website/integrations: add QNAP NAS using LDAP (#2614)
* Add Docu: QNAP NAS LDAP connect * fix formatting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
cca0f60bda
commit
4f08a9424a
190
website/integrations/services/qnap-nas/index.md
Normal file
190
website/integrations/services/qnap-nas/index.md
Normal file
|
@ -0,0 +1,190 @@
|
|||
---
|
||||
title: QNAP NAS
|
||||
---
|
||||
|
||||
## What is QNAP NAS
|
||||
|
||||
From <https://en.wikipedia.org/wiki/QNAP_Systems>
|
||||
|
||||
:::note
|
||||
QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.
|
||||
:::
|
||||
|
||||
Connecting a QNAP NAS to an LDAP Directory is a little bit special
|
||||
as it is **not** (well) documented what really is done behind the scenes of QNAP.
|
||||
|
||||
## Preperation
|
||||
|
||||
The following placeholders will be used:
|
||||
|
||||
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
|
||||
- `ldap.domain` is (typically) a FQDN for your domain. Usually
|
||||
it is just the components of your base DN. For example, if
|
||||
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
|
||||
might be `ldap.goauthentik.io`.
|
||||
- `ldap.searchGroup` is the "Search Group" that can can see all
|
||||
users and groups in authentik.
|
||||
- `qnap.serviceAccount` is a service account created in authentik
|
||||
- `qnap.serviceAccountToken` is the service account token generated
|
||||
by authentik.
|
||||
|
||||
Create an LDAP Provider if you don't already have one setup.
|
||||
This guide assumes you will be running with TLS. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the authentik side.
|
||||
|
||||
Remember the `ldap.baseDN` you have configured for the provider as you'll
|
||||
need it in the sssd configuration.
|
||||
|
||||
Create a new service account for all of your hosts to use to connect
|
||||
to LDAP and perform searches. Make sure this service account is added
|
||||
to `ldap.searchGroup`.
|
||||
|
||||
:::warning
|
||||
It seems that QNAP LDAP client configuration has issues with too long password.
|
||||
Max password length <= 66 characters.
|
||||
:::
|
||||
|
||||
## Deployment
|
||||
|
||||
Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.
|
||||
|
||||
The outpost will connect to authentik and configure itself.
|
||||
|
||||
## NAS Configuration
|
||||
|
||||
The procedure is a two step setup:
|
||||
|
||||
1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
|
||||
2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
|
||||
|
||||
:::note
|
||||
The config edit is essential, as QNAP relies on certain not configurable things.
|
||||
The search for users and groups relies on a fix filter for
|
||||
`objectClass` in `posixAccount` or `posixGroup` classes.
|
||||
|
||||
Also by default the search scope is set to `one` (`singleLevel`), which can be
|
||||
adapted in the config to `sub` (`wholeSubtree`).
|
||||
|
||||
### Sample LDAP request from QNAP
|
||||
|
||||
Default search for users
|
||||
|
||||
```text
|
||||
Scope: 1 (singleLevel)
|
||||
Deref Aliases: 0 (neverDerefAliases)
|
||||
Size Limit: 0
|
||||
Time Limit: 0
|
||||
Types Only: false
|
||||
Filter: (objectClass=posixAccount)
|
||||
Attributes:
|
||||
uid
|
||||
userPassword
|
||||
uidNumber
|
||||
gidNumber
|
||||
cn
|
||||
homeDirectory
|
||||
loginShell
|
||||
gecos
|
||||
description
|
||||
objectClass
|
||||
```
|
||||
|
||||
Default search for groups
|
||||
|
||||
```text
|
||||
Scope: 1 (singleLevel)
|
||||
Deref Aliases: 0 (neverDerefAliases)
|
||||
Size Limit: 0
|
||||
Time Limit: 0
|
||||
Types Only: false
|
||||
Filter: (objectClass=posixGroup)
|
||||
Attributes:
|
||||
cn
|
||||
userPassword
|
||||
memberUid
|
||||
gidNumber
|
||||
```
|
||||
|
||||
:::
|
||||
|
||||
### QNAP Web UI
|
||||
|
||||
Configure the following values and "Apply"
|
||||
![qnap domain security](./qnap-ldap-configuration.png)
|
||||
|
||||
:::warning
|
||||
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
|
||||
:::
|
||||
|
||||
:::note
|
||||
The UI Configuration is necessary, as it will save the Password encrypted
|
||||
in `/etc/config/nss_ldap.ensecret`.
|
||||
:::
|
||||
|
||||
### SSH
|
||||
|
||||
Connect your QNAP NAS via SSH.
|
||||
First stop the LDAP Service:
|
||||
|
||||
```bash
|
||||
/sbin/setcfg LDAP Enable FALSE
|
||||
/etc/init.d/ldap.sh stop
|
||||
```
|
||||
|
||||
Edit the file at `/etc/config/nss_ldap.conf`:
|
||||
|
||||
```conf
|
||||
host ${ldap.domain}
|
||||
base ${ldap.baseDN}
|
||||
uri ldaps://${ldap.domain}/
|
||||
ssl on
|
||||
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
|
||||
nss_schema rfc2307bis
|
||||
|
||||
# remap object classes to authentik ones
|
||||
nss_map_objectclass posixAccount user
|
||||
nss_map_objectclass shadowAccount user
|
||||
nss_map_objectclass posixGroup group
|
||||
|
||||
# remap attributes
|
||||
# uid to cn is essential otherwise only id usernames will occur
|
||||
nss_map_attribute uid cn
|
||||
# map displayName information into comments field
|
||||
nss_map_attribute gecos displayName
|
||||
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
|
||||
nss_map_attribute uniqueMember member
|
||||
|
||||
# configure scope per search filter
|
||||
nss_base_passwd ou=users,${ldap.baseDN}?one
|
||||
nss_base_shadow ou=users,${ldap.baseDN}?one
|
||||
nss_base_group ou=groups,${ldap.baseDN}?one
|
||||
|
||||
tls_checkpeer no
|
||||
referrals no
|
||||
bind_policy soft
|
||||
timelimit 120
|
||||
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
|
||||
nss_initgroups_ignoreusers admin,akadmin
|
||||
```
|
||||
|
||||
Now start the LDAP Service:
|
||||
|
||||
```bash
|
||||
/sbin/setcfg LDAP Enable TRUE
|
||||
/etc/init.d/ldap.sh start
|
||||
```
|
||||
|
||||
To see if connection is working, type
|
||||
|
||||
```bash
|
||||
# list users
|
||||
$ getent passwd
|
||||
```
|
||||
|
||||
The output should list local users and authentik accounts.
|
||||
|
||||
```bash
|
||||
# list groups
|
||||
$ getent group
|
||||
```
|
||||
|
||||
The output should list local and authentik groups.
|
Binary file not shown.
After Width: | Height: | Size: 198 KiB |
|
@ -19,6 +19,7 @@ module.exports = {
|
|||
"services/harbor/index",
|
||||
"services/hashicorp-vault/index",
|
||||
"services/minio/index",
|
||||
"services/qnap-nas/index",
|
||||
"services/opnsense/index",
|
||||
"services/pfsense/index",
|
||||
"services/pgadmin/index",
|
||||
|
|
Reference in a new issue