othman.suseno/atlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2bb892dfdceb1b6085ec1ae3eb092a57fd2be7ae
atlas/docs/SMB_LDAP_AD_INTEGRATION.md
Othman Hendy Suseo 2bb892dfdc
Some checks failed
CI / test-build (push) Has been cancelled
Details
add next action plan - SMB LDAP/AD Integration
2025-12-20 13:27:29 +00:00

9.7 KiB
Raw Blame History

SMB/CIFS Shares - LDAP/Active Directory Integration

Skema Autentikasi Saat Ini

Implementasi Current (v0.1.0-dev)

  1. Samba Configuration:

    • security = user - User-based authentication
    • User management terpisah antara:
      • Atlas Web UI: In-memory UserStore (untuk login web)
      • Samba: User harus dibuat manual di sistem Linux menggunakan smbpasswd atau pdbedit

  2. Masalah yang Ada:

    • User Atlas (web UI) ≠ User Samba (SMB access)
    • Tidak ada sinkronisasi user antara Atlas dan Samba
    • User harus dibuat manual di sistem untuk akses SMB
    • Tidak ada integrasi dengan LDAP/AD
    • ValidUsers di SMB share hanya berupa list username string, tidak terintegrasi dengan sistem user management

  3. Arsitektur Saat Ini:

    Atlas Web UI (UserStore) ──┐
                           ├──> Tidak terhubung
Samba (smbpasswd/pdbedit) ─┘

Feasibility untuk LDAP/AD Integration

SANGAT FEASIBLE

Samba memiliki dukungan native untuk LDAP dan Active Directory:

  1. Samba Security Modes:

    • security = ads - Active Directory Domain Services (recommended untuk AD)
    • security = domain - NT4 Domain (legacy)
    • passdb backend = ldapsam - LDAP backend untuk user database

  2. Keuntungan Integrasi LDAP/AD:

    • Single Sign-On (SSO) - user login sekali untuk semua service
    • Centralized user management - tidak perlu manage user di multiple tempat
    • Group-based access control - bisa assign share berdasarkan AD groups
    • Enterprise-ready - sesuai dengan best practices enterprise storage
    • Audit trail yang lebih baik - semua akses ter-track di AD

Rekomendasi Implementasi

Phase 1: LDAP/AD Configuration Support (Priority: High)

1. Tambahkan Configuration Model:

// internal/models/config.go
type LDAPConfig struct {
    Enabled     bool   `json:"enabled"`
    Type        string `json:"type"`        // "ldap" or "ad"
    Server      string `json:"server"`      // LDAP/AD server FQDN or IP
    BaseDN      string `json:"base_dn"`     // Base DN for searches
    BindDN      string `json:"bind_dn"`     // Service account DN
    BindPassword string `json:"bind_password"` // Service account password
    UserDN      string `json:"user_dn"`     // User DN template (e.g., "CN=Users,DC=example,DC=com")
    GroupDN     string `json:"group_dn"`    // Group DN template
    Realm       string `json:"realm"`       // AD realm (e.g., "EXAMPLE.COM")
    Workgroup   string `json:"workgroup"`  // Workgroup name
}

2. Update SMB Service untuk Support LDAP/AD:

// internal/services/smb.go
func (s *SMBService) generateConfig(shares []models.SMBShare, ldapConfig *models.LDAPConfig) (string, error) {
    var b strings.Builder
    
    b.WriteString("[global]\n")
    b.WriteString("  server string = AtlasOS Storage Server\n")
    b.WriteString("  dns proxy = no\n")
    
    if ldapConfig != nil && ldapConfig.Enabled {
        if ldapConfig.Type == "ad" {
            // Active Directory mode
            b.WriteString("  security = ads\n")
            b.WriteString(fmt.Sprintf("  realm = %s\n", ldapConfig.Realm))
            b.WriteString(fmt.Sprintf("  workgroup = %s\n", ldapConfig.Workgroup))
            b.WriteString("  idmap config * : backend = tdb\n")
            b.WriteString("  idmap config * : range = 10000-20000\n")
            b.WriteString("  winbind enum users = yes\n")
            b.WriteString("  winbind enum groups = yes\n")
        } else {
            // LDAP mode
            b.WriteString("  security = user\n")
            b.WriteString("  passdb backend = ldapsam:ldap://" + ldapConfig.Server + "\n")
            b.WriteString(fmt.Sprintf("  ldap admin dn = %s\n", ldapConfig.BindDN))
            b.WriteString(fmt.Sprintf("  ldap suffix = %s\n", ldapConfig.BaseDN))
            b.WriteString(fmt.Sprintf("  ldap user suffix = %s\n", ldapConfig.UserDN))
            b.WriteString(fmt.Sprintf("  ldap group suffix = %s\n", ldapConfig.GroupDN))
        }
    } else {
        // Default: user mode (current implementation)
        b.WriteString("  security = user\n")
        b.WriteString("  map to guest = Bad User\n")
    }
    
    // ... rest of share configuration
}

3. Tambahkan API Endpoints untuk LDAP/AD Config:

// internal/httpapp/api_handlers.go
// GET /api/v1/config/ldap - Get LDAP/AD configuration
// PUT /api/v1/config/ldap - Update LDAP/AD configuration
// POST /api/v1/config/ldap/test - Test LDAP/AD connection

Phase 2: User Sync & Group Support (Priority: Medium)

