feat(docs): add demo, configuration and deployment info

This commit is contained in:
Julian Lobbes 2022-12-03 21:39:02 +01:00
parent 0f2e78c2ac
commit f47da87d03
5 changed files with 158 additions and 26 deletions

155
README.md
View File

@ -1,14 +1,142 @@
# Lumi2 (LDAP user management interface) # LUMI 2
**Lumi2** is a web application for managing users and user groups present on an OpenLDAP server. **Lumi2** is the *LDAP user management interface*, a minimalistic web-ui for managing simple LDAP authentication backends.
It provides a web-interface for administrators to create/read/update/delete organization users and user groups, and to allow basic account self-service for organization members themselves. It lets an administrator create/read/update/delete users and groups in a user-friendly interface:
Lumi is written in Python, using the [Flask](https://flask.palletsprojects.com/en/latest/) web framework.
The motivation for Lumi is for it to provide a more user-friendly interface than [PhpLdapAdmin](https://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page), however it is not a replacement. ![Demo](/docs/demo.gif)
# Documentation Lumi2 eliminates the need for complex LDAP frontends, such as [PhpLdapAdmin](https://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page), or modifying the DIT (directory information tree) through LDIF files.
It is quite opinionated and suitable only for small-scale deployments (such as a homelab or small enterprise), but it works really well there!
Lumi2 can be used with an existing LDAP deployment, but it makes some [core assumptions](#assumptions-and-limitations) about the DIT it works on.
If you are deploying Lumi2 alongside a fresh LDAP instance, it will create the necessary DIT entries for you.
The following frameworks and/or libraries are used: # Deployment
Lumi2 is designed for use and deployment in a microservice environment.
It works well together with a dockerized LDAP server (such as [osixia's OpenLDAP image](https://github.com/osixia/docker-openldap)), and you can use the included `docker-compose.yml` as a reference.
## Assumptions and limitations
Currently, the connection between Lumi2 and your LDAP server **does not encrypt traffic** using TLS.
Your Lumi2 instance and the LDAP server it manages should run on the same host, otherwise it will be possible for a man-in-the-middle to read your user's credentials and personal information.
Lumi2 is simplistic and makes some assumptions about the structure of your LDAP DIT.
The DIT hierarchy it expects (or creates) looks like this:
![LDAP DIT structure](/docs/ldap-dit-structure.svg)
You should be aware of this structure when configuring other applications to use your LDAP backend.
If you point Lumi2 at an existing LDAP server, make sure its DIT has this structure, otherwise Lumi2 will not work with your LDAP instance.
When deploying a new LDAP server, you don't need to pay too much attention to the rest of this section, as Lumi2 will create the DIT entries for you as necessary.
### Users
- All user entries are direct children of a single OU (`organizationalUnit`). The `cn` (name) of this OU is configurable.
- This OU is a direct child entry of your DIT's root entry
- The RDN (relative distinguished name) for users is their `uid` attribute
- User entries are LDAP objects of type `inetOrgPerson`. Lumi2 sets (and expects to find) the following attributes for each user:
- `uid` - username
- `cn` - first name
- `sn` - last name
- `displayName` - preferred name (or nickname)
- `mail` - email address
- `jpegPhoto` - profile picture in JPEG format
- `userPassword` - SHA512 password hash
The `uid` (username) can contain latin characters, digits, underscores, hypens and periods, and must have a letter as the first character.
### Groups
- All group entries are direct children of a single OU (`organizationalUnit`). The `cn` (name) of this OU is configurable.
- This OU is a direct child entry of your DIT's root entry
- The RDN (relative distinguished name) for groups is their `cn` attribute
- Group entries are LDAP objects of type `groupOfUniqueNames`:
- A group always has at least one member (an LDAP limitation)
- Members of the group are listed in its `uniqueMember` attribute
The groupname (`cn`) can contain only latin characters.
## Configuration
Your Lumi2 instance is configured using the `config.py` python file. Edit the file accordingly so that Lumi2 can connect to your LDAP server and bind to it with admin credentials.
Make sure you configure a secure `SECRET_KEY` and `ADMIN_PASSWORD` prior to deployment, as described below.
It is recommended you use `docker-compose` for Lumi2 and your LDAP server. Use the `docker-compose.yml` and `config.py` files in this repo as a starting point for this.
### Security settings
To generate a secret key and a password hash, you first need to import some of Lumi2's dependencies.
The easiest way to do this is by using a virtual environment. In the repo's root folder, run the following shell commands:
```bash
python -m venv .venv
pip install -r requirements.txt
```
Lumi2 uses a private key to encrypt session cookies and secrets.
Generate a strong secret key now, by running the following command:
```bash
python -c 'import secrets; print(secrets.token_hex())'
```
Set the `SECRET_KEY` in your `config.py` to the random string you just generated.
Next, we need to replace the default password hash in `config.py` with a more secure one.
Pick a **strong** password, which you will use later to log in to Lumi2, and generate its hash using the following command:
```bash
python -c 'from werkzeug.security import generate_password_hash as gen; from getpass import getpass as p; print("Hash: " + gen(p("Password: ")))'
