diff --git a/docs/SMB_LDAP_AD_INTEGRATION.md b/docs/SMB_LDAP_AD_INTEGRATION.md new file mode 100644 index 0000000..a2f08f2 --- /dev/null +++ b/docs/SMB_LDAP_AD_INTEGRATION.md @@ -0,0 +1,305 @@ +# SMB/CIFS Shares - LDAP/Active Directory Integration + +## Skema Autentikasi Saat Ini + +### Implementasi Current (v0.1.0-dev) + +1. **Samba Configuration:** + - `security = user` - User-based authentication + - User management terpisah antara: + - **Atlas Web UI**: In-memory `UserStore` (untuk login web) + - **Samba**: User harus dibuat manual di sistem Linux menggunakan `smbpasswd` atau `pdbedit` + +2. **Masalah yang Ada:** + - ❌ User Atlas (web UI) ≠ User Samba (SMB access) + - ❌ Tidak ada sinkronisasi user antara Atlas dan Samba + - ❌ User harus dibuat manual di sistem untuk akses SMB + - ❌ Tidak ada integrasi dengan LDAP/AD + - ❌ `ValidUsers` di SMB share hanya berupa list username string, tidak terintegrasi dengan sistem user management + +3. **Arsitektur Saat Ini:** + ``` + Atlas Web UI (UserStore) ──┐ + ├──> Tidak terhubung + Samba (smbpasswd/pdbedit) ─┘ + ``` + +## Feasibility untuk LDAP/AD Integration + +### ✅ **SANGAT FEASIBLE** + +Samba memiliki dukungan native untuk LDAP dan Active Directory: + +1. **Samba Security Modes:** + - `security = ads` - Active Directory Domain Services (recommended untuk AD) + - `security = domain` - NT4 Domain (legacy) + - `passdb backend = ldapsam` - LDAP backend untuk user database + +2. **Keuntungan Integrasi LDAP/AD:** + - ✅ Single Sign-On (SSO) - user login sekali untuk semua service + - ✅ Centralized user management - tidak perlu manage user di multiple tempat + - ✅ Group-based access control - bisa assign share berdasarkan AD groups + - ✅ Enterprise-ready - sesuai dengan best practices enterprise storage + - ✅ Audit trail yang lebih baik - semua akses ter-track di AD + +## Rekomendasi Implementasi + +### Phase 1: LDAP/AD Configuration Support (Priority: High) + +**1. Tambahkan Configuration Model:** +```go +// internal/models/config.go +type LDAPConfig struct { + Enabled bool `json:"enabled"` + Type string `json:"type"` // "ldap" or "ad" + Server string `json:"server"` // LDAP/AD server FQDN or IP + BaseDN string `json:"base_dn"` // Base DN for searches + BindDN string `json:"bind_dn"` // Service account DN + BindPassword string `json:"bind_password"` // Service account password + UserDN string `json:"user_dn"` // User DN template (e.g., "CN=Users,DC=example,DC=com") + GroupDN string `json:"group_dn"` // Group DN template + Realm string `json:"realm"` // AD realm (e.g., "EXAMPLE.COM") + Workgroup string `json:"workgroup"` // Workgroup name +} +``` + +**2. Update SMB Service untuk Support LDAP/AD:** +```go +// internal/services/smb.go +func (s *SMBService) generateConfig(shares []models.SMBShare, ldapConfig *models.LDAPConfig) (string, error) { + var b strings.Builder + + b.WriteString("[global]\n") + b.WriteString(" server string = AtlasOS Storage Server\n") + b.WriteString(" dns proxy = no\n") + + if ldapConfig != nil && ldapConfig.Enabled { + if ldapConfig.Type == "ad" { + // Active Directory mode + b.WriteString(" security = ads\n") + b.WriteString(fmt.Sprintf(" realm = %s\n", ldapConfig.Realm)) + b.WriteString(fmt.Sprintf(" workgroup = %s\n", ldapConfig.Workgroup)) + b.WriteString(" idmap config * : backend = tdb\n") + b.WriteString(" idmap config * : range = 10000-20000\n") + b.WriteString(" winbind enum users = yes\n") + b.WriteString(" winbind enum groups = yes\n") + } else { + // LDAP mode + b.WriteString(" security = user\n") + b.WriteString(" passdb backend = ldapsam:ldap://" + ldapConfig.Server + "\n") + b.WriteString(fmt.Sprintf(" ldap admin dn = %s\n", ldapConfig.BindDN)) + b.WriteString(fmt.Sprintf(" ldap suffix = %s\n", ldapConfig.BaseDN)) + b.WriteString(fmt.Sprintf(" ldap user suffix = %s\n", ldapConfig.UserDN)) + b.WriteString(fmt.Sprintf(" ldap group suffix = %s\n", ldapConfig.GroupDN)) + } + } else { + // Default: user mode (current implementation) + b.WriteString(" security = user\n") + b.WriteString(" map to guest = Bad User\n") + } + + // ... rest of share configuration +} +``` + +**3. Tambahkan API Endpoints untuk LDAP/AD Config:** +```go +// internal/httpapp/api_handlers.go +// GET /api/v1/config/ldap - Get LDAP/AD configuration +// PUT /api/v1/config/ldap - Update LDAP/AD configuration +// POST /api/v1/config/ldap/test - Test LDAP/AD connection +``` + +### Phase 2: User Sync & Group Support (Priority: Medium) + +**1. LDAP/AD User Sync Service:** +```go +// internal/services/ldap.go +type LDAPService struct { + config *models.LDAPConfig + conn *ldap.Conn +} + +func (s *LDAPService) SyncUsers() ([]LDAPUser, error) { + // Query LDAP/AD untuk get users + // Return list of users dengan attributes +} + +func (s *LDAPService) SyncGroups() ([]LDAPGroup, error) { + // Query LDAP/AD untuk get groups + // Return list of groups dengan members +} + +func (s *LDAPService) Authenticate(username, password