othman.suseno/atlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add next action plan - SMB LDAP/AD Integration
Some checks failed
CI / test-build (push) Has been cancelled
Details

Browse Source
This commit is contained in:
othman hendy suseno
2025-12-20 13:27:29 +00:00
parent a463a09329
commit 2bb892dfdc
1 changed files with 305 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

305
docs/SMB_LDAP_AD_INTEGRATION.md Normal file
View File

@@ -0,0 +1,305 @@
# SMB/CIFS Shares - LDAP/Active Directory Integration
## Skema Autentikasi Saat Ini
### Implementasi Current (v0.1.0-dev)
1. **Samba Configuration:**
- `security = user` - User-based authentication
- User management terpisah antara:
- **Atlas Web UI**: In-memory `UserStore` (untuk login web)
- **Samba**: User harus dibuat manual di sistem Linux menggunakan `smbpasswd` atau `pdbedit`
2. **Masalah yang Ada:**
- ❌ User Atlas (web UI) ≠ User Samba (SMB access)
- ❌ Tidak ada sinkronisasi user antara Atlas dan Samba
- ❌ User harus dibuat manual di sistem untuk akses SMB
- ❌ Tidak ada integrasi dengan LDAP/AD
-`ValidUsers` di SMB share hanya berupa list username string, tidak terintegrasi dengan sistem user management
3. **Arsitektur Saat Ini:**
```
Atlas Web UI (UserStore) ──┐
├──> Tidak terhubung
Samba (smbpasswd/pdbedit) ─┘
```
## Feasibility untuk LDAP/AD Integration
### ✅ **SANGAT FEASIBLE**
Samba memiliki dukungan native untuk LDAP dan Active Directory:
1. **Samba Security Modes:**
- `security = ads` - Active Directory Domain Services (recommended untuk AD)
- `security = domain` - NT4 Domain (legacy)
- `passdb backend = ldapsam` - LDAP backend untuk user database
2. **Keuntungan Integrasi LDAP/AD:**
- ✅ Single Sign-On (SSO) - user login sekali untuk semua service
- ✅ Centralized user management - tidak perlu manage user di multiple tempat
- ✅ Group-based access control - bisa assign share berdasarkan AD groups
- ✅ Enterprise-ready - sesuai dengan best practices enterprise storage
- ✅ Audit trail yang lebih baik - semua akses ter-track di AD
## Rekomendasi Implementasi
### Phase 1: LDAP/AD Configuration Support (Priority: High)
**1. Tambahkan Configuration Model:**
```go
// internal/models/config.go
type LDAPConfig struct {
Enabled bool `json:"enabled"`
Type string `json:"type"` // "ldap" or "ad"
Server string `json:"server"` // LDAP/AD server FQDN or IP
BaseDN string `json:"base_dn"` // Base DN for searches
BindDN string `json:"bind_dn"` // Service account DN
BindPassword string `json:"bind_password"` // Service account password
UserDN string `json:"user_dn"` // User DN template (e.g., "CN=Users,DC=example,DC=com")
GroupDN string `json:"group_dn"` // Group DN template
Realm string `json:"realm"` // AD realm (e.g., "EXAMPLE.COM")
Workgroup string `json:"workgroup"` // Workgroup name
}
```
**2. Update SMB Service untuk Support LDAP/AD:**
```go
// internal/services/smb.go
func (s *SMBService) generateConfig(shares []models.SMBShare, ldapConfig *models.LDAPConfig) (string, error) {
var b strings.Builder
b.WriteString("[global]\n")
b.WriteString(" server string = AtlasOS Storage Server\n")
b.WriteString(" dns proxy = no\n")
if ldapConfig != nil && ldapConfig.Enabled {
if ldapConfig.Type == "ad" {
// Active Directory mode
b.WriteString(" security = ads\n")
b.WriteString(fmt.Sprintf(" realm = %s\n", ldapConfig.Realm))
b.WriteString(fmt.Sprintf(" workgroup = %s\n", ldapConfig.Workgroup))
b.WriteString(" idmap config * : backend = tdb\n")
b.WriteString(" idmap config * : range = 10000-20000\n")
b.WriteString(" winbind enum users = yes\n")
b.WriteString(" winbind enum groups = yes\n")
} else {
// LDAP mode
b.WriteString(" security = user\n")
b.WriteString(" passdb backend = ldapsam:ldap://" + ldapConfig.Server + "\n")
b.WriteString(fmt.Sprintf(" ldap admin dn = %s\n", ldapConfig.BindDN))
b.WriteString(fmt.Sprintf(" ldap suffix = %s\n", ldapConfig.BaseDN))
b.WriteString(fmt.Sprintf(" ldap user suffix = %s\n", ldapConfig.UserDN))
b.WriteString(fmt.Sprintf(" ldap group suffix = %s\n", ldapConfig.GroupDN))
}
} else {
// Default: user mode (current implementation)
b.WriteString(" security = user\n")
b.WriteString(" map to guest = Bad User\n")
}
// ... rest of share configuration
}
```
**3. Tambahkan API Endpoints untuk LDAP/AD Config:**
```go
// internal/httpapp/api_handlers.go
// GET /api/v1/config/ldap - Get LDAP/AD configuration
// PUT /api/v1/config/ldap - Update LDAP/AD configuration
// POST /api/v1/config/ldap/test - Test LDAP/AD connection
```
### Phase 2: User Sync & Group Support (Priority: Medium)
**1. LDAP/AD User Sync Service:**
```go
// internal/services/ldap.go
type LDAPService struct {
config *models.LDAPConfig
conn *ldap.Conn
}
func (s *LDAPService) SyncUsers() ([]LDAPUser, error) {
// Query LDAP/AD untuk get users
// Return list of users dengan attributes
}
