4f08a9424a
* Add Docu: QNAP NAS LDAP connect * fix formatting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
191 lines
5.3 KiB
Markdown
191 lines
5.3 KiB
Markdown
---
|
|
title: QNAP NAS
|
|
---
|
|
|
|
## What is QNAP NAS
|
|
|
|
From <https://en.wikipedia.org/wiki/QNAP_Systems>
|
|
|
|
:::note
|
|
QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.
|
|
:::
|
|
|
|
Connecting a QNAP NAS to an LDAP Directory is a little bit special
|
|
as it is **not** (well) documented what really is done behind the scenes of QNAP.
|
|
|
|
## Preperation
|
|
|
|
The following placeholders will be used:
|
|
|
|
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
|
|
- `ldap.domain` is (typically) a FQDN for your domain. Usually
|
|
it is just the components of your base DN. For example, if
|
|
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
|
|
might be `ldap.goauthentik.io`.
|
|
- `ldap.searchGroup` is the "Search Group" that can can see all
|
|
users and groups in authentik.
|
|
- `qnap.serviceAccount` is a service account created in authentik
|
|
- `qnap.serviceAccountToken` is the service account token generated
|
|
by authentik.
|
|
|
|
Create an LDAP Provider if you don't already have one setup.
|
|
This guide assumes you will be running with TLS. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the authentik side.
|
|
|
|
Remember the `ldap.baseDN` you have configured for the provider as you'll
|
|
need it in the sssd configuration.
|
|
|
|
Create a new service account for all of your hosts to use to connect
|
|
to LDAP and perform searches. Make sure this service account is added
|
|
to `ldap.searchGroup`.
|
|
|
|
:::warning
|
|
It seems that QNAP LDAP client configuration has issues with too long password.
|
|
Max password length <= 66 characters.
|
|
:::
|
|
|
|
## Deployment
|
|
|
|
Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.
|
|
|
|
The outpost will connect to authentik and configure itself.
|
|
|
|
## NAS Configuration
|
|
|
|
The procedure is a two step setup:
|
|
|
|
1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
|
|
2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
|
|
|
|
:::note
|
|
The config edit is essential, as QNAP relies on certain not configurable things.
|
|
The search for users and groups relies on a fix filter for
|
|
`objectClass` in `posixAccount` or `posixGroup` classes.
|
|
|
|
Also by default the search scope is set to `one` (`singleLevel`), which can be
|
|
adapted in the config to `sub` (`wholeSubtree`).
|
|
|
|
### Sample LDAP request from QNAP
|
|
|
|
Default search for users
|
|
|
|
```text
|
|
Scope: 1 (singleLevel)
|
|
Deref Aliases: 0 (neverDerefAliases)
|
|
Size Limit: 0
|
|
Time Limit: 0
|
|
Types Only: false
|
|
Filter: (objectClass=posixAccount)
|
|
Attributes:
|
|
uid
|
|
userPassword
|
|
uidNumber
|
|
gidNumber
|
|
cn
|
|
homeDirectory
|
|
loginShell
|
|
gecos
|
|
description
|
|
objectClass
|
|
```
|
|
|
|
Default search for groups
|
|
|
|
```text
|
|
Scope: 1 (singleLevel)
|
|
Deref Aliases: 0 (neverDerefAliases)
|
|
Size Limit: 0
|
|
Time Limit: 0
|
|
Types Only: false
|
|
Filter: (objectClass=posixGroup)
|
|
Attributes:
|
|
cn
|
|
userPassword
|
|
memberUid
|
|
gidNumber
|
|
```
|
|
|
|
:::
|
|
|
|
### QNAP Web UI
|
|
|
|
Configure the following values and "Apply"
|
|
![qnap domain security](./qnap-ldap-configuration.png)
|
|
|
|
:::warning
|
|
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
|
|
:::
|
|
|
|
:::note
|
|
The UI Configuration is necessary, as it will save the Password encrypted
|
|
in `/etc/config/nss_ldap.ensecret`.
|
|
:::
|
|
|
|
### SSH
|
|
|
|
Connect your QNAP NAS via SSH.
|
|
First stop the LDAP Service:
|
|
|
|
```bash
|
|
/sbin/setcfg LDAP Enable FALSE
|
|
/etc/init.d/ldap.sh stop
|
|
```
|
|
|
|
Edit the file at `/etc/config/nss_ldap.conf`:
|
|
|
|
```conf
|
|
host ${ldap.domain}
|
|
base ${ldap.baseDN}
|
|
uri ldaps://${ldap.domain}/
|
|
ssl on
|
|
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
|
|
nss_schema rfc2307bis
|
|
|
|
# remap object classes to authentik ones
|
|
nss_map_objectclass posixAccount user
|
|
nss_map_objectclass shadowAccount user
|
|
nss_map_objectclass posixGroup group
|
|
|
|
# remap attributes
|
|
# uid to cn is essential otherwise only id usernames will occur
|
|
nss_map_attribute uid cn
|
|
# map displayName information into comments field
|
|
nss_map_attribute gecos displayName
|
|
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
|
|
nss_map_attribute uniqueMember member
|
|
|
|
# configure scope per search filter
|
|
nss_base_passwd ou=users,${ldap.baseDN}?one
|
|
nss_base_shadow ou=users,${ldap.baseDN}?one
|
|
nss_base_group ou=groups,${ldap.baseDN}?one
|
|
|
|
tls_checkpeer no
|
|
referrals no
|
|
bind_policy soft
|
|
timelimit 120
|
|
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
|
|
nss_initgroups_ignoreusers admin,akadmin
|
|
```
|
|
|
|
Now start the LDAP Service:
|
|
|
|
```bash
|
|
/sbin/setcfg LDAP Enable TRUE
|
|
/etc/init.d/ldap.sh start
|
|
```
|
|
|
|
To see if connection is working, type
|
|
|
|
```bash
|
|
# list users
|
|
$ getent passwd
|
|
```
|
|
|
|
The output should list local users and authentik accounts.
|
|
|
|
```bash
|
|
# list groups
|
|
$ getent group
|
|
```
|
|
|
|
The output should list local and authentik groups.
|