Quentin
3095f1726e
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #87 |
||
|---|---|---|
| integration | ||
| openapi | ||
| static | ||
| templates | ||
| .envrc | ||
| .gitignore | ||
| .woodpecker.yml | ||
| admin.go | ||
| api.go | ||
| cli.go | ||
| config.json.example | ||
| directory.go | ||
| Dockerfile | ||
| flake.lock | ||
| flake.nix | ||
| garage.go | ||
| go.mod | ||
| go.sum | ||
| gomod2nix.toml | ||
| guichet.hcl.example | ||
| invite.go | ||
| LICENSE | ||
| login.go | ||
| main.go | ||
| picture.go | ||
| profile.go | ||
| quotas.go | ||
| README.md | ||
| ssha.go | ||
| website.go | ||
| webui_website.go | ||
Guichet
Guichet is a simple LDAP web interface for the following tasks:
- self-service password change
- administration of the LDAP directory
- inviting new users to create accounts
Guichet works well with the Bottin LDAP server. Currently, Guichet's templates are only in French as it has been created for the Deuxfleurs collective. We would gladly merge a pull request with an English translation !
A Docker image is provided on the Docker hub.
An example for running Guichet on a Nomad cluster can be found in guichet.hcl.example.
Guichet takes a single command line argument, -config <filename>, which is the
path to its config file (defaults to ./config.json).
The configuration file is a JSON file whose contents is described in the following section.
Guichet is licensed under the terms of the GPLv3.
Building Guichet
Guichet requires go 1.13 or later.
Development build:
go build
Production build:
nix build
Production container:
docker run .#docker
Configuration of Guichet
Guichet is configured using a simple JSON config file which is a dictionnary whose keys are described below. An example is provided in a further section.
HTTP listen address
http_bind_addr: which IP and port to bind on for the HTTP web interface. Guichet does not support HTTPS, use a reverse proxy for that.
LDAP server configuration
ldap_server_addr: the address of the LDAP server to useldap_tls(boolean): whether to attempt STARTTLS on the LDAP connectionbase_dn: the base LDAP object under which we are allowed to view and modify objects
User and group configuration
user_base_dn: the base LDAP object that contains user accountsuser_name_attr: the search attribute for user identifiers (usuallyuidorcn)group_base_dnandgroup_name_attr: same for groups
Administration configuration
admin_account: DN of an LDAP account that has administrative privilege. If such an account is set, the admin can log in by entering the full DN in the login form.group_can_admin: DN of a LDAP group whose members are given administrative privilege
Invitation configuration
Guichet supports a mechanism where users can send invitations by email to other users. The ability to send such invitations can be configured to be restricted to a certain group of users. Invitation codes are created as temporary LDAP objects in a special folder.
group_can_invite: the LDAP DN of a group whose members are allowed to send invitations to new usersinvitation_base_dn: the LDAP folder in which invitation codes are storedinvitation_name_attr: just usecninvited_mail_format: automatically set the invited user's email to this string, where{}is replaced by the created username (ex:{}@deuxfleurs.fr)invited_auto_groups(list of strings): a list of DNs of LDAP groups
Email configuration
Guichet can send an invitation link by email. To do so, an SMTP server must be configured:
smtp_server: the host and port of the mail serversmtp_usernameandsmtp_password: the username and password to log in with on the mail servermail_from: the sender email address for the invitation messageweb_address: the base web address of the Guichet service (used for building the invitation link)
Example configuration
This is a subset of the configuration we use on Deuxfleurs:
{
"http_bind_addr": ":9991",
"ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389",
"base_dn": "dc=deuxfleurs,dc=fr",
"user_base_dn": "ou=users,dc=deuxfleurs,dc=fr",
"user_name_attr": "cn",
"group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr",
"group_name_attr": "cn",
"admin_account": "cn=admin,dc=deuxfleurs,dc=fr",
"group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr",
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr"
}
Here is an example of Bottin ACLs that may be used to support Guichet invitations:
"acl": [
"*,dc=deuxfleurs,dc=fr::read:*:* !userpassword",
"*::read modify:SELF:*",
"ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*",
"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*",
"ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:",
"*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*"
]
Consult this directory to view the full configuration in use on Deuxfleurs.
Contribute & local development
Guichet needs a few components to work :
- A Bottin server
- that needs a consul server
- And a Garage cluster (of at least one node)
A basic consul / bottin stack is available through the docker compose file you can find in
integrationsubdirectory:
cd integration
docker compose up -d
You can then run Guichet locally :
# First, copy a sample config file
copy config.json.example config.json
# Run the go development server
go run .
It will be available on http://localhost:9991.
First run
How to get my admin password
On first Bottin's run, it is displayed in the logs.
You can easily find it by reading the container logs :
docker compose logs bottin | grep password:
- The username is provided in the log, and should look like this:
cn=admin,dc=bottin,dc=eu. - The password is right after in the same log line.
Garage
⚠️ Be aware at this stage that your local Guichet installation is not 100% working, especially the websites features.
You need to initialise Garage. It can be done in a few commands, coming from the official Garage's documentation:
# Find your Garage node ID
docker compose exec garage /garage
# Your id is eb820c8da5605f78 in the output below
ID Hostname Address Tags Zone Capacity DataAvail
eb820c8da5605f78 9bd710b31be0 127.0.0.1:3901 NO ROLE ASSIGNED
# Then create a cluster layout with this id
docker compose exec garage /garage layout assign -z dc1 -c 1G eb820c8da5605f78
# Finally, apply the layout
docker compose exec garage /garage layout apply
🎉 You now can go to http://localhost:9991/website without getting 503 errors.