func (s *LDAPService) SyncGroups() ([]LDAPGroup, error) {
// Query LDAP/AD untuk get groups
// Return list of groups dengan members
}
func (s *LDAPService) Authenticate(username, password string) (*LDAPUser, error) {
// Authenticate user against LDAP/AD
}
```
**2. Update SMB Share Model untuk Support Groups:**
```go
// internal/models/storage.go
type SMBShare struct {
// ... existing fields
ValidUsers []string `json:"valid_users"` // Username list
ValidGroups []string `json:"valid_groups"` // Group name list (NEW)
}
```
**3. Update Samba Config untuk Support Groups:**
```go
if len(share.ValidUsers) > 0 {
b.WriteString(fmt.Sprintf(" valid users = %s\n", strings.Join(share.ValidUsers, ", ")))
}
if len(share.ValidGroups) > 0 {
b.WriteString(fmt.Sprintf(" valid groups = %s\n", strings.Join(share.ValidGroups, ", ")))
}
```
### Phase 3: UI Integration (Priority: Medium)
**1. LDAP/AD Configuration Page:**
- Form untuk configure LDAP/AD connection
- Test connection button
- Display sync status
- Manual sync button
**2. Update SMB Share Creation UI:**
- Dropdown untuk select users dari LDAP/AD (bukan manual input)
- Dropdown untuk select groups dari LDAP/AD
- Auto-complete untuk username/group search
## Implementation Steps
### Step 1: Add LDAP Library Dependency
```bash
go get github.com/go-ldap/ldap/v3
```
### Step 2: Create LDAP Service
- Implement `internal/services/ldap.go`
- Support both LDAP and AD protocols
- Handle connection, authentication, and queries
### Step 3: Update SMB Service
- Modify `generateConfig()` to accept LDAP config
- Support both `security = ads` and `passdb backend = ldapsam`
### Step 4: Add Configuration Storage
- Store LDAP/AD config (encrypted password)
- Add API endpoints for config management
### Step 5: Update UI
- Add LDAP/AD configuration page
- Update SMB share creation form
- Add user/group selector with LDAP/AD integration
## Dependencies & Requirements
### System Packages:
```bash
# For AD integration
sudo apt-get install winbind libnss-winbind libpam-winbind krb5-user
# For LDAP integration
sudo apt-get install libnss-ldap libpam-ldap ldap-utils
# Samba packages (should already be installed)
sudo apt-get install samba samba-common-bin
```
### Go Dependencies:
```go
// go.mod
require (
github.com/go-ldap/ldap/v3 v3.4.6
)
```
## Security Considerations
1. **Password Storage:**
- Encrypt LDAP bind password di storage
- Use environment variables atau secret management untuk production
2. **TLS/SSL:**
- Always use `ldaps://` (LDAP over TLS) untuk production
- Support certificate validation
3. **Service Account:**
- Use dedicated service account dengan minimal permissions
- Read-only access untuk user/group queries
4. **Network Security:**
- Firewall rules untuk LDAP/AD ports (389, 636, 88, 445)
- Consider VPN atau private network untuk LDAP/AD server
## Testing Strategy
1. **Unit Tests:**
- LDAP connection handling
- User/group query parsing
- Samba config generation dengan LDAP/AD
2. **Integration Tests:**
- Test dengan LDAP server (OpenLDAP)
- Test dengan AD server (Windows Server atau Samba AD)
- Test user authentication flow
3. **Manual Testing:**
- Create SMB share dengan AD user
- Create SMB share dengan AD group
- Test access dari Windows client
- Test access dari Linux client
## Migration Path
### For Existing Installations:
1. **Backward Compatibility:**
- Keep support untuk `security = user` mode
- Existing shares tetap berfungsi
- LDAP/AD adalah optional enhancement
2. **Gradual Migration:**
- Admin bisa enable LDAP/AD secara gradual
- Test dengan non-production shares dulu
- Migrate user-by-user atau group-by-group
## Estimated Effort
- **Phase 1 (LDAP/AD Config):** 2-3 days
- **Phase 2 (User Sync & Groups):** 3-4 days
- **Phase 3 (UI Integration):** 2-3 days
- **Testing & Documentation:** 2-3 days
**Total: ~10-13 days** untuk full LDAP/AD integration
## Alternative: Hybrid Approach
Jika full LDAP/AD integration terlalu kompleks untuk sekarang, bisa implement **hybrid approach**:
1. **Keep current `security = user` mode**
2. **Add manual user import from LDAP/AD:**
- Admin bisa sync users dari LDAP/AD ke local Samba
- Users tetap di-manage di Samba, tapi source of truth adalah LDAP/AD
- Periodic sync job untuk update users
3. **Benefits:**
- Simpler implementation
- No need untuk complex Samba AD join
- Still provides centralized user management
## Conclusion
**LDAP/AD integration sangat feasible dan recommended untuk enterprise storage solution**
**Recommended Approach:**
1. Start dengan **Phase 1** (LDAP/AD config support)
2. Test dengan environment development
3. Gradually implement Phase 2 dan 3
4. Consider hybrid approach jika full integration terlalu complex
**Priority:**
- High untuk enterprise customers yang sudah punya AD/LDAP infrastructure
- Medium untuk SMB customers yang mungkin belum punya AD/LDAP