feat(ldap): alter external LDAP domains (#806)

NethServer/dev#7298
NethServer · Feb 19, 2025 · 1295414 · 1295414
1 parent 1531e1d
commit 1295414
Show file tree

Hide file tree

Showing 7 changed files with 488 additions and 4 deletions.
diff --git a/...ageroot/var/lib/nethserver/cluster/actions/alter-external-domain/10validate_ldap_provider b/...ageroot/var/lib/nethserver/cluster/actions/alter-external-domain/10validate_ldap_provider
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import sys
+import json
+import agent
+import os
+import cluster.userdomains
+
+#
+# Sample request:
+# {
+# "domain":"example.com",
+# "protocol": "ldap",
+# "bind_dn": "cn=ldapservice,dc=example,dc=com",
+# "bind_password": "s3cret",
+# "tls": true,
+# "tls_verify": true
+# }
+request = json.load(sys.stdin)
+domain = request['domain']
+protocol = request['protocol']
+rdb = agent.redis_connect(privileged=False)
+
+agent.set_weight(os.path.basename(__file__), 0) # Validation step, no task progress at all
+
+if protocol == 'ldap':
+    conf = rdb.hgetall(f"cluster/user_domain/ldap/{domain}/conf")
+    # Get the first provider: ["x.x.x.x:636"]
+    providers = rdb.lrange(f"cluster/user_domain/ldap/{domain}/providers", 0, -1)
+    host = providers[0].split(':')[0]
+    port = providers[0].split(':')[1]
+
+    validate= {
+        'bind_dn': request['bind_dn'],
+        'bind_password': request['bind_password'],
+        'tls': request['tls'],
+        'tls_verify': request['tls_verify'],
+        'domain': domain,
+        'protocol': protocol,
+        'host': host,
+        'port': int(port),
+        'schema':conf['schema'],
+        'base_dn': conf['base_dn']
+    }
+
+    errors, logex = cluster.userdomains.validate_ldap(validate)
+
+    if logex:
+        print(agent.SD_ERR + f"{logex.__class__.__name__}: {logex}", file=sys.stderr)
+
+    if errors:
+        agent.set_status('validation-failed')
+        json.dump(errors, fp=sys.stdout)
+        sys.exit(3)
diff --git a/core/imageroot/var/lib/nethserver/cluster/actions/alter-external-domain/50alter_ldap_domain b/core/imageroot/var/lib/nethserver/cluster/actions/alter-external-domain/50alter_ldap_domain
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import sys
+import json
+import agent
+import os
+
+#
+# Sample request:
+# {
+# "domain":"example.com",
+# "protocol": "ldap",
+# "bind_dn": "cn=ldapservice,dc=example,dc=com",
+# "bind_password": "s3cret",
+# "tls": true,
+# "tls_verify": true
+# }
+request = json.load(sys.stdin)
+domain = request['domain']
+protocol = request['protocol']
+
+rdb = agent.redis_connect(privileged=True)
+
+if protocol == 'ldap':
+    conf = rdb.hgetall(f"cluster/user_domain/ldap/{domain}/conf")
+    rdb.hset(f"cluster/user_domain/ldap/{domain}/conf", mapping={
+        'bind_dn': request['bind_dn'],
+        'bind_password': request['bind_password'],
+        'tls': 'on' if request['tls'] else 'off',
+        'tls_verify': 'on' if request['tls_verify'] else 'off',
+    })
+
+    #
+    # Advertise new account provider setup
+    #
+    rdb.publish(os.getenv('AGENT_ID') + '/event/ldap-provider-changed', json.dumps({
+        'domain': domain,
+        'key': f"cluster/user_domain/ldap/{domain}/providers",
+    }))
+    # Advertise new user domain setup
+    rdb.publish(os.getenv('AGENT_ID') + '/event/user-domain-changed', json.dumps({
+        'domain': domain
+    }))
diff --git a/core/imageroot/var/lib/nethserver/cluster/actions/alter-external-domain/validate-input.json b/core/imageroot/var/lib/nethserver/cluster/actions/alter-external-domain/validate-input.json
@@ -0,0 +1,65 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "title": "alter-external-domain input",
+    "description": "Configure an external user domain",
+    "$id": "http://schema.nethserver.org/cluster/alter-external-domain-input.json",
+    "examples": [
+        {
+            "domain": "example.com",
+            "protocol": "ldap",
+            "bind_dn": "cn=ldapservice,dc=example,dc=com",
+            "bind_password": "s3cret",
+            "tls": true,
+            "tls_verify": true
+        }
+    ],
+    "type": "object",
+    "required": [
+        "domain",
+        "protocol"
+    ],
+    "properties": {
+        "domain": {
+            "type": "string",
+            "title": "User domain name",
+            "minLength": 1
+        },
+        "protocol": {
+            "type": "string",
+            "title": "Provider protocol",
+            "description": "Protocol used to communicate with the domain providers.",
+            "enum": [
+                "ldap"
+            ]
+        }
+    },
+    "$defs": {
+        "additional-properties-of-ldap": {
+            "type": "object",
+            "title": "LDAP domain properties",
+            "description": "Additional required properties of LDAP-based domains",
+            "properties": {
+                "bind_dn": {
+                    "type": "string",
+                    "minLength": 1
+                },
+                "bind_password": {
+                    "type": "string",
+                    "minLength": 1
+                },
+                "tls": {
+                    "type": "boolean"
+                },
+                "tls_verify": {
+                    "type": "boolean"
+                }
+            },
+            "required": [
+                "bind_dn",
+                "bind_password",
+                "tls",
+                "tls_verify"
+            ]
+        }
+    }
+}
diff --git a/core/ui/public/i18n/en/translation.json b/core/ui/public/i18n/en/translation.json
@@ -1171,7 +1171,9 @@
         "users_admin_page_description": "User administration self service portal",
         "host_format": "Must be a valid domain name or IP address",
         "provider_already_installed": "Provider already installed",
-        "no_node_eligible_for_provider_installation": "No node is eligible for provider installation"
+        "no_node_eligible_for_provider_installation": "No node is eligible for provider installation",
+        "domain_settings": "Domain settings",
+        "edit_external_domain": "Edit external domain"
     },
     "samba": {
         "adminuser": "Samba admin username",
@@ -1276,7 +1278,8 @@
         "provider_label_tooltip": "You can assign the provider an easy to remember name",
         "unconfigured_provider": "Unconfigured provider",
         "unconfigured_providers_title": "There are unconfigured providers",
-        "unconfigured_providers_description": "You can resume their configuration or delete them"
+        "unconfigured_providers_description": "You can resume their configuration or delete them",
+        "external_providers_tooltip_description": "Providers are the services that manage users and groups in a domain. You can have more than one provider in an external domain, but only if 'TLS verify' is disabled"
     },
     "nodes": {
         "title": "Nodes",

diff --git a/core/ui/src/components/domains/CreateDomainModal.vue b/core/ui/src/components/domains/CreateDomainModal.vue
@@ -138,9 +138,12 @@
           </cv-text-input>
           <cv-text-input
             :label="$t('domains.bind_password')"
+            type="password"
             v-model="external.bind_password"
             :invalid-message="$t(error.external.bind_password)"
             :disabled="loading.external.addExternalDomain"
+            :password-hide-label="$t('password.hide_password')"
+            :password-show-label="$t('password.show_password')"
             ref="bind_password"
           >
           </cv-text-input>