# SMB/CIFS Shares - LDAP/Active Directory Integration ## Skema Autentikasi Saat Ini ### Implementasi Current (v0.1.0-dev) 1. **Samba Configuration:** - `security = user` - User-based authentication - User management terpisah antara: - **Atlas Web UI**: In-memory `UserStore` (untuk login web) - **Samba**: User harus dibuat manual di sistem Linux menggunakan `smbpasswd` atau `pdbedit` 2. **Masalah yang Ada:** - ❌ User Atlas (web UI) ≠ User Samba (SMB access) - ❌ Tidak ada sinkronisasi user antara Atlas dan Samba - ❌ User harus dibuat manual di sistem untuk akses SMB - ❌ Tidak ada integrasi dengan LDAP/AD - ❌ `ValidUsers` di SMB share hanya berupa list username string, tidak terintegrasi dengan sistem user management 3. **Arsitektur Saat Ini:** ``` Atlas Web UI (UserStore) ──┐ ├──> Tidak terhubung Samba (smbpasswd/pdbedit) ─┘ ``` ## Feasibility untuk LDAP/AD Integration ### ✅ **SANGAT FEASIBLE** Samba memiliki dukungan native untuk LDAP dan Active Directory: 1. **Samba Security Modes:** - `security = ads` - Active Directory Domain Services (recommended untuk AD) - `security = domain` - NT4 Domain (legacy) - `passdb backend = ldapsam` - LDAP backend untuk user database 2. **Keuntungan Integrasi LDAP/AD:** - ✅ Single Sign-On (SSO) - user login sekali untuk semua service - ✅ Centralized user management - tidak perlu manage user di multiple tempat - ✅ Group-based access control - bisa assign share berdasarkan AD groups - ✅ Enterprise-ready - sesuai dengan best practices enterprise storage - ✅ Audit trail yang lebih baik - semua akses ter-track di AD ## Rekomendasi Implementasi ### Phase 1: LDAP/AD Configuration Support (Priority: High) **1. Tambahkan Configuration Model:** ```go // internal/models/config.go type LDAPConfig struct { Enabled bool `json:"enabled"` Type string `json:"type"` // "ldap" or "ad" Server string `json:"server"` // LDAP/AD server FQDN or IP BaseDN string `json:"base_dn"` // Base DN for searches BindDN string `json:"bind_dn"` // Service account DN BindPassword string `json:"bind_password"` // Service account password UserDN string `json:"user_dn"` // User DN template (e.g., "CN=Users,DC=example,DC=com") GroupDN string `json:"group_dn"` // Group DN template Realm string `json:"realm"` // AD realm (e.g., "EXAMPLE.COM") Workgroup string `json:"workgroup"` // Workgroup name } ``` **2. Update SMB Service untuk Support LDAP/AD:** ```go // internal/services/smb.go func (s *SMBService) generateConfig(shares []models.SMBShare, ldapConfig *models.LDAPConfig) (string, error) { var b strings.Builder b.WriteString("[global]\n") b.WriteString(" server string = AtlasOS Storage Server\n") b.WriteString(" dns proxy = no\n") if ldapConfig != nil && ldapConfig.Enabled { if ldapConfig.Type == "ad" { // Active Directory mode b.WriteString(" security = ads\n") b.WriteString(fmt.Sprintf(" realm = %s\n", ldapConfig.Realm)) b.WriteString(fmt.Sprintf(" workgroup = %s\n", ldapConfig.Workgroup)) b.WriteString(" idmap config * : backend = tdb\n") b.WriteString(" idmap config * : range = 10000-20000\n") b.WriteString(" winbind enum users = yes\n") b.WriteString(" winbind enum groups = yes\n") } else { // LDAP mode b.WriteString(" security = user\n") b.WriteString(" passdb backend = ldapsam:ldap://" + ldapConfig.Server + "\n") b.WriteString(fmt.Sprintf(" ldap admin dn = %s\n", ldapConfig.BindDN)) b.WriteString(fmt.Sprintf(" ldap suffix = %s\n", ldapConfig.BaseDN)) b.WriteString(fmt.Sprintf(" ldap user suffix = %s\n", ldapConfig.UserDN)) b.WriteString(fmt.Sprintf(" ldap group suffix = %s\n", ldapConfig.GroupDN)) } } else { // Default: user mode (current implementation) b.WriteString(" security = user\n") b.WriteString(" map to guest = Bad User\n") } // ... rest of share configuration } ``` **3. Tambahkan API Endpoints untuk LDAP/AD Config:** ```go // internal/httpapp/api_handlers.go // GET /api/v1/config/ldap - Get LDAP/AD configuration // PUT /api/v1/config/ldap - Update LDAP/AD configuration // POST /api/v1/config/ldap/test - Test LDAP/AD connection ``` ### Phase 2: User Sync & Group Support (Priority: Medium) **1. LDAP/AD User Sync Service:** ```go // internal/services/ldap.go type LDAPService struct { config *models.LDAPConfig conn *ldap.Conn } func (s *LDAPService) SyncUsers() ([]LDAPUser, error) { // Query LDAP/AD untuk get users // Return list of users dengan attributes } func (s *LDAPService) SyncGroups() ([]LDAPGroup, error) { // Query LDAP/AD untuk get groups // Return list of groups dengan members } func (s *LDAPService) Authenticate(username, password string) (*LDAPUser, error) { // Authenticate user against