From ff37f12a839f95ae38fb20ffdbd78949a56c3384 Mon Sep 17 00:00:00 2001
From: Badanin Maksim
Date: Sun, 24 Mar 2024 13:14:33 +0300
Subject: [PATCH] init

---
 .env | 20 +++++
 README.md | 200 +++++++++++++++++++++++++++++++++++++++++++++
 docker-compose.yml | 85 +++++++++++++++++++
 3 files changed, 305 insertions(+)
 create mode 100644 .env
 create mode 100644 README.md
 create mode 100644 docker-compose.yml

diff --git a/.env b/.env
new file mode 100644
index 0000000..c752b02
--- /dev/null
+++ b/.env
@@ -0,0 +1,20 @@
+AUTHENTIK_TAG= #2024.2.2
+PG_PASS= # (pwgen -s 40 1) (openssl rand -base64 40)
+AUTHENTIK_SECRET_KEY= # (pwgen -s 50 1) (openssl rand -base64 50)
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+COMPOSE_PORT_LDAP=3389
+
+# SMTP Host Emails are sent to
+#AUTHENTIK_EMAIL__HOST=localhost
+#AUTHENTIK_EMAIL__PORT=25
+# Optionally authenticate (don't add quotation marks to your password)
+#AUTHENTIK_EMAIL__USERNAME=
+#AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+#AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+#AUTHENTIK_EMAIL__USE_SSL=false
+#AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+#AUTHENTIK_EMAIL__FROM=authentik@localhost
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d16758f
--- /dev/null
+++ b/README.md
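Review bot: The `.env` hunk commits the file that is meant to hold `PG_PASS` and `AUTHENTIK_SECRET_KEY`, and the patch adds no `.gitignore`, so as soon as an operator fills those slots in as the README instructs, the database password and the signing secret become tracked content and end up in the repository history of every clone. Commit the template under another name and ignore the live file, e.g. rename to `.env.example` and add `echo .env >> .gitignore`, with the README's "Запуск" step copying the example before editing. The inline comments are harmless for Compose's parser because each `#` is preceded by whitespace, but a reader may not realise that `AUTHENTIK_TAG= #2024.2.2` leaves the variable empty and therefore falls through to the `:-2024.2.2` default in docker-compose.yml; a one-line comment saying so, `# leave empty to use the default tag from docker-compose.yml`, would avoid surprises when the default and the comment drift apart.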
@@ -0,0 +1,200 @@
+## Установка Authentik
+
+Основан на [https://docs.goauthentik.io/docs/installation/docker-compose](https://docs.goauthentik.io/docs/installation/docker-compose)
+
+#### Параметры переменных в файле .env
+```
+AUTHENTIK_TAG # 2024.2.2
+PG_PASS # пароль для PostgreSQL. Например: $(pwgen -s 40 1) или $(openssl rand -base64 40)
+AUTHENTIK_SECRET_KEY # ключ для Authentik. Например: $(pwgen -s 50 1) или $(openssl rand -base64 50)
+COMPOSE_PORT_HTTP # 80
+COMPOSE_PORT_HTTPS # 443
+COMPOSE_PORT_LDAP # 3389
+
+# Настройка сервера SMTP для отправки сообщений
+AUTHENTIK_EMAIL__HOST # имя почтового сервера. Например: mail.example.com
+AUTHENTIK_EMAIL__PORT # порт почтового сервера. Например: 25
+AUTHENTIK_EMAIL__USERNAME # учетная запись
+AUTHENTIK_EMAIL__PASSWORD # пароль
+AUTHENTIK_EMAIL__USE_TLS # использовать StartTLS. Например: false
+AUTHENTIK_EMAIL__USE_SSL # использовать SSL. Например: false
+AUTHENTIK_EMAIL__TIMEOUT # время ожидания сервера. Например: 10
+AUTHENTIK_EMAIL__FROM # отправдлять от имени. Например: authentik@example.com
+
+```
+
+
+#### Запуск
+```
+git clone https://git.badms.ru/bms/authentik.git
+cd authentik
+# Предварительно отредактировать переменные
+docker compose up -d
+```
+
+
+#### После запуска
+Перейти по ссылке для первоначальной конфигруации: `https://auth.example.com/if/flow/initial-setup/`
+
+
+## Настройка Authentik провайдера LLDAP для ONLYOFFICE
+
+[LLDAP authentik example](https://github.com/lldap/lldap/blob/main/example_configs/authentik.md)
+
+---
+
+### Создание связей свойст
+`Customization` > `Property Mappings` > `Create`
+
+**Name:** LDAP-email
+**Object field:** attributes.email
+**Expression:** return list_flatten(ldap.get('mail'))
+
+**Name:** LDAP-givenname
+**Object field:** attributes.givenname
+**Expression:** return list_flatten(ldap.get('givenname'))
+
+**Name:** SAML-mail
+**SAML Attribute Name:** mail
+**Friendly Name:** mail
+**Expression:** return user.attributes.get("email")
+
+**Name:** SAML-givenName
+**SAML Attribute Name:** givenName
+**Friendly Name:** name
+**Expression:** return user.attributes.get("givenname")
+
+**Name:** SAML-sn
+**SAML Attribute Name:** sn
+**Friendly Name:** surename
+**Expression:** return user.attributes.get("sn")
+
+
+---
+
+### Создание провайдера
+`Applications` > `Providers` > `Create` > `SAML Provider`
+
+**Name:** Provider for ONLYOFFICE
+**Authentication flow:** ---
+**Authorization flow:** default-provider-authorization-implicit-consent (Authorize Application)
+
+#### Protocol settings:
+
+**ACS URL:** https://office.example.com/sso/acs
+**Issuer:** https://office.example.com/sso/metadata
+**Service Provider Binding:** Post
+**Audience:** Audience
+
+#### Advanced protocol settings:
+
+**Signing Certificate:** authentik Self-signed Certificate
+**Verification Certificate:** ---
+**Property mappings:**
+ - SAML-mail
+ - SAML-givenName
+ - SAML-sn
+**NameID Property Mapping:** ---
+**Assertion valid not before:** minutes=-5
+**Assertion valid not on or after:** minutes=5
+**Session valid not on or after:** minutes=86400
+**Default relay state:** ---
+**Digest algorithm:** SHA256
+**Signature algorithm:** SHA256
+
+---
+
+### Создание приложения
+`Applications` > `Applications` > `Create`
+
+**Name:** onlyoffice
+**Slug:** onlyoffice
+**Group:** ---
+**Provider:** Provider for ONLYOFFICE
+**Backchannel Providers:** ---
+**Policy engine mode:** any
+
+#### UI settings:
+**Launch URL:** ---
+**Icon:** ---
+**Publisher:** ---
+**Description:** ---
+
+#### Добавление пользователей и групп
+`Applications` > `Applications` > `onlyoffice`> `Policy/Group/User Bindings` > `Bind existing policy`
+
+---
+
+### Создание соединение с LLDAP
+`Directory` > `Federation and Social login` > `Create`
+
+**Name:** LLDAP-example.com
+**slug:** lldap_example-com
+- [X] Enable
+- [X] Sync users
+- [ ] User password writeback
+- [X] Sync groups
+
+#### Connection settings:
+**Server URI:** ldap://ldap.example.com
+- [ ] Enable StartTLS
+- [ ] Use Server URI for SNI verification
+**TLS Verification Certificate:** ---
+**TLS Client authentication certificate:** ---
+**Bind CN:** uid=auth,ou=people,dc=example,dc=com
+**Bind Password:**
+**Base DN:** dc=example,dc=com
+
+#### LDAP Attribute mapping:
+**User Property Mappings:**
+ - authentik default LDAP Mapping: mail
+ - authentik default Active Directory Mapping: sn
+ - authentik default OpenLDAP Mapping: cn
+ - authentik default OpenLDAP Mapping: uid
+ - LDAP-email
+ - LDAP-givenname
+**Group Property Mappings:**
+ - authentik default OpenLDAP Mapping: cn
+
+
+#### Additional settings:
+
+**Group:** ---
+**User path:** LDAP/users
+**Addition User DN:** ou=people
+**Addition Group DN:** ou=groups
+**User object filter:** (objectClass=person)
+**Group object filter:** (objectClass=groupOfUniqueNames)
+**Group membership field:** member
+**Object uniqueness field:** uid
+
+---
+
+### Настройка ONLYOFFICE
+**Сохранить XML файл из `Authentik`:** `Applications` > `Providers` > `Provider for ONLYOFFICE` > `Copy download URL`
+
+**Загрузить полученный файл в `ONLYOFFICE`:** `Настройки` > `Интеграция` > `Единый вход`
+- [X] Включить аутентификацию с помощью технологии единого входа
+
+#### Настройки поставщика сервиса:
+`Выбрать файл` загруженный ранее XML
+
+**Пользовательская надпись для кнопки входа:** Single Sign-on
+**Идентификатор сущности поставщика учетных данных записей:** https://office.example.com/sso/metadata
+**URL-адрес конечной точки единого входа idP:** Привязка: POST - https://auth.example.com/application/saml/onlyoffice/sso/binding/post/
+**URL-адрес конечной точки единого выхода idP:** Привязка: POST - https://auth.example.com/application/saml/onlyoffice/slo/binding/post/
+**Формат NameID:** urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
+#### Открытые сертификаты поставщика учетных записей:
+**Добавить сертификат:** authentik Self-signed Certificate
+- [X] Проверять подпись ответов аутентификации
+- [X] Проверять подпись запросов выхода
+- [ ] Проверять подпись ответов выхода
+**Стандартный алгоритм проверки подписи:** rsa-sha1
+
+#### Сертификаты поставщика сервиса:
+
+#### Сопоставление аттрибутов:
+**Имя:** givenName
+**Фамилия:** sn
+**Email:** mail
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..e77fb54
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,85 @@
+---
+version: "3.4"
+
+services:
+ postgresql:
+ image: docker.io/library/postgres:12-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - ./data/database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+ POSTGRES_USER: ${PG_USER:-authentik}
+ POSTGRES_DB: ${PG_DB:-authentik}
+ env_file:
+ - .env
+
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - ./data/redis:/data
+
+ server:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ volumes:
+ - ./data/media:/media
+ - ./data/custom-templates:/templates
+ env_file:
+ - .env
+ ports:
+ - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+ - "${COMPOSE_PORT_LDAP:-3389}:3389"
+ depends_on:
+ - postgresql
+ - redis
+
+ worker:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
+ restart: unless-stopped
+ command: worker
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ user: root
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./data/media:/media
+ - ./data/certs:/certs
+ - ./data/custom-templates:/templates
+ env_file:
+ - .env
+ depends_on:
+ - postgresql
+ - redis
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
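Review bot: In the `worker` service, `user: root` combined with the bind mount `- /var/run/docker.sock:/var/run/docker.sock` gives that container control of the Docker host, which is a much larger blast radius than an identity provider needs; as far as I recall the upstream authentik compose file flags both lines as optional and only required for the Docker outpost integration, and nothing in this commit's README sets such an outpost up. I would comment out `user: root` and the docker.sock line until an outpost that needs them is actually deployed, leaving the `./data/certs:/certs` mount in place. The top-level `volumes:` block declares named volumes `database` and `redis` that no service references, because postgresql and redis use bind mounts under `./data/`; that is dead configuration and can be deleted. Separately, `env_file: - .env` is also attached to `postgresql`, so `AUTHENTIK_SECRET_KEY` and the `COMPOSE_PORT_*` values land in the database container's environment although nothing there consumes them, while the `POSTGRES_*` values it does need already arrive via `environment:`; dropping the `env_file` entry from `postgresql` keeps the secret key confined to `server` and `worker`.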