['plugin']['authldap']['groupfilter'] = '(memberUid=%{uid})'; | ||
\$conf['plugin'][\$conf['authtype']]['groupkey'] = 'cn'; | ||
\$conf['plugin']['authldap']['binddn'] = "${LDAP_USER}"; | ||
\$conf['plugin']['authldap']['bindpw'] = "${LDAP_PASS}"; | ||
\$conf['plugin']['authldap']['starttls'] = 0; | ||
\$conf['plugin']['authldap']['modPass'] = 0; | ||
EOF | ||
elif [[ "$LDAP_SCHEMA" == "ad" ]]; then | ||
cat <<EOF >> dokuwiki-config/local.protected.php | ||
\$conf['authtype'] = 'authad'; | ||
\$conf['plugin']['authad']['account_suffix'] = '@${LDAP_DOMAIN}'; | ||
\$conf['plugin']['authad']['base_dn'] = '${LDAP_BASE}'; | ||
\$conf['plugin']['authad']['domain_controllers'] = 'ldap://accountprovider:${LDAP_PORT}'; //multiple can be given | ||
\$conf['plugin']['authad']['use_tls'] = 0; | ||
EOF | ||
|
||
fi | ||
fi | ||
cat <<EOF >> dokuwiki-config/local.protected.php | ||
\$conf['useacl'] = 1; | ||
\$conf['superuser'] = 'admin,admin@${LDAP_DOMAIN},administrator,administrator@${LDAP_DOMAIN}'; | ||
EOF | ||
|
||
echo "Configuration written to dokuwiki-config/local.protected.php" | ||
|
||
cat <<EOF > dokuwiki-config/plugins.local.php | ||
<?php | ||
/* | ||
* Local plugin enable/disable settings | ||
* | ||
* Auto-generated by install s | ||
*/ | ||
\$plugins['authad'] = 1; | ||
\$plugins['authldap'] = 1; | ||
\$plugins['authmysql'] = 0; | ||
\$plugins['authpgsql'] = 0; | ||
EOF | ||
echo "Configuration written to dokuwiki-config/plugins.local.php" |
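Review bot: `LDAP_PASS`, `LDAP_USER`, `LDAP_BASE` and `LDAP_DOMAIN` are pasted unescaped into PHP string literals in the heredocs (`bindpw`, `binddn`, `base_dn`, `account_suffix`, `superuser`), so a bind password containing `"`, `$` or `\` breaks the generated `local.protected.php` or changes its meaning, since PHP interpolates `$` inside double quotes. Quote each value as a single-quoted PHP literal through a small helper and use it at every interpolation site, as sketched below. Separately, `starttls = 0` and `use_tls = 0` send the bind password in the clear to `ldap://accountprovider:${LDAP_PORT}`; that is only acceptable if that endpoint is the local ldapproxy on a private network, which deserves a comment next to those lines. The `elif [[ "$LDAP_DOMAIN" != "" ]]` branch is just `else`, and because the output file holds the bind password a `umask 077` before the first `cat` (or a `chmod 600` afterwards) is warranted.
```bash
# Quote a value as a single-quoted PHP string literal: PHP performs no
# interpolation inside '...', so only backslash and the quote need escaping.
php_sq() {
    local s=$1
    s=${s//\\/\\\\}
    s=${s//\'/\\\'}
    printf "'%s'" "$s"
}
# … unchanged: header and authplain branch …
\$conf['plugin']['authldap']['binddn'] = $(php_sq "${LDAP_USER}");
\$conf['plugin']['authldap']['bindpw'] = $(php_sq "${LDAP_PASS}");
# … unchanged: remaining heredocs, with the same treatment for LDAP_BASE and LDAP_DOMAIN …
```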
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
#!/usr/bin/env python3 | ||
|
||
# | ||
# Copyright (C) 2024 Nethesis S.r.l. | ||
# SPDX-License-Identifier: GPL-3.0-or-later | ||
# | ||
|
||
import json | ||
import sys | ||
import agent | ||
import os | ||
|
||
event = json.load(sys.stdin) | ||
|
||
if event.get('domain') != os.getenv('LDAP_DOMAIN'): | ||
exit(0) | ||
|
||
if 'node' in event and str(event['node']) != os.getenv('NODE_ID'): | ||
exit(0) # ignore event if the source is not in our node | ||
|
||
agent.run_helper('systemctl', '--user', '-T', 'try-restart', 'dokuwiki.service').check_returncode() |
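Review bot: The first guard compares `event.get('domain')` with `os.getenv('LDAP_DOMAIN')`, and both are `None` when the variable is unset and the event carries no `domain` key, so the service would be restarted on unrelated events; make the condition explicit with `if not os.getenv('LDAP_DOMAIN') or event.get('domain') != os.getenv('LDAP_DOMAIN'):`. The two `exit(0)` calls use the `site` convenience builtin, which is not guaranteed to exist in every interpreter; `sys` is already imported, so `sys.exit(0)` is the right call in a script.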