commit 013d38899d145bebdff2691ad18a4384ef2f656b
Author: Badanin Maksim
Date: Sun Sep 8 17:42:12 2024 +0300
init
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..550382c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,128 @@
+## Установка I, Librarian
+
+Основан на [https://hub.docker.com/r/cgrima/i-librarian](https://hub.docker.com/r/cgrima/i-librarian)
+Официальный сайт: [https://i-librarian.net](https://i-librarian.net)
+
+#### Настройка LDAP `./configs/ilibrarian.ini`
+
+```
+ldap_active = "1"
+ldap_server = "ldap://ldap.example.com:389"
+ldap_use_tls = "0"
+ldap_basedn = "dc=example,dc=com"
+ldap_binduser_dn = "cn=ldapsearch,ou=users,dc=example,dc=com"
+ldap_binduser_pw = "password"
+ldap_username_attr = "cn"
+ldap_userlogin_attr = "cn"
+ldap_user_filter = "(objectClass=user)"
+ldap_group_rdn = "ou=groups"
+ldap_admingroup_cn = "cn=ilib_admins"
+ldap_admingroup_dn = ""
+ldap_usergroup_cn = ""
+ldap_usergroup_dn = ""
+ldap_admin_users = ""
+ldap_filter = "member"
+ldap_version = "3"
+ldap_opt_referrals = "0"
+ldap_debug_enabled = "0"
+ldap_opt_debug_level = "7"
+
+```
+
+
+#### Запуск
+```
+git clone https://git.badms.ru/bms/ilib.git
+cd ilib
+# Предварительно отредактировать ./configs/ilibrarian.ini
+docker compose up -d
+```
+
+
+#### После запуска
+Настроить `NPM` для доступа к `Authentik` по `HTTPS`.
+Перейти по ссылке для первоначальной конфигруации: `https://auth.example.com/if/flow/initial-setup/`
+
+---
+
+## Настройка Authentik
+
+---
+
+### Создать пользователей и группы
+
+`Directory` > `Users` > `Create`
+
+- ldapseach
+
+`Directory` > `Groups` > `Create`
+
+- ldapseach
+- ilib_admins
+- ilib_users
+
+Добавить пользователя `ldapseach` в группу `ldapseach`
+
+Пользователям добавить атрибуты:
+
+```
+mn: Отчество
+sn: Фамилия
+name: Имя
+givenname: Имя
+```
+
+Добавить пользователей в группы `ilib_admins` и `ilib_users`
+
+---
+
+### Создание провайдера
+`Applications` > `Providers` > `Create` > `LDAP Provider`
+
+**Name:** Provider for LDAP
+**Bind flow:** default-authentication-flow (Welcome to authentik!)
+**Search group:** ldapsearch
+**Bind mode:** Direct binding
+**Search mode:** Direct binding
+**Code-based MFA Support:** V (?)
+
+**Base DN:** DC=example,DC=com
+**Certificate:** -
+**TLS Server name:** -
+**UID start number:** 2000
+**GID start number:** 2000
+
+---
+
+### Создание приложения
+`Applications` > `Applications` > `Create`
+
+**Name:** LDAP
+**Slug:** ldap
+**Group:** ---
+**Provider:** Provider for LDAP
+**Backchannel Providers:** ---
+**Policy engine mode:** any
+
+**Launch URL:** ---
+**Icon:** ---
+**Publisher:** ---
+**Description:** ---
+
+
+---
+
+### Создание Outpost
+`Applications` > `Applications` > `Outpost`
+
+**Name:** LDAP outpost
+**Tyoe:** LDAP
+**Integration:** ---
+**Applications:** LDAP
+
+
+### Добавление пользователей и групп
+`Applications` > `Applications` > `LDAP`> `Policy/Group/User Bindings` > `Bind existing policy`
+
+Добавить группы `ilib_admins` и `ilib_users`
+Добавить пользователя `ldapseach`
\ No newline at end of file
diff --git a/configs/ilibrarian.ini b/configs/ilibrarian.ini
new file mode 100644
index 0000000..981657a
--- /dev/null
+++ b/configs/ilibrarian.ini
@@ -0,0 +1,119 @@
+;
+; Password reset.
+;
+[reset_password]
+
+; To enable password reset, change reset_password to 1. Don't
+; forget to change the value back to O, after the password
+; has been reset.
+reset_password = "0"
+
+;
+; Error message level.
+;
+[error_messages]
+
+; Set to "debug", for more information. IMPORTANT! Debug should be used
+; exclusively during development, and never in production, as it reveals
+; sensitive information.
+level = ""
+
+;
+; Override php.ini session settings.
+;
+[session]
+
+; If a TLS certificate is set up, set to "1" for increased security.
+cookie_secure = "0"
+
+;
+; LDAP.
+;
+; Enter your LDAP server settings below. There are example settings for
+; a free dummy LDAP server at:
+;
+; www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server
+;
+; Use einstein:password, euclid:password to test its functionality.
+;
+; LDAP access does not work from behind a proxy server.
+;
+[ldap]
+
+; Activate login via LDAP. Caution: Disables local login.
+ldap_active = "0"
+
+; LDAP server protocol, hostname, and port, e.g. ldap(s)://hostname:port.
+;ldap_server = "ldap://ldap.forumsys.com:389"
+ldap_server = "ldap://ldap.example.com:389"
+
+; If the protocol is ldap, a TLS-encrypted connection should be used. Set to 0,
+; only if no TLS certificate is configured on your LDAP server.
+ldap_use_tls = "0"
+
+; Base distinguished name (DN).
+;ldap_basedn = "dc=example,dc=com"
+ldap_basedn = "dc=example,dc=com"
+
+; Fully qualified bind user DN.
+;ldap_binduser_dn = "cn=read-only-admin,dc=example,dc=com"
+ldap_binduser_dn = "cn=ldapsearch,ou=users,dc=example,dc=com"
+
+; Bind user password.
+;ldap_binduser_pw = "password"
+ldap_binduser_pw = "password"
+
+; Attribute to use for username lookups.
+ldap_username_attr = "cn"
+
+; Attribute which is used to verify login/password pair.
+;ldap_userlogin_attr = "sAMAccountName"
+ldap_userlogin_attr = "cn"
+
+; Custom LDAP Filter to additionally restrict the user search, and with (ldap_userlogin_attr = user)
+; ldap_user_filter = "(|(objectClass=user)(objectClass=iNetOrgPerson))"
+ldap_user_filter = "(objectClass=user)"
+
+;
+; Authorization. If the below options are provided, a group affiliation
+; is checked (admins vs. users) and permissions are set accordingly.
+; Otherwise, all LDAP users are given admin permissions.
+;
+
+; Group relative search base without basedn.
+;ldap_group_rdn = "ou=groups"
+ldap_group_rdn = "ou=groups"
+
+; Admin group common name.
+;ldap_admingroup_cn = "cn=admins"
+ldap_admingroup_cn = "cn=ilib_admins"
+
+; Admin group DN, if building CN with group_rdn and basedn is not possible.
+ldap_admingroup_dn = ""
+
+; User group common name. If only a specific user group can access I, Librarian.
+;ldap_usergroup_cn = "cn=users"
+ldap_usergroup_cn = ""
+
+; Use user group DN, if building CN with group_rdn and basedn is not possible.
+ldap_usergroup_dn = ""
+
+; Optional admin users, comma separated list
+ldap_admin_users = ""
+
+; Group filter prefix.
+; If you want to do recursive searches with LDAP servers that support it
+; (e.g., MS Active Directory), use the correct matching rule.
+;ldap_filter = 'member:1.2.840.113556.1.4.1941'
+ldap_filter = "member"
+
+; Change to match your ldap protocol version.
+ldap_version = "3"
+
+; Enable REFERRALS.
+ldap_opt_referrals = "0"
+
+; Enable and set debug level for LDAP authentication.
+; Messages are logged into Apache Global Error Log.
+ldap_debug_enabled = "0"
+ldap_opt_debug_level = "7"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..2c0e54c
--- /dev/null
+++ b/docker-compose.yml
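Review bot: The `[ldap]` section ships the bind secret as the literal `ldap_binduser_pw = "password"` over `ldap_server = "ldap://ldap.example.com:389"` with `ldap_use_tls = "0"`, so the search-account credential and every user's login password leave the ilib container in cleartext; the comment directly above `ldap_use_tls` says 0 is only for servers without a certificate, and `cookie_secure = "0"` in `[session]` carries the same caveat. Since the README tells the operator to edit this file before `docker compose up`, replacing the literal with an obvious placeholder such as `ldap_binduser_pw = "CHANGE_ME"` makes a forgotten edit fail the bind instead of silently working, and `ldap_use_tls = "1"` (or an `ldaps://` URL) can become the default once the outpost has a certificate. The committed `ldap_active = "0"` also differs from the README snippet's `"1"`, so LDAP login stays off until the file is edited. `ldap_usergroup_cn` is left empty while the README creates an `ilib_users` group; if only that group should be able to log in, `ldap_usergroup_cn = "cn=ilib_users"` enforces it on the I, Librarian side as well, though the diff does not show whether the Authentik policy binding already limits access.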
@@ -0,0 +1,15 @@
+version: "2"
+
+services:
+
+  ilib:
+    image: cgrima/i-librarian:5.11.1
+    hostname: ilib
+    container_name: ilib
+    restart: unless-stopped
+    ports:
+      - "80:80"
+    volumes:
+      - ./data:/app/data
+      - ./configs:/app/config
+      - /etc/localtime:/etc/localtime:ro
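Review bot: `- "80:80"` publishes I, Librarian's plain-HTTP login on every host interface, while the README routes the rest of the stack through NPM over HTTPS and the ini keeps `cookie_secure = "0"`, so users' LDAP passwords would be posted in cleartext to anything that reaches port 80 directly. If the container is meant to sit behind the proxy, bind it to the loopback, `- "127.0.0.1:80:80"`, terminate TLS in NPM and set `cookie_secure = "1"` in the ini; if it is meant to be reached directly, a TLS-terminating reverse proxy in front of it is the missing piece. The top-level `version: "2"` key is obsolete in Compose v2 and can be dropped, and because `./configs` is mounted into the container and holds the bind password, the edited copy should be kept out of git.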