This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/integrations/services/qnap-nas/index.md

191 lines
5.3 KiB
Markdown
Raw Permalink Normal View History

---
title: QNAP NAS
---
## What is QNAP NAS
From <https://en.wikipedia.org/wiki/QNAP_Systems>
:::note
QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.
:::
Connecting a QNAP NAS to an LDAP Directory is a little bit special
as it is **not** (well) documented what really is done behind the scenes of QNAP.
## Preparation
The following placeholders will be used:
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) a FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `qnap.serviceAccount` is a service account created in authentik
- `qnap.serviceAccountToken` is the service account token generated
by authentik.
Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the authentik side.
Remember the `ldap.baseDN` you have configured for the provider as you'll
need it in the sssd configuration.
Create a new service account for all of your hosts to use to connect
to LDAP and perform searches. Make sure this service account is added
to `ldap.searchGroup`.
:::caution
It seems that QNAP LDAP client configuration has issues with too long password.
Max password length <= 66 characters.
:::
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.
The outpost will connect to authentik and configure itself.
## NAS Configuration
The procedure is a two step setup:
1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
:::note
The config edit is essential, as QNAP relies on certain not configurable things.
The search for users and groups relies on a fix filter for
`objectClass` in `posixAccount` or `posixGroup` classes.
Also by default the search scope is set to `one` (`singleLevel`), which can be
adapted in the config to `sub` (`wholeSubtree`).
### Sample LDAP request from QNAP
Default search for users
```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixAccount)
Attributes:
uid
userPassword
uidNumber
gidNumber
cn
homeDirectory
loginShell
gecos
description
objectClass
```
Default search for groups
```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixGroup)
Attributes:
cn
userPassword
memberUid
gidNumber
```
:::
### QNAP Web UI
Configure the following values and "Apply"
![qnap domain security](./qnap-ldap-configuration.png)
:::caution
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
:::
:::note
The UI Configuration is necessary, as it will save the Password encrypted
in `/etc/config/nss_ldap.ensecret`.
:::
### SSH
Connect your QNAP NAS via SSH.
First stop the LDAP Service:
```bash
/sbin/setcfg LDAP Enable FALSE
/etc/init.d/ldap.sh stop
```
Edit the file at `/etc/config/nss_ldap.conf`:
```conf
host ${ldap.domain}
base ${ldap.baseDN}
uri ldaps://${ldap.domain}/
ssl on
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
nss_schema rfc2307bis
# remap object classes to authentik ones
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# remap attributes
# uid to cn is essential otherwise only id usernames will occur
nss_map_attribute uid cn
# map displayName information into comments field
nss_map_attribute gecos displayName
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
nss_map_attribute uniqueMember member
# configure scope per search filter
nss_base_passwd ou=users,${ldap.baseDN}?one
nss_base_shadow ou=users,${ldap.baseDN}?one
nss_base_group ou=groups,${ldap.baseDN}?one
tls_checkpeer no
referrals no
bind_policy soft
timelimit 120
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
nss_initgroups_ignoreusers admin,akadmin
```
Now start the LDAP Service:
```bash
/sbin/setcfg LDAP Enable TRUE
/etc/init.d/ldap.sh start
```
To see if connection is working, type
```bash
# list users
$ getent passwd
```
The output should list local users and authentik accounts.
```bash
# list groups
$ getent group
```
The output should list local and authentik groups.