string) (*LDAPUser, error) { + // Authenticate user against LDAP/AD +} +``` + +**2. Update SMB Share Model untuk Support Groups:** +```go +// internal/models/storage.go +type SMBShare struct { + // ... existing fields + ValidUsers []string `json:"valid_users"` // Username list + ValidGroups []string `json:"valid_groups"` // Group name list (NEW) +} +``` + +**3. Update Samba Config untuk Support Groups:** +```go +if len(share.ValidUsers) > 0 { + b.WriteString(fmt.Sprintf(" valid users = %s\n", strings.Join(share.ValidUsers, ", "))) +} +if len(share.ValidGroups) > 0 { + b.WriteString(fmt.Sprintf(" valid groups = %s\n", strings.Join(share.ValidGroups, ", "))) +} +``` + +### Phase 3: UI Integration (Priority: Medium) + +**1. LDAP/AD Configuration Page:** +- Form untuk configure LDAP/AD connection +- Test connection button +- Display sync status +- Manual sync button + +**2. Update SMB Share Creation UI:** +- Dropdown untuk select users dari LDAP/AD (bukan manual input) +- Dropdown untuk select groups dari LDAP/AD +- Auto-complete untuk username/group search + +## Implementation Steps + +### Step 1: Add LDAP Library Dependency +```bash +go get github.com/go-ldap/ldap/v3 +``` + +### Step 2: Create LDAP Service +- Implement `internal/services/ldap.go` +- Support both LDAP and AD protocols +- Handle connection, authentication, and queries + +### Step 3: Update SMB Service +- Modify `generateConfig()` to accept LDAP config +- Support both `security = ads` and `passdb backend = ldapsam` + +### Step 4: Add Configuration Storage +- Store LDAP/AD config (encrypted password) +- Add API endpoints for config management + +### Step 5: Update UI +- Add LDAP/AD configuration page +- Update SMB share creation form +- Add user/group selector with LDAP/AD integration + +## Dependencies & Requirements + +### System Packages: +```bash +# For AD integration +sudo apt-get install winbind libnss-winbind libpam-winbind krb5-user + +# For LDAP integration +sudo apt-get install libnss-ldap libpam-ldap ldap-utils + +# Samba packages (should already be installed) +sudo apt-get install samba samba-common-bin +``` + +### Go Dependencies: +```go +// go.mod +require ( + github.com/go-ldap/ldap/v3 v3.4.6 +) +``` + +## Security Considerations + +1. **Password Storage:** + - Encrypt LDAP bind password di storage + - Use environment variables atau secret management untuk production + +2. **TLS/SSL:** + - Always use `ldaps://` (LDAP over TLS) untuk production + - Support certificate validation + +3. **Service Account:** + - Use dedicated service account dengan minimal permissions + - Read-only access untuk user/group queries + +4. **Network Security:** + - Firewall rules untuk LDAP/AD ports (389, 636, 88, 445) + - Consider VPN atau private network untuk LDAP/AD server + +## Testing Strategy + +1. **Unit Tests:** + - LDAP connection handling + - User/group query parsing + - Samba config generation dengan LDAP/AD + +2. **Integration Tests:** + - Test dengan LDAP server (OpenLDAP) + - Test dengan AD server (Windows Server atau Samba AD) + - Test user authentication flow + +3. **Manual Testing:** + - Create SMB share dengan AD user + - Create SMB share dengan AD group + - Test access dari Windows client + - Test access dari Linux client + +## Migration Path + +### For Existing Installations: + +1. **Backward Compatibility:** + - Keep support untuk `security = user` mode + - Existing shares tetap berfungsi + - LDAP/AD adalah optional enhancement + +2. **Gradual Migration:** + - Admin bisa enable LDAP/AD secara gradual + - Test dengan non-production shares dulu + - Migrate user-by-user atau group-by-group + +## Estimated Effort + +- **Phase 1 (LDAP/AD Config):** 2-3 days +- **Phase 2 (User Sync & Groups):** 3-4 days +- **Phase 3 (UI Integration):** 2-3 days +- **Testing & Documentation:** 2-3 days + +**Total: ~10-13 days** untuk full LDAP/AD integration + +## Alternative: Hybrid Approach + +Jika full LDAP/AD integration terlalu kompleks untuk sekarang, bisa implement **hybrid approach**: + +1. **Keep current `security = user` mode** +2. **Add manual user import from LDAP/AD:** + - Admin bisa sync users dari LDAP/AD ke local Samba + - Users tetap di-manage di Samba, tapi source of truth adalah LDAP/AD + - Periodic sync job untuk update users + +3. **Benefits:** + - Simpler implementation + - No need untuk complex Samba AD join + - Still provides centralized user management + +## Conclusion + +✅ **LDAP/AD integration sangat feasible dan recommended untuk enterprise storage solution** + +**Recommended Approach:** +1. Start dengan **Phase 1** (LDAP/AD config support) +2. Test dengan environment development +3. Gradually implement Phase 2 dan 3 +4. Consider hybrid approach jika full integration terlalu complex + +**Priority:** +- High untuk enterprise customers yang sudah punya AD/LDAP infrastructure +- Medium untuk SMB customers yang mungkin belum punya AD/LDAP +