mirror of https://github.com/lldap/lldap.git
docs: Misc updates
Deprecate key_file in favor of key_seed, add a script to generate the secrets
This commit is contained in:
parent
9f8364ca1a
commit
10609b25e9
24
README.md
24
README.md
|
@ -99,8 +99,9 @@ MySQL/MariaDB or PostgreSQL.
|
||||||
### With Docker
|
### With Docker
|
||||||
|
|
||||||
The image is available at `lldap/lldap`. You should persist the `/data`
|
The image is available at `lldap/lldap`. You should persist the `/data`
|
||||||
folder, which contains your configuration, the database and the private key
|
folder, which contains your configuration and the SQLite database (you can
|
||||||
file.
|
remove this step if you use a different DB and configure with environment
|
||||||
|
variables only).
|
||||||
|
|
||||||
Configure the server by copying the `lldap_config.docker_template.toml` to
|
Configure the server by copying the `lldap_config.docker_template.toml` to
|
||||||
`/data/lldap_config.toml` and updating the configuration values (especially the
|
`/data/lldap_config.toml` and updating the configuration values (especially the
|
||||||
|
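Review bot: the new parenthetical in the `/data` paragraph ("you can remove this step if you use a different DB and configure with environment variables only") needs one more condition. The config template's `key_file` comment still says the private key is "Randomly generated on first run if it doesn't exist", so unless `LLDAP_KEY_SEED` is also supplied, a container without a persisted `/data` gets a fresh private key on every start. Suggest "...if you use a different DB, set `LLDAP_KEY_SEED`, and configure with environment variables only".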
@ -108,10 +109,12 @@ Configure the server by copying the `lldap_config.docker_template.toml` to
|
||||||
Environment variables should be prefixed with `LLDAP_` to override the
|
Environment variables should be prefixed with `LLDAP_` to override the
|
||||||
configuration.
|
configuration.
|
||||||
|
|
||||||
If the `lldap_config.toml` doesn't exist when starting up, LLDAP will use default one. The default admin password is `password`, you can change the password later using the web interface.
|
If the `lldap_config.toml` doesn't exist when starting up, LLDAP will use
|
||||||
|
default one. The default admin password is `password`, you can change the
|
||||||
|
password later using the web interface.
|
||||||
|
|
||||||
Secrets can also be set through a file. The filename should be specified by the
|
Secrets can also be set through a file. The filename should be specified by the
|
||||||
variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_LDAP_USER_PASS_FILE`, and the file
|
variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_KEY_SEED_FILE`, and the file
|
||||||
contents are loaded into the respective configuration parameters. Note that
|
contents are loaded into the respective configuration parameters. Note that
|
||||||
`_FILE` variables take precedence.
|
`_FILE` variables take precedence.
|
||||||
|
|
||||||
|
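Review bot: swapping `LLDAP_LDAP_USER_PASS_FILE` for `LLDAP_KEY_SEED_FILE` removes the only mention of the admin-password file variable; unless the server no longer honours it, the sentence should list all three (`LLDAP_JWT_SECRET_FILE`, `LLDAP_KEY_SEED_FILE`, `LLDAP_LDAP_USER_PASS_FILE`), since a file-based admin password is the main reason to use the `_FILE` mechanism with Docker secrets. The reflow of the other paragraph is fine; while there, "will use default one" should read "will use the default one".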
@ -121,6 +124,7 @@ Example for docker compose:
|
||||||
- `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected.
|
- `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected.
|
||||||
- If `UID` and `GID` no defined LLDAP will use default `UID` and `GID` number `1000`.
|
- If `UID` and `GID` no defined LLDAP will use default `UID` and `GID` number `1000`.
|
||||||
- If no `TZ` is set, default `UTC` timezone will be used.
|
- If no `TZ` is set, default `UTC` timezone will be used.
|
||||||
|
- You can generate the secrets by running `./generate_secrets.sh`
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
version: "3"
|
version: "3"
|
||||||
|
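Review bot: the new bullet "You can generate the secrets by running `./generate_secrets.sh`" should say how its output is meant to be used. The script prints lines of the form `LLDAP_JWT_SECRET='...'`, which suit a `.env` file or a shell `export`, but pasted into the `environment:` list of the compose example below (`- LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM`) the single quotes become part of the value. It also assumes a repository checkout, which a Docker-only reader may not have. Unrelated context line in this hunk: "If `UID` and `GID` no defined" should be "are not defined".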
@ -133,8 +137,8 @@ services:
|
||||||
lldap:
|
lldap:
|
||||||
image: lldap/lldap:stable
|
image: lldap/lldap:stable
|
||||||
ports:
|
ports:
|
||||||
# For LDAP
|
# For LDAP, not recommended to expose, see Usage section.
|
||||||
- "3890:3890"
|
#- "3890:3890"
|
||||||
# For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
|
# For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
|
||||||
#- "6360:6360"
|
#- "6360:6360"
|
||||||
# For the web front-end
|
# For the web front-end
|
||||||
|
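Review bot: commenting out `- "3890:3890"` is the right default, but the comment "not recommended to expose, see Usage section" leaves the reader without the alternative: services on the same Docker network can still reach LDAP through the service name `lldap` on port 3890 with no published port at all. Spell that out in the comment, and link the section the way the README links elsewhere (e.g. `bootstrap.md#kubernetes-job`) instead of "see Usage section".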
@ -148,7 +152,7 @@ services:
|
||||||
- GID=####
|
- GID=####
|
||||||
- TZ=####/####
|
- TZ=####/####
|
||||||
- LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
|
- LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
|
||||||
- LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD
|
- LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
|
||||||
- LLDAP_LDAP_BASE_DN=dc=example,dc=com
|
- LLDAP_LDAP_BASE_DN=dc=example,dc=com
|
||||||
# If using LDAPS, set enabled true and configure cert and key path
|
# If using LDAPS, set enabled true and configure cert and key path
|
||||||
# - LLDAP_LDAPS_OPTIONS__ENABLED=true
|
# - LLDAP_LDAPS_OPTIONS__ENABLED=true
|
||||||
|
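Review bot: replacing `- LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD` with `- LLDAP_KEY_SEED=REPLACE_WITH_RANDOM` drops the admin password from the example, so a deployment built from it starts with the default `password` mentioned earlier in the README; keep both lines, or add a comment saying the admin password must be changed after first login. For `LLDAP_KEY_SEED`, the placeholder should also carry the two constraints the config template states: at least 12 characters, and, since the seed derives the private key that protects the stored passwords, it must not be changed once the instance has been used.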
@ -171,6 +175,7 @@ using [bootstrap.sh](example_configs/bootstrap/bootstrap.md#kubernetes-job).
|
||||||
It can be run by Argo CD for managing users in git-opt way, or as a one-shot job.
|
It can be run by Argo CD for managing users in git-opt way, or as a one-shot job.
|
||||||
|
|
||||||
### From a package repository
|
### From a package repository
|
||||||
|
|
||||||
**Do not open issues in this repository for problems with third-party
|
**Do not open issues in this repository for problems with third-party
|
||||||
pre-built packages. Report issues downstream.**
|
pre-built packages. Report issues downstream.**
|
||||||
|
|
||||||
|
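Review bot: this hunk only adds a blank line; while touching the area, the context line "for managing users in git-opt way" should read "in a GitOps way".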
@ -179,6 +184,7 @@ from a package repository, officially supported by the distribution or
|
||||||
community contributed.
|
community contributed.
|
||||||
|
|
||||||
#### Debian, CentOS Fedora, OpenSUSE, Ubuntu
|
#### Debian, CentOS Fedora, OpenSUSE, Ubuntu
|
||||||
|
|
||||||
The package for these distributions can be found at [LLDAP OBS](https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap).
|
The package for these distributions can be found at [LLDAP OBS](https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap).
|
||||||
- When using the distributed package, the default login is `admin/password`. You can change that from the web UI after starting the service.
|
- When using the distributed package, the default login is `admin/password`. You can change that from the web UI after starting the service.
|
||||||
|
|
||||||
|
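Review bot: whitespace-only hunk; the heading in context, `#### Debian, CentOS Fedora, OpenSUSE, Ubuntu`, is missing the comma between CentOS and Fedora, and the OBS link has a doubled slash (`software.opensuse.org//download.html`).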
@ -223,9 +229,7 @@ just run `cargo run -- run` to run the server.
|
||||||
#### Frontend
|
#### Frontend
|
||||||
|
|
||||||
To bring up the server, you'll need to compile the frontend. In addition to
|
To bring up the server, you'll need to compile the frontend. In addition to
|
||||||
`cargo`, you'll need:
|
`cargo`, you'll need WASM-pack, which can be installed by running `cargo install wasm-pack`.
|
||||||
|
|
||||||
- WASM-pack: `cargo install wasm-pack`
|
|
||||||
|
|
||||||
Then you can build the frontend files with
|
Then you can build the frontend files with
|
||||||
|
|
||||||
|
|
|
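Review bot: folding the single bullet `- WASM-pack: \`cargo install wasm-pack\`` into the sentence is a style choice, but the list form matched the "you'll need:" lead-in and left room for further prerequisites; if the prose form stays, use the tool's own spelling `wasm-pack` rather than "WASM-pack".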
@ -0,0 +1,12 @@
|
||||||
|
#! /bin/sh
|
||||||
|
|
||||||
|
function print_random () {
|
||||||
|
LC_ALL=C tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32
|
||||||
|
}
|
||||||
|
|
||||||
|
/bin/echo -n "LLDAP_JWT_SECRET='"
|
||||||
|
print_random
|
||||||
|
echo "'"
|
||||||
|
/bin/echo -n "LLDAP_KEY_SEED='"
|
||||||
|
print_random
|
||||||
|
echo "'"
|
|
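Review bot: `function print_random () {` is a bash/ksh extension, so under `#! /bin/sh` the script fails with a syntax error wherever `sh` is dash (Debian and Ubuntu); use the POSIX form `print_random() {`. The `/bin/echo -n` / `echo "'"` pairs are also not portable (`echo -n` is undefined in POSIX); `printf "LLDAP_JWT_SECRET='%s'\n" "$(print_random)"` does each line in one portable call and drops the hard-coded `/bin/echo` path. The `tr` character class correctly leaves out `'`, `"`, `$` and backtick, so the single-quoted values are safe to `source`; note that `,-.` inside it is parsed by `tr` as the range from `,` to `.` (which happens to be exactly `,`, `-`, `.`), so it works but is easy to misread.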
@ -98,21 +98,20 @@
|
||||||
database_url = "sqlite:///data/users.db?mode=rwc"
|
database_url = "sqlite:///data/users.db?mode=rwc"
|
||||||
|
|
||||||
## Private key file.
|
## Private key file.
|
||||||
|
## Not recommended, use key_seed instead.
|
||||||
## Contains the secret private key used to store the passwords safely.
|
## Contains the secret private key used to store the passwords safely.
|
||||||
## Note that even with a database dump and the private key, an attacker
|
## Note that even with a database dump and the private key, an attacker
|
||||||
## would still have to perform an (expensive) brute force attack to find
|
## would still have to perform an (expensive) brute force attack to find
|
||||||
## each password.
|
## each password.
|
||||||
## Randomly generated on first run if it doesn't exist.
|
## Randomly generated on first run if it doesn't exist.
|
||||||
## Alternatively, you can use key_seed to override this instead of relying on
|
|
||||||
## a file.
|
|
||||||
## Env variable: LLDAP_KEY_FILE
|
## Env variable: LLDAP_KEY_FILE
|
||||||
key_file = "/data/private_key"
|
#key_file = "/data/private_key"
|
||||||
|
|
||||||
## Seed to generate the server private key, see key_file above.
|
## Seed to generate the server private key, see key_file above.
|
||||||
## This can be any random string, the recommendation is that it's at least 12
|
## This can be any random string, the recommendation is that it's at least 12
|
||||||
## characters long.
|
## characters long.
|
||||||
## Env variable: LLDAP_KEY_SEED
|
## Env variable: LLDAP_KEY_SEED
|
||||||
#key_seed = "RanD0m STR1ng"
|
key_seed = "RanD0m STR1ng"
|
||||||
|
|
||||||
## Ignored attributes.
|
## Ignored attributes.
|
||||||
## Some services will request attributes that are not present in LLDAP. When it
|
## Some services will request attributes that are not present in LLDAP. When it
|
||||||
|
|
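Review bot: uncommenting `key_seed = "RanD0m STR1ng"` turns a published example value into the active default of the template: anyone who copies `lldap_config.docker_template.toml` to `/data/lldap_config.toml` without editing it gets a private key derived from a seed that sits in this repository, and per the comment block above that key is what protects the stored passwords. Keep the line commented out, or use an obviously invalid placeholder such as the `REPLACE_WITH_RANDOM` the compose example uses, so the value cannot be used by accident. The `key_file` block should also say which setting wins when both `key_file` and `key_seed` are given, now that it is marked "Not recommended".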