Add hidden user option and deploy instructions

Jean28518 · Oct 19, 2023 · 518a3dd · 518a3dd
1 parent 3100df6
commit 518a3dd
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -2,6 +2,35 @@
 
 Using Samba as domain controller.
 
+## How to deploy
+
+```bash
+# Make sure you have AD domain controler like samba active and ldaps enabled.
+
+wget https://github.com/Jean28518/linux-arbeitsplatz-central/releases/tag/v0.1.0
+sudo apt install ./linux-arbeitsplatz.deb
+
+vim /usr/share/linux-arbeitsplatz/cfg
+# Adjust all variables
+
+systemctl enable linux-arbeitsplatz-web --now
+systemctl enable linux-arbeitsplatz-unix --now
+systemctl restart linux-arbeitsplatz-web
+```
+
+## Caddyfile
+
+```Caddyfile
+central.int.de {
+  handle_path /static* {
+        root * /var/www/linux-arbeitsplatz-static
+        file_server
+        encode zstd gzip
+  }
+  reverse_proxy localhost:11123
+}
+```
+
 ## How to develop
 
 Copy the content of env.example into your ~/.bashrc file and adjust it to your needs. Restart the terminal.

diff --git a/cfg.example b/cfg.example
@@ -15,3 +15,6 @@ export AUTH_LDAP_BIND_PASSWORD="#####"
 export AUTH_LDAP_USER_DN_TEMPLATE="cn=%(user)s,cn=users,dc=int,dc=de"
 export AUTH_LDAP_GROUP_SEARCH_BASE="cn=Groups,dc=int,dc=de"
 export AUTH_LDAP_GROUP_ADMIN_DN="CN=Administrators,CN=Builtin,DC=int,DC=de"
+
+# Separate them with a ,
+export HIDDEN_LDAP_USERS="dns-hostname"
diff --git a/src/lac/idm/ldap.py b/src/lac/idm/ldap.py
@@ -182,8 +182,10 @@ def ldap_get_all_users():
     return users
 
 def ldap_is_system_user(cn):
+    hidden_users = hidden_users.lower()
+    hidden_users = hidden_users.split(",")
     cn = cn.lower()
-    return cn == "guest" or cn == "krbtgt" or cn == "administrator" or cn == "admin"
+    return cn == "guest" or cn == "krbtgt" or cn == "administrator" or cn == "admin" or cn in hidden_users
 
 def ldap_is_system_group(cn):
     system_groups = ["administrators", "domain admins", "domain computers", "domain guests", "domain users", "enterprise admins", "group policy creator owners", "schema admins", "cert publishers", "dnsadmins", "dnsupdateproxy", "ras and ias servers", "allowed rodc password replication group", "denied rodc password replication group", "read-only domain controllers", "protected users", "enterprise read-only domain controllers", "domain controllers"]

diff --git a/src/lac/lac/settings.py b/src/lac/lac/settings.py
@@ -97,6 +97,8 @@
 # Allow self signed certificates
 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
 
+HIDDEN_LDAP_USERS = os.getenv("HIDDEN_LDAP_USERS")
+
 
 LOGGING = {
     "version": 1,