1. LDAP/AD User Sync Service:

// internal/services/ldap.go
type LDAPService struct {
    config *models.LDAPConfig
    conn   *ldap.Conn
}

func (s *LDAPService) SyncUsers() ([]LDAPUser, error) {
    // Query LDAP/AD untuk get users
    // Return list of users dengan attributes
}

func (s *LDAPService) SyncGroups() ([]LDAPGroup, error) {
    // Query LDAP/AD untuk get groups
    // Return list of groups dengan members
}

func (s *LDAPService) Authenticate(username, password string) (*LDAPUser, error) {
    // Authenticate user against LDAP/AD
}

2. Update SMB Share Model untuk Support Groups:

// internal/models/storage.go
type SMBShare struct {
    // ... existing fields
    ValidUsers  []string `json:"valid_users"`   // Username list
    ValidGroups []string `json:"valid_groups"`   // Group name list (NEW)
}

3. Update Samba Config untuk Support Groups:

if len(share.ValidUsers) > 0 {
    b.WriteString(fmt.Sprintf("  valid users = %s\n", strings.Join(share.ValidUsers, ", ")))
}
if len(share.ValidGroups) > 0 {
    b.WriteString(fmt.Sprintf("  valid groups = %s\n", strings.Join(share.ValidGroups, ", ")))
}

Phase 3: UI Integration (Priority: Medium)

1. LDAP/AD Configuration Page:

  • Form untuk configure LDAP/AD connection
  • Test connection button
  • Display sync status
  • Manual sync button

2. Update SMB Share Creation UI:

  • Dropdown untuk select users dari LDAP/AD (bukan manual input)
  • Dropdown untuk select groups dari LDAP/AD
  • Auto-complete untuk username/group search

Implementation Steps

Step 1: Add LDAP Library Dependency

go get github.com/go-ldap/ldap/v3

Step 2: Create LDAP Service

  • Implement internal/services/ldap.go
  • Support both LDAP and AD protocols
  • Handle connection, authentication, and queries

Step 3: Update SMB Service

  • Modify generateConfig() to accept LDAP config
  • Support both security = ads and passdb backend = ldapsam

Step 4: Add Configuration Storage

  • Store LDAP/AD config (encrypted password)
  • Add API endpoints for config management

Step 5: Update UI

  • Add LDAP/AD configuration page
  • Update SMB share creation form
  • Add user/group selector with LDAP/AD integration

Dependencies & Requirements

System Packages:

# For AD integration
sudo apt-get install winbind libnss-winbind libpam-winbind krb5-user

# For LDAP integration
sudo apt-get install libnss-ldap libpam-ldap ldap-utils

# Samba packages (should already be installed)
sudo apt-get install samba samba-common-bin

Go Dependencies:

// go.mod
require (
    github.com/go-ldap/ldap/v3 v3.4.6
)

Security Considerations

  1. Password Storage:

    • Encrypt LDAP bind password di storage
    • Use environment variables atau secret management untuk production

  2. TLS/SSL:

    • Always use ldaps:// (LDAP over TLS) untuk production
    • Support certificate validation

  3. Service Account:

    • Use dedicated service account dengan minimal permissions
    • Read-only access untuk user/group queries

  4. Network Security:

    • Firewall rules untuk LDAP/AD ports (389, 636, 88, 445)
    • Consider VPN atau private network untuk LDAP/AD server

Testing Strategy

  1. Unit Tests:

    • LDAP connection handling
    • User/group query parsing
    • Samba config generation dengan LDAP/AD

  2. Integration Tests:

    • Test dengan LDAP server (OpenLDAP)
    • Test dengan AD server (Windows Server atau Samba AD)
    • Test user authentication flow

  3. Manual Testing:

    • Create SMB share dengan AD user
    • Create SMB share dengan AD group
    • Test access dari Windows client
    • Test access dari Linux client

Migration Path

For Existing Installations:

  1. Backward Compatibility:

    • Keep support untuk security = user mode
    • Existing shares tetap berfungsi
    • LDAP/AD adalah optional enhancement

  2. Gradual Migration:

    • Admin bisa enable LDAP/AD secara gradual
    • Test dengan non-production shares dulu
    • Migrate user-by-user atau group-by-group

Estimated Effort

  • Phase 1 (LDAP/AD Config): 2-3 days
  • Phase 2 (User Sync & Groups): 3-4 days
  • Phase 3 (UI Integration): 2-3 days
  • Testing & Documentation: 2-3 days

Total: ~10-13 days untuk full LDAP/AD integration

Alternative: Hybrid Approach

Jika full LDAP/AD integration terlalu kompleks untuk sekarang, bisa implement hybrid approach:

  1. Keep current security = user mode

  2. Add manual user import from LDAP/AD:

    • Admin bisa sync users dari LDAP/AD ke local Samba
    • Users tetap di-manage di Samba, tapi source of truth adalah LDAP/AD
    • Periodic sync job untuk update users

  3. Benefits:

    • Simpler implementation
    • No need untuk complex Samba AD join
    • Still provides centralized user management

Conclusion

LDAP/AD integration sangat feasible dan recommended untuk enterprise storage solution

Recommended Approach:

  1. Start dengan Phase 1 (LDAP/AD config support)
  2. Test dengan environment development
  3. Gradually implement Phase 2 dan 3
  4. Consider hybrid approach jika full integration terlalu complex

Priority:

  • High untuk enterprise customers yang sudah punya AD/LDAP infrastructure
  • Medium untuk SMB customers yang mungkin belum punya AD/LDAP