Configure OpenLDAP appliance to authenticating other TurnKey appliances #163

Closed
JedMeister opened this issue Feb 11, 2014 · 9 comments

@JedMeister
Member

JedMeister commented Feb 11, 2014

Jonathan Struebel posted some good feedback and suggestions re the OpenLDAP appliance on the TKL forums.

Ideally the points probably should be pulled apart into individual feature requests (so they can be considered in isolation), but for now I have just posted this (if someone gets around to it before I do then please comment here and I'll close this one).


@jstruebel

I'd be willing to open the separate feature requests, but I couldn't see how to tag them properly. Or do I just create it and someone else applies the proper tags?

@JedMeister
Member Author

Thanks mate. I'm not sure why but tagging can't be done by anyone... So if you create them as separate issues/feature requests I can tag them. I'll probably be away a couple days but I'll sort it when I'm back.

@JedMeister JedMeister modified the milestones: 14.1, 14.0 Jul 14, 2015
@JedMeister JedMeister modified the milestones: 14.1, 14.0 Oct 9, 2015
@JedMeister
Member Author

Hey @jstruebel - if I get some clarity from Alon and/or Liraz regarding your suggestions would you be interested (and able) to have a go at implementing some of your ideas for v14.1?

We are starting to focus on v14.1 now. It will mostly be a "maintenance release" (including updated security packages and bugfixes) but adding some features would be cool too!

We don't have a clear timeframe for v14.1 release but we hope it won't take us too long to get out. So even if you don't have time for v14.1; then maybe v14.2!?

@JedMeister
Member Author

I have been re-reading and perhaps this is too much to ask for for v14.1!? I will comment on the original forum post...

@JedMeister
Member Author

I just found https://github.com/jstruebel/core-ldap so it looks like the OpenLDAP side is done!?

Does https://github.com/jstruebel/samba-ldap also work with Samba4 config? Or only Samba3/NT type domain setup? To answer my own question: https://wiki.samba.org/index.php/Samba4/LDAP_Backend

@jstruebel

@JedMeister I've successfully used the https://github.com/jstruebel/samba-ldap with the new fileserver appliance. So far I only had to make a few minor tweaks, and I discovered an issue with the SysVinit scripts that I need to track down. However, I'm not using it in an Active Directory mode, it's basically in the same mode as Samba3 used it. It sounds like from the link you posted that OpenLDAP as the directory for Samba4 as part of an Active Domain isn't supported.

The https://github.com/jstruebel/core-ldap patch is to add the appropriate packages/hooks (pam_ldap, nss_ldap) so that Linux logins can authenticate against an OpenLDAP directory. I do have most of my suggestions implemented as patches, so integrating them into the appliance shouldn't be too challenging. The main thing would probably be testing since I've mostly just tested to ensure it worked for me.

@jstruebel

Since you've seen some of my patches, here is a quick list and description of the OpenLDAP related ones.

https://github.com/jstruebel/openldap-nsspam - Adds the required schema/configs to OpenLDAP for use by NSS/PAM as an authentication source
https://github.com/jstruebel/openldap-pla - Adds some custom templates and configures phpLDAPadmin
https://github.com/jstruebel/openldap-samba - Adds the required schema/configs to OpenLDAP for use by Samba as an authentication source
https://github.com/jstruebel/core-ldap - Adds NSS/PAM to all core TurnKey Linux appliances to authenticate against an OpenLDAP server (The openldap-nsspam configs are required on the OpenLDAP server)
https://github.com/jstruebel/samba-ldap - Adds LDAP as the database backend to Samba. Originally developed for Samba3, but works on Samba4 when used in the same type of environment, i.e. NOT Active Directory.
https://github.com/jstruebel/headless-ldap - Adds inithooks preseeding options used by the core-ldap and samba-ldap patches. Deprecated since the headless configurations are part of buildtasks now. I added these to the headless patch in my fork of https://github.com/turnkeylinux/buildtasks
https://github.com/jstruebel/nginx-ldap-pam - Adds LDAP and PAM as authentication sources for NGINX basic auth

As you can see, I've tried to name them with the appliance they modify followed by what they add. As I get some time I'll try to add some more description to them so that someone browsing them understands them. I really didn't expect anyone to look at them so I haven't done much to document them for someone who isn't familiar with them.

@JedMeister
Member Author

Awesome! Love your work! 👍

TBH I'm inclined to add your OpenLDAP patch to the OpenLDAP appliance. From what I can see it adds potential functionality; with no real downside for other usage.

I'm not quite so sure about adding all your other patches to the appliances though. I think that they definitely add value and it's awesome that you've published them on GitHub (so others can use them). But it also adds complexity that may not be relevant to many users. I'm thinking particularly for those hosting in the cloud. Out of interest have you tried applying them directly to a running instance (as a TKLPatch)? That might be the easiest way for other users to install them?

Regardless I think that we need to advertise the brilliant work you've done at the very least! Would you be interested in writing a guest blog post about them? I think that would be pretty cool! 😄 Obviously no pressure though...

@JedMeister JedMeister changed the title Feedback on OpenLDAP appliance Configure OpenLDAP appliance to authenticating other TurnKey appliances Jan 22, 2016
@JedMeister JedMeister modified the milestones: 14.2, 14.1 Jan 22, 2016
@JedMeister
Member Author

We can close this now I think. Please reopen if I got that wrong.
