ahaenggli / AzureAD-LDAP-wrapper

LDAP-Wrapper for 'microsoft 365' work or school accounts/users (former 'office 365' - via Entra ID, former AzureAD without AADDS)
https://ahaenggli.github.io/AzureAD-LDAP-wrapper/
MIT License
121 stars 30 forks

Non Synology non container setup #50

Closed doubleddav closed 1 year ago

doubleddav commented 1 year ago

Hi,

I've been experimenting with this on an Alpine VM. So far so good, I have the wrapper running happily in the background.

I was wondering how to link this to the system, such that either:

I'm assuming Synology are using an openldap client and maybe something like sssd to link all of this together?

Thanks

ahaenggli commented 1 year ago

Hey, I think you are on the right track. Synology uses a few of its own implementations for the permissions (because the users might be "mixed" locally and externally). I would consider the LDAP-wrapper like an openldap server and google accordingly how you could use an openldap server to connect SSH and samba... If I read the Synology samba config correctly, they use NT4 mode and as you guessed SSSD seems also to be configured. Hope this gets you further! :)

doubleddav commented 1 year ago

Thanks for getting back to me :-)

I'll do a bit more digging as I have time and see if I can get this working - sans Synology. I might document what I do as well somewhere.

To get some hints, I don't suppose you could pull out the samba and sssd config files from the Synology for me to have a look at?

Thanks

ahaenggli commented 1 year ago

Sure, hope it helps you:

smb.conf

```conf
[global]
printcap name=cups
winbind enum groups=yes
include=/var/tmp/nginx/smb.netbios.aliases.conf
ldap admin dn=uid=root
encrypt passwords=yes
workgroup=WORKGROUP
min protocol=SMB2
ldap ssl=Off
security=user
local master=no
realm=*
ldap passwd sync=yes
ldap suffix=dc=domain,dc=tld
passdb backend=multi:smbpasswd,ldapsam:ldap://127.0.0.1
syno ldap support=yes
printing=cups
max protocol=SMB3
winbind enum users=yes
load printers=yes
admin users=@WORKGROUP\Domain Admins,@WORKGROUP\Enterprise Admins
```

sssd.conf

```conf
[sssd]
reconnection_retries = 3
sbus_timeout = 30
domains = domain.tld
config_file_version = 2
debug_level = 1
services = nss, pam

[nss]
filter_groups=root
filter_users=root
reconnection_retries=2
memcache_timeout=300
entry_cache_nowait_percentage=50
debug_level=1

[pam]
reconnection_retries=3
offline_credentials_expiration=2
offline_failed_login_attempts=2
offline_failed_login_delay=50
debug_level=1

# Example LDAP domain
[domain/domain.tld]
id_provider = ldap
nss_nested_groups = yes
auth_provider = ldap
ldap_schema = rfc2307bis
entry_cache_timeout = 5400
ldap_default_authtok_type = syno_secret
gidmap_max = 0
case_sensitive = preserving
ldap_search_base = dc=domain,dc=tld
ldap_id_use_start_tls = false
uidmap_max = 0
debug_level = 1
ssl = no
ldap_group_nesting_level = 5
ldap_pwd_policy = shadow
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
gidmap_min = 0
ldap_uri = ldap://127.0.0.1
ldap_tls_cacertdir = /etc/ssl/certs
uidmap_min = 0
ldap_default_bind_dn = uid=root
# ldap_tls_key=/var/lib/ldap/ldapclient.key
# ldap_tls_cert=/var/lib/ldap/ldapclient.crt
```
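As an added check (not code from the project or from this thread), the script below loads an sssd.conf in the shape posted above and lists, per LDAP domain, the options that switch transport security off and the value that only Synology's sssd understands, so that someone porting the file to a stock sssd on Alpine sees which settings are only defensible because ldap_uri points at loopback. Key names come from the posted file; the reduced sample config is constructed.

```python
import configparser

# Constructed sample: the [domain/domain.tld] section posted above, reduced to the keys checked.
SAMPLE_SSSD_CONF = """[sssd]
domains = domain.tld

[domain/domain.tld]
id_provider = ldap
auth_provider = ldap
ldap_default_authtok_type = syno_secret
ldap_uri = ldap://127.0.0.1
ssl = no
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
ldap_default_bind_dn = uid=root
"""

# A bare LDAP connection is only defensible when it never leaves the host.
LOOPBACK_PREFIXES = ("ldap://127.0.0.1", "ldap://localhost", "ldapi://")
# Option/value pairs that disable TLS or certificate checking in an sssd LDAP domain.
TLS_DISABLING = {
    "ssl": "no",
    "ldap_id_use_start_tls": "false",
    "ldap_auth_disable_tls_never_use_in_production": "true",
    "ldap_tls_reqcert": "never",
}
# Value that only Synology's sssd build knows; a stock sssd will not accept it.
SYNOLOGY_ONLY = {"ldap_default_authtok_type": "syno_secret"}


def review_sssd_conf(text: str) -> dict:
    """Map each [domain/...] section to what a port to stock sssd has to revisit."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        uri = dom.get("ldap_uri", "").strip()
        report[section] = {
            "uri_is_loopback": uri.startswith(LOOPBACK_PREFIXES),
            "tls_disabled_by": [k for k, v in TLS_DISABLING.items()
                                if dom.get(k, "").strip().lower() == v],
            "synology_only": [k for k, v in SYNOLOGY_ONLY.items()
                              if dom.get(k, "").strip() == v],
        }
    return report
```

Running it on the sample reports all four TLS-disabling options and the syno_secret token type; changing ldap_uri to a remote host flips uri_is_loopback to False while the same four options remain, which is the combination a non-Synology setup should not copy.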