LDAP/AD } ``` **2. Update SMB Share Model untuk Support Groups:** ```go // internal/models/storage.go type SMBShare struct { // ... existing fields ValidUsers []string `json:"valid_users"` // Username list ValidGroups []string `json:"valid_groups"` // Group name list (NEW) } ``` **3. Update Samba Config untuk Support Groups:** ```go if len(share.ValidUsers) > 0 { b.WriteString(fmt.Sprintf(" valid users = %s\n", strings.Join(share.ValidUsers, ", "))) } if len(share.ValidGroups) > 0 { b.WriteString(fmt.Sprintf(" valid groups = %s\n", strings.Join(share.ValidGroups, ", "))) } ``` ### Phase 3: UI Integration (Priority: Medium) **1. LDAP/AD Configuration Page:** - Form untuk configure LDAP/AD connection - Test connection button - Display sync status - Manual sync button **2. Update SMB Share Creation UI:** - Dropdown untuk select users dari LDAP/AD (bukan manual input) - Dropdown untuk select groups dari LDAP/AD - Auto-complete untuk username/group search ## Implementation Steps ### Step 1: Add LDAP Library Dependency ```bash go get github.com/go-ldap/ldap/v3 ``` ### Step 2: Create LDAP Service - Implement `internal/services/ldap.go` - Support both LDAP and AD protocols - Handle connection, authentication, and queries ### Step 3: Update SMB Service - Modify `generateConfig()` to accept LDAP config - Support both `security = ads` and `passdb backend = ldapsam` ### Step 4: Add Configuration Storage - Store LDAP/AD config (encrypted password) - Add API endpoints for config management ### Step 5: Update UI - Add LDAP/AD configuration page - Update SMB share creation form - Add user/group selector with LDAP/AD integration ## Dependencies & Requirements ### System Packages: ```bash # For AD integration sudo apt-get install winbind libnss-winbind libpam-winbind krb5-user # For LDAP integration sudo apt-get install libnss-ldap libpam-ldap ldap-utils # Samba packages (should already be installed) sudo apt-get install samba samba-common-bin ``` ### Go Dependencies: ```go // go.mod require ( github.com/go-ldap/ldap/v3 v3.4.6 ) ``` ## Security Considerations 1. **Password Storage:** - Encrypt LDAP bind password di storage - Use environment variables atau secret management untuk production 2. **TLS/SSL:** - Always use `ldaps://` (LDAP over TLS) untuk production - Support certificate validation 3. **Service Account:** - Use dedicated service account dengan minimal permissions - Read-only access untuk user/group queries 4. **Network Security:** - Firewall rules untuk LDAP/AD ports (389, 636, 88, 445) - Consider VPN atau private network untuk LDAP/AD server ## Testing Strategy 1. **Unit Tests:** - LDAP connection handling - User/group query parsing - Samba config generation dengan LDAP/AD 2. **Integration Tests:** - Test dengan LDAP server (OpenLDAP) - Test dengan AD server (Windows Server atau Samba AD) - Test user authentication flow 3. **Manual Testing:** - Create SMB share dengan AD user - Create SMB share dengan AD group - Test access dari Windows client - Test access dari Linux client ## Migration Path ### For Existing Installations: 1. **Backward Compatibility:** - Keep support untuk `security = user` mode - Existing shares tetap berfungsi - LDAP/AD adalah optional enhancement 2. **Gradual Migration:** - Admin bisa enable LDAP/AD secara gradual - Test dengan non-production shares dulu - Migrate user-by-user atau group-by-group ## Estimated Effort - **Phase 1 (LDAP/AD Config):** 2-3 days - **Phase 2 (User Sync & Groups):** 3-4 days - **Phase 3 (UI Integration):** 2-3 days - **Testing & Documentation:** 2-3 days **Total: ~10-13 days** untuk full LDAP/AD integration ## Alternative: Hybrid Approach Jika full LDAP/AD integration terlalu kompleks untuk sekarang, bisa implement **hybrid approach**: 1. **Keep current `security = user` mode** 2. **Add manual user import from LDAP/AD:** - Admin bisa sync users dari LDAP/AD ke local Samba - Users tetap di-manage di Samba, tapi source of truth adalah LDAP/AD - Periodic sync job untuk update users 3. **Benefits:** - Simpler implementation - No need untuk complex Samba AD join - Still provides centralized user management ## Conclusion ✅ **LDAP/AD integration sangat feasible dan recommended untuk enterprise storage solution** **Recommended Approach:** 1. Start dengan **Phase 1** (LDAP/AD config support) 2. Test dengan environment development 3. Gradually implement Phase 2 dan 3 4. Consider hybrid approach jika full integration terlalu complex **Priority:** - High untuk enterprise customers yang sudah punya AD/LDAP infrastructure - Medium untuk SMB customers yang mungkin belum punya AD/LDAP