Skip to content

Commit

Permalink
bump dependencies & update docs
Browse files Browse the repository at this point in the history
  • Loading branch information
ahaenggli committed Jan 11, 2024
1 parent 28eeefb commit 0307d11
Show file tree
Hide file tree
Showing 26 changed files with 838 additions and 419 deletions.
18 changes: 16 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased] (in 'dev')

### Changed

- updated npm dependencies
- renamed Azure, AzureAD, ... to Microsoft Entra ID

### Fixed

- checked and fixed all links

### Added

- example [customizer](./customizer/customizer_DSM7_IDs_string2int_filterUserByGroups.js) to sync only users within specified groups
- usage examples for `Portainer`, `Authelia` and `Synology Radius with UniFi` in the [documentation](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/)

## [2.0.1] - 2023-07-21

### Changed
Expand Down Expand Up @@ -57,7 +71,7 @@ As a result, existing customizers (mapped `/app/customizer/ldap_customizer.js`)
### Added
- Env var `GRAPH_IGNORE_MFA_ERRORS` to allow logins despite required MFA. When set to true, some MFA-related error codes are treated as successful logins. Attention, this is only a first attempt and may not work in all cases. Please open an issue if you encounter any problems with this.
- Deleted users and groups in Azure are now also removed from the LDAP entries. The number of days these entries should be kept in this wrapper before deletion can be specified with the env var `LDAP_DAYSTOKEEPDELETEDUSERS`. (see [FAQ](./FAQ.md#are-deleted-users-or-groups-in-azure-also-removed-from-the-ldap-entries) for more details)
- Deleted users and groups in Azure are now also removed from the LDAP entries. The number of days these entries should be kept in this wrapper before deletion can be specified with the env var `LDAP_DAYSTOKEEPDELETEDUSERS`. (see [FAQ](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/troubleshooting/#are-deleted-users-or-groups-in-azure-also-removed-from-the-ldap-entries) for more details)
- Env var `LDAP_PORT` to set a custom port for the listener (e.g. 389 for running the container directly on the host network)
- Print version at start-up, so you don't have to remember which version you are currently using.
- Check if the volume /app/.cache is mapped inside a docker container
Expand Down Expand Up @@ -268,7 +282,7 @@ if set to true and the login is failed, the login is retried against the sambaNT
- Dockerfile
- Container on hub.docker.cm
[Unreleased]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/projects/1
[Unreleased]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/
[2.0.1]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v2.0.1
[2.0.0]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v2.0.0
[1.8.2]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v1.8.2
Expand Down
66 changes: 34 additions & 32 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
# LDAP-wrapper for AzureAD users/groups [![GitHub release (latest by date)](https://img.shields.io/github/v/release/ahaenggli/AzureAD-LDAP-wrapper?style=social)](https://github.com/ahaenggli/AzureAD-LDAP-wrapper) <a href="https://www.buymeacoffee.com/ahaenggli" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" width="90px"></a>
# LDAP-wrapper for Microsoft Entra ID users/groups [![GitHub release (latest by date)](https://img.shields.io/github/v/release/ahaenggli/AzureAD-LDAP-wrapper?style=social)](https://github.com/ahaenggli/AzureAD-LDAP-wrapper) <a href="https://www.buymeacoffee.com/ahaenggli" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" width="90px"></a>

AzureAD-LDAP-wrapper is a Node.js LDAP server built on top of ([ldapjs](https://github.com/ldapjs/node-ldapjs)) that allows users and groups from Azure Active Directory to be accessed through the LDAP protocol. User authentication is performed using Microsoft Graph API on every login attempt. This enables other applications to connect to the LDAP server and utilize AzureAD login credentials, making it a possible solution for older applications that lack AzureAD support or for scenarios where managing a local AD controller is undesirable.
LDAP-wrapper is a Node.js LDAP server built on top of ([ldapjs](https://github.com/ldapjs/node-ldapjs)) that allows users and groups from `Microsoft Entra ID` (formerly `Azure Active Directory`) to be accessed through the LDAP protocol. User authentication is performed using Microsoft Graph API on every login attempt. This allows your other applications to connect to the LDAP server and thus allows your end users to authenticate with a work or school account.

This it a possible workaround for older applications that lack Microsoft Entra ID support or for scenarios where managing a local AD controller is undesirable.

