habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7963e4af760589cf3beef173f57fb9341fed9d6
authentik/website/integrations/services/qnap-nas/index.md
Teffen Ellis a714c781a6 website: Use Docusaurus Frontmatter for badges (#12893) 
website/docs: Reduce redundant usage of badges. Move badge logic to components.

- Fix JSX class name warning.
- Remove duplicate titles.
- Flesh out `support_level` frontmatter.
2025-02-19 18:03:05 +00:00

193 lines
5.6 KiB
Markdown
Raw Blame History

---
title: Integrate with QNAP NAS
sidebar_label: QNAP NAS
---
## What is QNAP NAS
> QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.
>
> -- https://en.wikipedia.org/wiki/QNAP_Systems
Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **not** (well) documented what really is done behind the scenes of QNAP.
## Preparation
The following placeholders are used in this guide:
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) a FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `qnap.serviceAccount` is a service account created in authentik
- `qnap.serviceAccountToken` is the service account token generated
by authentik.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS. See the [ldap provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side.
Remember the `ldap.baseDN` you have configured for the provider as you'll
need it in the sssd configuration.
Create a new service account for all of your hosts to use to connect
to LDAP and perform searches. Make sure this service account is added
to `ldap.searchGroup`.
:::caution
It seems that QNAP LDAP client configuration has issues with too long password.
Max password length \<= 66 characters.
:::
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](https://docs.goauthentik.io/docs/add-secure-apps/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.
The outpost will connect to authentik and configure itself.
## NAS Configuration
The procedure is a two step setup:
1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
:::note
The config edit is essential, as QNAP relies on certain not configurable things.
The search for users and groups relies on a fix filter for
`objectClass` in `posixAccount` or `posixGroup` classes.
Also by default the search scope is set to `one` (`singleLevel`), which can be
adapted in the config to `sub` (`wholeSubtree`).
### Sample LDAP request from QNAP
Default search for users
```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixAccount)
Attributes:
uid
userPassword
uidNumber
gidNumber
cn
homeDirectory
loginShell
gecos
description
objectClass
```
Default search for groups
```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixGroup)
Attributes:
cn
userPassword
memberUid
gidNumber
```
:::
### QNAP Web UI
Configure the following values and "Apply"
![qnap domain security](./qnap-ldap-configuration.png)
:::caution
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
:::
:::note
The UI Configuration is necessary, as it will save the Password encrypted
in `/etc/config/nss_ldap.ensecret`.
:::
### SSH
Connect your QNAP NAS via SSH.
First stop the LDAP Service:
```bash
/sbin/setcfg LDAP Enable FALSE
/etc/init.d/ldap.sh stop
```
Edit the file at `/etc/config/nss_ldap.conf`:
```conf
host ${ldap.domain}
base ${ldap.baseDN}
uri ldaps://${ldap.domain}/
ssl on
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
nss_schema rfc2307bis
# remap object classes to authentik ones
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# remap attributes
# uid to cn is essential otherwise only id usernames will occur
nss_map_attribute uid cn
# map displayName information into comments field
nss_map_attribute gecos displayName
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
nss_map_attribute uniqueMember member
# configure scope per search filter
nss_base_passwd ou=users,${ldap.baseDN}?one
nss_base_shadow ou=users,${ldap.baseDN}?one
nss_base_group ou=groups,${ldap.baseDN}?one
tls_checkpeer no
referrals no
bind_policy soft
timelimit 120
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
nss_initgroups_ignoreusers admin,akadmin
```
Now start the LDAP Service:
```bash
/sbin/setcfg LDAP Enable TRUE
/etc/init.d/ldap.sh start
```
To see if connection is working, type
```bash
# list users
$ getent passwd
```
The output should list local users and authentik accounts.
```bash
# list groups
$ getent group
```
The output should list local and authentik groups.
Reference in New Issue View Git Blame Copy Permalink