ahaenggli/AzureAD-LDAP-wrapper

Non-Synology, non-container setup

doubleddav opened this issue · 3 comments

Hi,

I've been experimenting with this on an Alpine VM. So far so good, I have the wrapper running happily in the background.

I was wondering how to link this to the system, such that either:

  • Azure AD users could log in via ssh
  • This could be integrated into Samba

I'm assuming Synology are using an openldap client and maybe something like sssd to link all of this together?

Thanks

Hey,
I think you are on the right track. Synology uses a few of its own implementations for the permissions (because the users might be "mixed" locally and externally). I would consider the LDAP-wrapper like an openldap server and google accordingly how you could use an openldap server to connect SSH and samba... If I read the Synology samba config correctly, they use NT4 mode and as you guessed SSSD seems also to be configured. Hope this gets you further! :)

Thanks for getting back to me :-)

I'll do a bit more digging as I have time and see if I can get this working - sans Synology. I might document what I do as well somewhere.

To get some hints, I don't suppose you could pull out the samba and sssd config files from the Synology for me to have a look at?

Thanks

Sure, hope it helps you:

smb.conf
[global]
        printcap name=cups
        winbind enum groups=yes
        include=/var/tmp/nginx/smb.netbios.aliases.conf
        ldap admin dn=uid=root
        encrypt passwords=yes
        workgroup=WORKGROUP
        min protocol=SMB2
        ldap ssl=Off
        security=user
        local master=no
        realm=*
        ldap passwd sync=yes
        ldap suffix=dc=domain,dc=tld
        passdb backend=multi:smbpasswd,ldapsam:ldap://127.0.0.1
        syno ldap support=yes
        printing=cups
        max protocol=SMB3
        winbind enum users=yes
        load printers=yes
        admin users=@WORKGROUP\Domain Admins,@WORKGROUP\Enterprise Admins

sssd.conf
[sssd]
reconnection_retries = 3
sbus_timeout = 30
domains = domain.tld
config_file_version = 2
debug_level = 1
services = nss, pam
[nss]
filter_groups=root
filter_users=root
reconnection_retries=2
memcache_timeout=300
entry_cache_nowait_percentage=50
debug_level=1

[pam]
reconnection_retries=3
offline_credentials_expiration=2
offline_failed_login_attempts=2
offline_failed_login_delay=50
debug_level=1

# Example LDAP domain
[domain/domain.tld]
id_provider = ldap
nss_nested_groups = yes
auth_provider = ldap
ldap_schema = rfc2307bis
entry_cache_timeout = 5400
ldap_default_authtok_type = syno_secret
gidmap_max = 0
case_sensitive = preserving
ldap_search_base = dc=domain,dc=tld
ldap_id_use_start_tls = false
uidmap_max = 0
debug_level = 1
ssl = no
ldap_group_nesting_level = 5
ldap_pwd_policy = shadow
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
gidmap_min = 0
ldap_uri = ldap://127.0.0.1
ldap_tls_cacertdir = /etc/ssl/certs
uidmap_min = 0
ldap_default_bind_dn = uid=root
# ldap_tls_key=/var/lib/ldap/ldapclient.key
# ldap_tls_cert=/var/lib/ldap/ldapclient.crt
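The sssd.conf above turns off StartTLS and certificate verification, which is tolerable only because ldap_uri points at 127.0.0.1 on the same box. As an added example (not part of this thread or the project), here is a small Python check that flags those sssd-ldap options and rates them by whether the domain's LDAP URI leaves the host; the sample config is constructed from the lines above plus a hypothetical second domain with a made-up hostname.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the TLS-relevant lines of the sssd.conf posted in this thread
# (loopback LDAP), plus a hypothetical second domain pointing at a remote LDAP host.
SAMPLE_SSSD_CONF = """
[sssd]
domains = domain.tld, remote.example
services = nss, pam

[domain/domain.tld]
id_provider = ldap
ldap_uri = ldap://127.0.0.1
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never

[domain/remote.example]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# sssd-ldap options whose listed value either sends binds in clear text or
# skips verifying the server certificate.
WEAK_VALUES = {
    "ldap_auth_disable_tls_never_use_in_production": "true",
    "ldap_tls_reqcert": "never",
    "ldap_id_use_start_tls": "false",
}

def audit_sssd(text):
    """Return (section, option, severity) for every weak TLS setting found.

    Severity is 'high' when a plain ldap:// URI points at a non-loopback host,
    'info' when all traffic stays on loopback as in the Synology setup above."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        uris = cp.get(section, "ldap_uri", fallback="").replace(",", " ").split()
        off_host = any(urlparse(u).scheme == "ldap"
                       and (urlparse(u).hostname or "") not in LOOPBACK for u in uris)
        for option, weak in WEAK_VALUES.items():
            if cp.get(section, option, fallback="").strip().lower() == weak:
                findings.append((section, option, "high" if off_host else "info"))
    return findings

if __name__ == "__main__":
    for section, option, severity in audit_sssd(SAMPLE_SSSD_CONF):
        print(f"{severity:5} {section}: {option}")
```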