## Table of Contents

Expand All @@ -10,7 +12,7 @@ AzureAD-LDAP-wrapper is a Node.js LDAP server built on top of ([ldapjs](https://
* [Run the LDAP-wrapper](#run-the-ldap-wrapper)
* [Usage](#usage)
* [Settings](#settings)
* [Troubleshooting](#troubleshooting)
* [Troubleshooting / FAQ](#troubleshooting-/-faq)
* [Security](#security)
* [Contributing](#contributing)
* [Support this project](#support-this-project)
Expand All @@ -22,49 +24,49 @@ AzureAD-LDAP-wrapper is a Node.js LDAP server built on top of ([ldapjs](https://
sequenceDiagram
autonumber
participant LDAP client
participant AzureAD-LDAP-wrapper
participant AAD (Graph API)
participant LDAP-wrapper
participant ME-ID (Graph API)
Note over AzureAD-LDAP-wrapper: start LDAP server
AzureAD-LDAP-wrapper->>AAD (Graph API): Fetch users and groups
Note over AzureAD-LDAP-wrapper: cache users and groups locally
Note over LDAP-wrapper: start LDAP server
LDAP-wrapper->>ME-ID (Graph API): Fetch users and groups
Note over LDAP-wrapper: cache users and groups locally
LDAP client->>+AzureAD-LDAP-wrapper: Attempt to bind with user credentials
AzureAD-LDAP-wrapper->>+AAD (Graph API): Check user credentials
AAD (Graph API)-->>-AzureAD-LDAP-wrapper: Valid credentials
LDAP client->>+LDAP-wrapper: Attempt to bind with user credentials
LDAP-wrapper->>+ME-ID (Graph API): Check user credentials
ME-ID (Graph API)-->>-LDAP-wrapper: Valid credentials
Note over AzureAD-LDAP-wrapper: save password hash locally in the cache
AzureAD-LDAP-wrapper->>-LDAP client: Successful bind/authenticate
Note over LDAP-wrapper: save password hash locally in the cache
LDAP-wrapper->>-LDAP client: Successful bind/authenticate
loop every 30 minutes
AzureAD-LDAP-wrapper->>AAD (Graph API): Fetch users and groups again
Note over AzureAD-LDAP-wrapper: merge and cache users and groups locally
LDAP-wrapper->>ME-ID (Graph API): Fetch users and groups again
Note over LDAP-wrapper: merge and cache users and groups locally
end
```

The AzureAD-LDAP-wrapper starts an LDAP server and fetches users and groups from the AAD Graph API. These are cached and merged locally.
The LDAP-wrapper starts an LDAP server and fetches users and groups from the Microsoft Graph API. These are cached and merged locally.

When an LDAP client attempts to bind with user credentials, the AzureAD-LDAP-wrapper checks these credentials by communicating with the AAD Graph API. If the credentials are valid, the AAD Graph API sends a success response to the AzureAD-LDAP-wrapper, which then sends a successful bind message to the user's LDAP client. Additionally, the AzureAD-LDAP-wrapper saves the user's password hash in the sambaNTPassword attribute and sets the sambaPwdLastSet attribute to "now". This allows the user to access samba shares, such as those on a NAS, from Windows PCs.
When an LDAP client attempts to bind with user credentials, the LDAP-wrapper checks these credentials by communicating with the Microsoft Graph API. If the credentials are valid, the Microsoft Graph API sends a success response to the LDAP-wrapper, which then sends a successful bind message to the user's LDAP client. Additionally, the LDAP-wrapper saves the user's password hash in the sambaNTPassword attribute and sets the sambaPwdLastSet attribute to "now". This allows the user to access samba shares, such as those on a NAS, from Windows PCs.

The AzureAD-LDAP-wrapper periodically fetches user and group information from the AAD Graph API every 30 minutes, merging and caching the results locally. This process preserves attributes like uid, gid, sambaNTPassword, and sambaPwdLastSet.
The LDAP-wrapper periodically fetches user and group information from the Microsoft Graph API every 30 minutes, merging and caching the results locally. This process preserves attributes like uid, gid, sambaNTPassword, and sambaPwdLastSet.

## Getting Started

### Requirements

To use the AzureAD-LDAP-wrapper, you will need:
To use the LDAP-wrapper, you will need:

* An Azure Active Directory (AD) tenant with at least one registered user.
* An Azure AD application registered in your tenant, with the following permissions:
* A Microsoft Entra tenant with at least one registered user.
* A Microsoft Entra application registered in your tenant, with the following permissions:
* For type `Application` grant `User.Read.All` and `Group.Read.All`.
* For type `Delegated` grant `User.Read`.

You can follow the instructions in the [installation guide](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/create-azuread-application) to set up your application.

To run the AzureAD-LDAP-wrapper, you'll need to have your Tenant ID, Application ID, and Application Secret available. These values are required to authenticate and authorize the application to access your Azure AD resources. You can find these values in the Azure portal.
To run the LDAP-wrapper, you'll need to have your Tenant ID, Application ID, and Application Secret available. These values are required to authenticate and authorize the application to access your resources. You can find these values in the Microsoft Entra ID portal.

Once you have created your Azure AD application, you can run the LDAP wrapper on your local machine, on a server or even a Synology NAS. Depending on your setup you will either need:
Once you have created your Microsoft Entra application, you can run the LDAP-wrapper on your local machine, on a server or even a Synology NAS. Depending on your setup you will either need:

* Node.js version 17 or higher, which can be downloaded from the official [Node.js website](https://nodejs.org/en/download/).

Expand Down Expand Up @@ -93,7 +95,7 @@ Use "bridge" as your network.
4. Give your container a name and enable auto-restart.
![grafik](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/syno/syno_docker_name.png)

5. Configure the environment variables in "Advanced Settings". Be sure to double check your Azure values and define at least one binduser. The binduser (superuser like root) does not need to exist in your AzureAD. Replace example.com with your domain. Here is an example of a minimum required configuration:
5. Configure the environment variables in "Advanced Settings". Be sure to double check your Microsoft Entra values and define at least one binduser. The binduser (superuser like root) does not need to exist in your tenant. Replace example.com with your domain. Here is an example of a minimum required configuration:

```bash
TZ: "Europe/Zurich" # optional
Expand All @@ -109,7 +111,7 @@ Use "bridge" as your network.
```

![env vars](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/syno/syno_docker_env.png)
A full list of all environment variables can be found [here](../../configuration/settings/).
A full list of all environment variables can be found [here](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/configuration/settings/).

6. Set local Port 389 to the Container Port 13389. If you receive the error Local port 389 conflicts with other ports used by other services, make sure that Synology Directory Service and Synology LDAP Server are not installed - they also use this port.
![syno port](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/syno/syno_docker_port.png)
Expand All @@ -122,7 +124,7 @@ Use "bridge" as your network.

### Usage

To enable users to log in to Synology NAS with their Azure credentials, you need to connect the NAS to the AzureAD-LDAP-wrapper. Here are the steps:
To enable end users to log in to Synology NAS with their work or school account, you need to connect the NAS to the LDAP-wrapper. Here are the steps:

1. Go to Control Panel > Domain/LDAP and click "Join".
![ldap join](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/use/syno_ldap_join.png)
Expand All @@ -136,10 +138,10 @@ To enable users to log in to Synology NAS with their Azure credentials, you need
4. If you see a warning about a local group having the same name as a synchronized group, you can ignore it and skip the warning in "Details".
![skip warning](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/use/syno_ldap_skipwarning.png)

5. Your NAS should now be connected successfully to the Azure AD LDAP-wrapper.
5. Your NAS should now be connected successfully to the LDAP-wrapper.
![nas connected](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/use/syno_ldap_connected.png)

6. Check the "LDAP User" and "LDAP Group" tabs to ensure that all entries are fully synced. Assign the desired permissions to your synchronized users and groups. You can now log in with your Azure AD credentials.
6. Check the "LDAP User" and "LDAP Group" tabs to ensure that all entries are fully synced. Assign the desired permissions to your synchronized users and groups. You can now log in with your Microsoft Entra account (work or school account).
![check users](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/use/syno_ldap_check.png)

7. Note that before accessing shared folders or files via network or Samba, each user must log in to DSM web GUI or another tool directly connected to the LDAP server. This step is also required after a password change, as the password hash for Samba is only set after a successful login.
Expand All @@ -148,19 +150,19 @@ To enable users to log in to Synology NAS with their Azure credentials, you need

To configure the LDAP-wrapper, you can use environment variables as it is intended to be used with Docker. A complete list of available variables can be found in the [configuration settings page](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/configuration/settings) of the documentation.

## Troubleshooting
## Troubleshooting / FAQ

If you encounter any issues, start by checking the Docker log. Many errors are logged there, and this can help you identify the root cause of the problem. Additionally, the [troubleshooting page](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/troubleshooting/) in the documentation provides further guidance on debugging common issues, including Samba-related ones. If you're still stuck, don't hesitate to open an issue, but be sure to attach relevant log files to help others diagnose the issue.

## Security

It's important to note that the AzureAD-LDAP-wrapper involves transferring sensitive user information, so it's essential to ensure that it's used securely. There are several potential security risks to be aware of when using this wrapper. For more information on these risks and how to mitigate them, please read the [security page](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/security/) in the documentation.
It's important to note that the LDAP-wrapper involves transferring sensitive user information, so it's essential to ensure that it's used securely. There are several potential security risks to be aware of when using this wrapper. For more information on these risks and how to mitigate them, please read the [security page](https://ahaenggli.github.io/AzureAD-LDAP-wrapper/security/) in the documentation.
If you discover any security vulnerabilities, please refer to the instructions in [SECURITY.md](SECURITY.md) on how to report them.
## Contributing
Contributions to the AzureAD-LDAP-wrapper are always welcome! If you have any suggestions, bug reports, or pull requests, please feel free to open an issue or a pull request on the project's GitHub repository.
Contributions to the LDAP-wrapper are always welcome! If you have any suggestions, bug reports, or pull requests, please feel free to open an issue or a pull request on the project's GitHub repository.

## Support this project

Expand All @@ -170,4 +172,4 @@ Your support helps me maintain and improve this project. Thank you!

## License

The AzureAD-LDAP-wrapper is licensed under the [MIT License](LICENSE).
The LDAP-wrapper is licensed under the [MIT License](LICENSE).
Loading

0 comments on commit 0307d11

Please sign in to comment.