Improve LDAP configuration and authentication consistency

gsanchietti commented 2 weeks ago

Enhance LDAP configuration to address inconsistencies between Samba AD and MS AD, clarify field usage, and improve migration processes.

Purpose of the feature

Streamline LDAP configuration across different directory services (Samba AD, MS AD, OpenLDAP)
Clarify the purpose and usage of configuration fields
Improve consistency in migration processes
Enhance LDAP response parsing for more reliable authentication

Current problems

Proposed solution Frontend changes:

Rename "User CN field" to "User display name attribute"
Add tooltip for "User display name attribute": "Display name attribute for the user. The display name typically represents the user's full name like 'John Doe'. Example: 'displayName' for Active Directory or 'cn' for NethServer OpenLDAP"
Add tooltip for "User attribute field": "LDAP attribute that corresponds to the user's identity. This attribute is used to uniquely identify users within the LDAP directory. Example: 'uid' for OpenLDAP or 'sAMAccountname' for Active Directory"

Backend changes:

Implement a new library for parsing LDAP responses to ensure more consistent decoding
Update migration processes to handle Samba AD and MS AD consistently

Other changes:

Update documentation to reflect new field names and provide clear guidance on configuration for different LDAP systems
Conduct thorough QA testing to ensure compatibility and consistency across various LDAP setups

See also

gsanchietti commented 2 weeks ago

Migration testing package for NS7: nethserver-firewall-migration-0.0.19-1.2.gfd6fcf6.ns7.noarch.rpm

github-actions[bot] commented 2 weeks ago

gsanchietti commented 2 weeks ago

Test case 1

Configure a new remote database connected OpenLDAP server running on NS7, do not specify the Custom user bind DN field
Connect the OpenVPN road warrior server to the remote database
Configure the OpenVPN road warrior with user and password authentication
Verify the clients can connect and authenticate to the OpenVPN server

Test case 2

Test case 3

Configure a new remote database connected Active Directory server running on NS7
Specify the Custom user bind DN field as %u@domain
Set User attribute field to sAMAccountName
Set User display name field to displayName
Connect the OpenVPN road warrior server to the remote database
Configure the OpenVPN road warrior with user and password authentication
Verify the clients can connect and authenticate to the OpenVPN server

Test case 4

Test case 5 (migration)

Configure a NS7 machine and connect it to a remote NethServer Active Directory
Make sure to have installed the latest migration package from testing repository
Configure the OpenVPN road warrior with user and password authentication
Migrate the machine
Verify the user page display all Active Directory users
Verify clients can connect and authenticate to the OpenVPN server using %u@domain
Verify User attribute field is set to samAccountName
Verify User display name field is set to displayName

Test case 6 (migration)

Test case 7

Test case 8

Test case 9

github-actions[bot] commented 1 week ago

gsanchietti commented 1 week ago

Test cases 1,2,3,4,5,6 verified by Luca D and @cotosso

gsanchietti commented 1 week ago

Verified

NethServer / nethsecurity