```
Replace the existing `ADMIN_PASSWORD` in your `config.py` with the hash you just generated.
You can deactivate and delete the virtual environment now by running:
```bash
deactivate
rm -rf .venv
```
### LDAP settings
Lumi2 needs to know where to reach your LDAP server. This is set in the `LDAP_HOSTNAME` variable.
What you put here depends on your environment, but if you are using `docker-compose` with both Lumi2 and OpenLDAP running in the same compose-stack, you can simply set the LDAP container's hostname here, optionally prefixed with `ldap://` and/or suffixed with the port on which the LDAP server is listening.
By default, Lumi2 tries to connnect on 389, the standard LDAP port.
**Important:** deploying Lumi2 alongside LDAP using `docker-compose` is highly recommended. Communication between Lumi2 and LDAP is currently not encrypted, so anyone listening to the network traffic between the two can read user information being exchanged between Lumi2 and your LDAP server.
Next, provide the DN (distinguished name) and password for a user with read- and write-access to your LDAP server by setting the `LDAP_BIND_USER_DN` and `LDAP_BIND_USER_PASSWORD` variables respectively.
The `LDAP_BASE_DN` variable tells Lumi2 what the base DN (the root entry) of your LDAP server is called.
The `LDAP_USERS_OU` and `LDAP_GROUPS_OU` variables tell Lumi2 under which OU users and groups can be found or created. Both must be direct children of the root entry.
If they do not exist yet on your LDAP server, they will be newly created by Lumi2 when it first starts.
### Logging
By default, the lumi2 container logs HTTP access information to the console.
You can additionally write the HTTP access logs to a file by specifying `LOG_FILE_PATH`.
Note that the specified path points to *inside* the container, so if you want to persist access logs across container restarts, you should set up a Docker volume accordingly.
Make sure the specified path is writeable by Lumi2.
`LOG_FILE_MAX_SIZE` specifies how large the log file can get before being replaced (log rotation).
Two access log files are kept: the one currently in use, and the previous one which has reached the maximum size. Any older log files are automatically deleted.
To disable log rotation, leave the variable unspecified or set it to `0`.
## Running the server
The `Dockerfile` and `docker-compose.yml` create a Lumi2 instance running behind a [waitress](https://docs.pylonsproject.org/projects/waitress/en/latest/) WSGI server, exposing the Lumi2 web interface on port 80.
It is recommended to use a reverse proxy in front of the waitress server.
Inside the container, Lumi2 and waitress are run by a non-root user. You can specify the `UID`/`GID` of this user by setting the `LUMI2_UID`/`LUMI2_GID` build arguments (see `docker-compose.yml` for reference).
You should make sure your `config.py` file persists across container restarts and is readable by the container's non-root user.
The `LUMI2_CONFIG` environment variable is necessary to tell Lumi2 where `config.py` can be found inside the container.
Once you have configured `docker-compose.yml` and `config.py`, start Lumi2 with
```
sudo docker-compose up -d --build
```
# Development
Lumi2 is a python application, built using the Flask framework. The following frameworks and/or libraries are also used:
- Backend: - Backend:
- [Flask](https://flask.palletsprojects.com/en/2.2.x/) - a python web framework - [Flask](https://flask.palletsprojects.com/en/2.2.x/) - a python web framework
@ -20,26 +148,27 @@ The following frameworks and/or libraries are used:
- [coverage](https://coverage.readthedocs.io/en/6.5.0/) - test code coverage reporting used in conjunction with pytest - [coverage](https://coverage.readthedocs.io/en/6.5.0/) - test code coverage reporting used in conjunction with pytest
- [Pillow](https://pillow.readthedocs.io/en/stable/) - a python image manipulation library - [Pillow](https://pillow.readthedocs.io/en/stable/) - a python image manipulation library
- Frontend: - Frontend:
- [Bootstrap 5](https://getbootstrap.com/docs/5.2/getting-started/introduction/) - a CSS framework - [Bootstrap 5](https://getbootstrap.com/docs/5.2/getting-started/introduction/) - a CSS framework and component library
- [Bootstrap Icons](https://icons.getbootstrap.com/) - an SVG-icon pack used in conjunction with Bootstrap - [Bootstrap Icons](https://icons.getbootstrap.com/) - an SVG-icon pack used in conjunction with Bootstrap
- [jQuery](https://api.jquery.com/) - a JavaScript library for DOM manipulation and AJAX routines - [jQuery](https://api.jquery.com/) - a JavaScript library for DOM manipulation and AJAX routines
- [jQuery tablesorter plugin](https://mottie.github.io/tablesorter/docs/) - a plugin for jQuery used to make sortable HTML tables
## Compiling SASS ## Theming (SASS)
Install a SASS preprocessor: To customize the bootstrap theme, some of Bootstrap 5's SASS variables are modified in `/scss/bootstrap.scss` and then compiled using a SASS preprocessor.
Using a CLI SASS preprocessor:
```bash ```bash
npm install -g sass npm install -g sass
``` ```
Process the custom SASS files: You can modify the SASS variables and then compile into CSS:
``` ```
sass scss/bootstrap.scss lumi2/static/css/bootstrap.css sass scss/bootstrap.scss lumi2/static/css/bootstrap.css
``` ```
# Testing ## Testing
Make sure all dependencies listed in `requirements.txt` are installed. Make sure all dependencies listed in `requirements.txt` are installed.
To run all unit tests, simply run the following from within the repository root: To run all unit tests, simply run the following from within the repository root:

View File

@ -7,15 +7,6 @@ SECRET_KEY = 'CHANGEME'
# Replace this with the hash of a STRONG password. # Replace this with the hash of a STRONG password.
ADMIN_PASSWORD = 'pbkdf2:sha256:260000$J9yKJOAvWfvaO9Op$f959d88402f67a5143808a00e35d17e636546f1caf5a85c1b6ab1165d1780448' ADMIN_PASSWORD = 'pbkdf2:sha256:260000$J9yKJOAvWfvaO9Op$f959d88402f67a5143808a00e35d17e636546f1caf5a85c1b6ab1165d1780448'
# The hostname and port number where this LUMI2 instance can be reached.
#SERVER_NAME = 'lumi2.example.com:80'
# The title of pages as displayed in the browser.
SITE_TITLE = 'LUMI 2'
# Site metadata as displayed by search engines.
SITE_AUTHOR = 'LUMI 2 Development Team'
SITE_DESCRIPTION = 'A simple frontend for LDAP account management.'
# URL or hostname of the LDAP server. # URL or hostname of the LDAP server.
# Currently, only unencrypted connections are supported. # Currently, only unencrypted connections are supported.
LDAP_HOSTNAME = 'ldap://openldap' LDAP_HOSTNAME = 'ldap://openldap'
@ -30,13 +21,21 @@ LDAP_USERS_OU = 'ou=users,dc=example,dc=com'
# DN of the organizational unit beneath which groups are located. # DN of the organizational unit beneath which groups are located.
LDAP_GROUPS_OU = 'ou=groups,dc=example,dc=com' LDAP_GROUPS_OU = 'ou=groups,dc=example,dc=com'
# If specified, the HTTP access log is saved to this file. # The hostname and port number where this LUMI2 instance can be reached.
#SERVER_NAME = 'lumi2.example.com:80'
# Maximum size in Bytes for incoming requests.
# Limits the size of uploaded user profile pictures.
MAX_CONTENT_LENGTH = 8_000_000
# If specified, an HTTP access log is saved to this file.
# Make sure the directory for the log file exists and is writeable by lumi2. # Make sure the directory for the log file exists and is writeable by lumi2.
#LOG_FILE_PATH = '/path/to/file.log' #LOG_FILE_PATH = '/path/to/file.log'
# Maximum log file size in Bytes. When exceeded, the log gets rotated. # Maximum log file size in Bytes. When exceeded, the log gets rotated.
# Set to 0 to disable log file rotation (can eat up disk space!) # Set to 0 to disable log file rotation (can eat up disk space!)
#LOG_FILE_MAX_SIZE = 32_000_000 #LOG_FILE_MAX_SIZE = 32_000_000
# Maximum size in Bytes for incoming requests, both for improved security and # The title of pages as displayed in the browser.
# to limit the size of uploaded user profile pictures. SITE_TITLE = 'LUMI 2'
MAX_CONTENT_LENGTH = 8_000_000 # Additional metadata as displayed by browsers, search engines, etc.
SITE_AUTHOR = 'LUMI 2 Development Team'
SITE_DESCRIPTION = 'A simple frontend for LDAP account management.'

