Deuxfleurs/guichet
18
4
Fork 4
Code Issues 43 Pull requests 3 Projects 2 Releases Wiki Activity
guichet/README.md
Quentin 492be02f59
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
Merge pull request 'Add instructions about how to run Guichet locally' (#81) from fabientot/guichet:improve-local-development into main 
Reviewed-on: #81
2025-03-24 15:41:28 +00:00

204 lines
7.3 KiB
Markdown
Raw Blame History

# Guichet
[![status-badge](https://woodpecker.deuxfleurs.fr/api/badges/37/status.svg)](https://woodpecker.deuxfleurs.fr/repos/37)
Guichet is a simple LDAP web interface for the following tasks:
- self-service password change
- administration of the LDAP directory
- inviting new users to create accounts
Guichet works well with the [Bottin](https://git.deuxfleurs.fr/deuxfleurs/bottin) LDAP server.
Currently, Guichet's templates are only in French as it has been created for
the [Deuxfleurs](https://deuxfleurs.fr) collective.
We would gladly merge a pull request with an English translation !
A Docker image is provided on the [Docker hub](https://hub.docker.com/r/lxpz/guichet_amd64).
An example for running Guichet on a Nomad cluster can be found in `guichet.hcl.example`.
Guichet takes a single command line argument, `-config <filename>`, which is the
path to its config file (defaults to `./config.json`).
The configuration file is a JSON file whose contents is described in the following section.
Guichet is licensed under the terms of the GPLv3.
## Building Guichet
Guichet requires go 1.13 or later.
Development build:
```
go build
```
Production build:
```
nix build
```
Production container:
```
docker run .#docker
```
## Configuration of Guichet
Guichet is configured using a simple JSON config file which is a dictionnary whose keys
are described below. An example is provided in a further section.
### HTTP listen address
- `http_bind_addr`: which IP and port to bind on for the HTTP web interface. Guichet does not support HTTPS, use a reverse proxy for that.
### LDAP server configuration
- `ldap_server_addr`: the address of the LDAP server to use
- `ldap_tls` (boolean): whether to attempt STARTTLS on the LDAP connection
- `base_dn`: the base LDAP object under which we are allowed to view and modify objects
### User and group configuration
- `user_base_dn`: the base LDAP object that contains user accounts
- `user_name_attr`: the search attribute for user identifiers (usually `uid` or `cn`)
- `group_base_dn` and `group_name_attr`: same for groups
### Administration configuration
- `admin_account`: DN of an LDAP account that has administrative privilege. If such an account is set, the admin can log in by entering the full DN in the login form.
- `group_can_admin`: DN of a LDAP group whose members are given administrative privilege
### Invitation configuration
Guichet supports a mechanism where users can send invitations by email to other users.
The ability to send such invitations can be configured to be restricted to a certain group of users.
Invitation codes are created as temporary LDAP objects in a special folder.
- `group_can_invite`: the LDAP DN of a group whose members are allowed to send invitations to new users
- `invitation_base_dn`: the LDAP folder in which invitation codes are stored
- `invitation_name_attr`: just use `cn`
- `invited_mail_format`: automatically set the invited user's email to this string, where `{}` is replaced by the created username (ex: `{}@deuxfleurs.fr`)
- `invited_auto_groups` (list of strings): a list of DNs of LDAP groups
#### Email configuration
Guichet can send an invitation link by email. To do so, an SMTP server must be configured:
- `smtp_server`: the host and port of the mail server
- `smtp_username` and `smtp_password`: the username and password to log in with on the mail server
- `mail_from`: the sender email address for the invitation message
- `web_address`: the base web address of the Guichet service (used for building the invitation link)
## Example configuration
This is a subset of the configuration we use on Deuxfleurs:
```
{
"http_bind_addr": ":9991",
"ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389",
"base_dn": "dc=deuxfleurs,dc=fr",
"user_base_dn": "ou=users,dc=deuxfleurs,dc=fr",
"user_name_attr": "cn",
"group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr",
"group_name_attr": "cn",
"admin_account": "cn=admin,dc=deuxfleurs,dc=fr",
"group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr",
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr"
}
```
Here is an example of Bottin ACLs that may be used to support Guichet invitations:
```
"acl": [
"*,dc=deuxfleurs,dc=fr::read:*:* !userpassword",
"*::read modify:SELF:*",
"ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*",
"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*",
"ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:",
"*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*"
]
```
Consult [this directory](https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/src/branch/main/app/directory/config)
to view the full configuration in use on Deuxfleurs.
## Contribute & local development
Guichet needs a few components to work :
- A Bottin server
- that needs a consul server
- And a Garage cluster (of at least one node)
A basic consul / bottin stack is available through the docker compose file you can find in `integration` subdirectory:
```sh
cd integration
docker compose up -d
```
You can then run Guichet locally :
```sh
# First, copy a sample config file
copy config.json.example config.json
# Run the go development server
go run .
```
It will be available on http://localhost:9991.
### First run
#### How to get my admin password
On first Bottin's run, it is displayed in the logs.
You can easily find it by reading the container logs :
```sh
docker compose logs bottin | grep password:
```
- The **username** is provided in the log, and should look like this: `cn=admin,dc=bottin,dc=eu`.
- The **password** is right after in the same log line.
#### Garage
⚠️ Be aware at this stage that your local Guichet installation is not 100% working, especially the websites features.
You need to initialise Garage. It can be done in a few commands, coming from [the official Garage's documentation](https://garagehq.deuxfleurs.fr/documentation/quick-start/):
```sh
# Find your Garage node ID
docker compose exec garage /garage
# Your id is eb820c8da5605f78 in the output below
ID Hostname Address Tags Zone Capacity DataAvail
eb820c8da5605f78 9bd710b31be0 127.0.0.1:3901 NO ROLE ASSIGNED
# Then create a cluster layout with this id
docker compose exec garage /garage layout assign -z dc1 -c 1G eb820c8da5605f78
# Finally, apply the layout
docker compose exec garage /garage layout apply
```
🎉 You now can go to http://localhost:9991/website without getting 503 errors.
Reference in a new issue View git blame Copy permalink