website/integrations: add QNAP NAS using LDAP (#2614)
* Add Docu: QNAP NAS LDAP connect
* fix formatting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent cca0f60bda
commit 4f08a9424a

website/integrations/services/qnap-nas/index.md (Normal file, 190 lines)

@ -0,0 +1,190 @@
---
title: QNAP NAS
---

## What is QNAP NAS

From <https://en.wikipedia.org/wiki/QNAP_Systems>

:::note
QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.
:::

Connecting a QNAP NAS to an LDAP Directory is a little bit special
as it is **not** (well) documented what really is done behind the scenes of QNAP.

## Preperation

The following placeholders will be used:

- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) a FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `qnap.serviceAccount` is a service account created in authentik
- `qnap.serviceAccountToken` is the service account token generated
by authentik.

Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the authentik side.

Remember the `ldap.baseDN` you have configured for the provider as you'll
need it in the sssd configuration.

Create a new service account for all of your hosts to use to connect
to LDAP and perform searches. Make sure this service account is added
to `ldap.searchGroup`.

:::warning
It seems that QNAP LDAP client configuration has issues with too long password.
Max password length <= 66 characters.
:::

## Deployment

Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.

The outpost will connect to authentik and configure itself.

## NAS Configuration

The procedure is a two step setup:

1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.

:::note
The config edit is essential, as QNAP relies on certain not configurable things.
The search for users and groups relies on a fix filter for
`objectClass` in `posixAccount` or `posixGroup` classes.

Also by default the search scope is set to `one` (`singleLevel`), which can be
adapted in the config to `sub` (`wholeSubtree`).

### Sample LDAP request from QNAP

Default search for users

```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixAccount)
Attributes:
uid
userPassword
uidNumber
gidNumber
cn
homeDirectory
loginShell
gecos
description
objectClass
```

Default search for groups

```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixGroup)
Attributes:
cn
userPassword
memberUid
gidNumber
```

:::

### QNAP Web UI

Configure the following values and "Apply"
![qnap domain security](./qnap-ldap-configuration.png)

:::warning
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
:::

:::note
The UI Configuration is necessary, as it will save the Password encrypted
in `/etc/config/nss_ldap.ensecret`.
:::

### SSH

Connect your QNAP NAS via SSH.
First stop the LDAP Service:

```bash
/sbin/setcfg LDAP Enable FALSE
/etc/init.d/ldap.sh stop
```

Edit the file at `/etc/config/nss_ldap.conf`:

```conf
host ${ldap.domain}
base ${ldap.baseDN}
uri ldaps://${ldap.domain}/
ssl on
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
nss_schema rfc2307bis

# remap object classes to authentik ones
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

# remap attributes
# uid to cn is essential otherwise only id usernames will occur
nss_map_attribute uid cn
# map displayName information into comments field
nss_map_attribute gecos displayName
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
nss_map_attribute uniqueMember member

# configure scope per search filter
nss_base_passwd ou=users,${ldap.baseDN}?one
nss_base_shadow ou=users,${ldap.baseDN}?one
nss_base_group ou=groups,${ldap.baseDN}?one

tls_checkpeer no
referrals no
bind_policy soft
timelimit 120
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
nss_initgroups_ignoreusers admin,akadmin
```

Now start the LDAP Service:

```bash
/sbin/setcfg LDAP Enable TRUE
/etc/init.d/ldap.sh start
```

To see if connection is working, type

```bash
# list users
$ getent passwd
```

The output should list local users and authentik accounts.

```bash
# list groups
$ getent group
```

The output should list local and authentik groups.
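Review bot: `tls_checkpeer no` in the sample `/etc/config/nss_ldap.conf` turns off certificate verification for the `ldaps://${ldap.domain}/` connection, which contradicts the guide's stated assumption that the deployment runs with TLS: the NAS will accept any certificate presented to it, so whoever can interpose between the NAS and the outpost receives the `rootbinddn` simple bind with the `qnap.serviceAccount` password. Either set `tls_checkpeer yes` and point nss_ldap's `tls_cacertfile` at the CA that issued the outpost's certificate, or say explicitly that peer verification is disabled and what that costs. Two smaller points in the same file: the note says the scope "can be adapted in the config to `sub`", but all three `nss_base_*` lines keep `?one`, so the reader should be told whether `?one` is sufficient for the `ou=users`/`ou=groups` layout the `rootbinddn` line implies or when `sub` is actually needed; and the `qnap.serviceAccountToken` placeholder is defined under Preparation but never used, while "need it in the sssd configuration" reads as carried over from the sssd guide (this page edits `nss_ldap.conf`, not sssd). Spelling and grammar: "Preperation", "can can see", "a fix filter" (fixed), "two step setup" (two-step), "too long password" (too long a password).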
Binary file not shown. Size: 198 KiB

@ -19,6 +19,7 @@ module.exports = {
"services/harbor/index",
"services/hashicorp-vault/index",
"services/minio/index",
"services/qnap-nas/index",
"services/opnsense/index",
"services/pfsense/index",
"services/pgadmin/index",
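Review bot: `"services/qnap-nas/index"` is inserted between `"services/minio/index"` and `"services/opnsense/index"`, which breaks the alphabetical order the surrounding entries follow (harbor, hashicorp-vault, minio, opnsense, pfsense, pgadmin). Move it after `"services/pgadmin/index"`, or to wherever "q" falls in the remainder of the list outside this hunk.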