BIN
docs/demo.gif Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 8.6 MiB

View File

@ -0,0 +1 @@
<mxfile host="Electron" modified="2022-12-03T12:41:26.469Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/20.3.0 Chrome/104.0.5112.114 Electron/20.1.3 Safari/537.36" etag="hW4hZfNtdAPsV38uLWIx" version="20.3.0" type="device"><diagram id="y0q7_5OBH_WIh0eJqhVD" name="Page-1">7Vtdd6I6FP01Pl6XEPDj0Wpn7oOdcS1n1tx5jBAhHSDcEKr0198EEj5FbWvV3tKHlnNOEuDsfZKdaHtg5u++Uhi6D8RGXk8f2LsemPd0XRtOxvyP8CSZZzKWDodiWzYqHCv8jKRzIL0xtlFUacgI8RgOq06LBAGyWMUHKSXbarMN8ap3DaGDGo6VBb2m9xe2mSu9/MWKwN8IO6689VgfZQEfqsbyTSIX2mRbcoH7HphRQlh25e9myBPJU3nJ+n1pieYPRlHATunwpH8zHxbhPF6QYL2a7YCxfPxLvsUT9GL5wj196PHx7tb8whEXjITKxwfP3cqH6441rXt4t1KrNBcsUQmmJA5sJJ5R4+GtixlahdAS0S2nFPe5zPdk+AlRhjk4Uw87Aff52LbFQHJYEUa71vxoedY5XRHxEaMJbyI7mAMJVKLszNwWsA+lyy0BruCFkmhOPnCBBb+QcLwAGm10IFcD/s6EMpc4JIDegnCMsgw9IsYSWUYwZqSaP7TD7B/RvW9K67ccTFzPd2UjUUbA36bUSZi/1XjCKLqlVtHPnooC5GZAApR5vmCRhDSevR2yG/VXA4xngMTUQodSZcqZAVIHsWN0bzKAIg8y/FR9kPMDah4vNkIdGOBn/jQC158BZp+i9vRa7WmgWXyaftHqGzeyJai6kqZkdFeQLdkbfoiCHHYF2VKQo8mkb95YSaqB98CVZzSWI9RQ5KNjwjQARvvRm5GYd4sjRCNu2BY30A76IU+nNC3in4QgTzmrwhQxSv6gGfEILSpvw8uu5oISRotDhOghfPfxojoTbUjA1PA9HQzTn3NN1RVaAMNo0EIHF6WFfpwWKbwNVki89xKi48ABDoATVuvRRTlgHOdAh+gBRI1RrayvPtm3r81HqtrhSQu7sn4FCSbaSYv+2LwgD8Dwf6fDBYLyQTT9srpcHU4d1eXZXvVawlw9Zqn4cYDYd+os+YpNggYloi32PZjmznKxZy9gQmLxfhGD1h9l3bmE4meefVgUMKQKCzCotFiJnhKBqiyv45fa8lmKWUGdFooWFEW8/VIBNshdCxgx1UsdD4qoDSM3p3Nj9jhDqZvV6T7ffx9bwTXj3Sb8cQPzVMxPBffL8p1PeppIixVkwfs0WApEMjD1bMmWPGTjKPRg8g36qKWzD7Enb9qHagBjgCxCw362UqimjyFyli4RU4lo3+/3S0GhLZcwiraE2qV4jbcKWg9t2AvWk4gvEDhwFmmvubGHk/UFRhziStLBdXr3jNcMspLN+aPoeBLHDhRvk3kHlMVepmnvtqSA49KiZR/JEpreoNtDvm0PWVebV99EguZheyczXi0zgPEhZAZo7ho7mXFWmQEGN6czQPNTmFxn5NN7XWP8qAeUxvglpAkH8IDE+JHslResv5V9O3XxAnWR1ewtq4umjm2oC0GrPYfUXCuQBKG2s4tUX6jTjU5gHNzejKrnGADsERgX/TRfKZxOYJxFYExOFRjDqwqM5tdr0vr9vvkZ4H9jJBaJqFMZb6/2msrQm6uAftlVQMmXEvJKS5Sn+Xw9T+nwgPy1yIlo1TPvSvHeTO9NB8KdXaS/sz1q+Wzk1C3oCcMqKfTiIc3559AhLd9caNchexk4fjcCaq+VIdD2cdBpkDfPSuOx3r85FWJ2KuR8KsTQP4QKUY/ZqZB3VSHj0eTmVEjzpFupkHyWv7YE+SR6ISvCa+gFbhb/ZJDGSv+qAe7/Aw==</diagram></mxfile>

File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 16 KiB