From 518a3dd38eee6a4eb1d05bcd3b6bda938c0a4e6d Mon Sep 17 00:00:00 2001 From: Jean28518 Date: Thu, 19 Oct 2023 10:30:31 +0200 Subject: [PATCH] Add hidden user option and deploy instructions --- README.md | 29 +++++++++++++++++++++++++++++ cfg.example | 3 +++ src/lac/idm/ldap.py | 4 +++- src/lac/lac/settings.py | 2 ++ 4 files changed, 37 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3dff263..6c701c5 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,35 @@ Using Samba as domain controller. +## How to deploy + +```bash +# Make sure you have AD domain controler like samba active and ldaps enabled. + +wget https://github.com/Jean28518/linux-arbeitsplatz-central/releases/tag/v0.1.0 +sudo apt install ./linux-arbeitsplatz.deb + +vim /usr/share/linux-arbeitsplatz/cfg +# Adjust all variables + +systemctl enable linux-arbeitsplatz-web --now +systemctl enable linux-arbeitsplatz-unix --now +systemctl restart linux-arbeitsplatz-web +``` + +## Caddyfile + +```Caddyfile +central.int.de { + handle_path /static* { + root * /var/www/linux-arbeitsplatz-static + file_server + encode zstd gzip + } + reverse_proxy localhost:11123 +} +``` + ## How to develop Copy the content of env.example into your ~/.bashrc file and adjust it to your needs. Restart the terminal. diff --git a/cfg.example b/cfg.example index 7429d67..5df924b 100644 --- a/cfg.example +++ b/cfg.example @@ -15,3 +15,6 @@ export AUTH_LDAP_BIND_PASSWORD="#####" export AUTH_LDAP_USER_DN_TEMPLATE="cn=%(user)s,cn=users,dc=int,dc=de" export AUTH_LDAP_GROUP_SEARCH_BASE="cn=Groups,dc=int,dc=de" export AUTH_LDAP_GROUP_ADMIN_DN="CN=Administrators,CN=Builtin,DC=int,DC=de" + +# Separate them with a , +export HIDDEN_LDAP_USERS="dns-hostname" \ No newline at end of file diff --git a/src/lac/idm/ldap.py b/src/lac/idm/ldap.py index 3fa5386..4e93bcd 100644 --- a/src/lac/idm/ldap.py +++ b/src/lac/idm/ldap.py 
@@ -182,8 +182,10 @@ def ldap_get_all_users(): return users def ldap_is_system_user(cn): + hidden_users = hidden_users.lower() + hidden_users = hidden_users.split(",") cn = cn.lower() - return cn == "guest" or cn == "krbtgt" or cn == "administrator" or cn == "admin" + return cn == "guest" or cn == "krbtgt" or cn == "administrator" or cn == "admin" or cn in hidden_users def ldap_is_system_group(cn): system_groups = ["administrators", "domain admins", "domain computers", "domain guests", "domain users", "enterprise admins", "group policy creator owners", "schema admins", "cert publishers", "dnsadmins", "dnsupdateproxy", "ras and ias servers", "allowed rodc password replication group", "denied rodc password replication group", "read-only domain controllers", "protected users", "enterprise read-only domain controllers", "domain controllers"] diff --git a/src/lac/lac/settings.py b/src/lac/lac/settings.py index f3c80af..9cf8cd7 100644 --- a/src/lac/lac/settings.py +++ b/src/lac/lac/settings.py @@ -97,6 +97,8 @@ # Allow self signed certificates ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW) +HIDDEN_LDAP_USERS = os.getenv("HIDDEN_LDAP_USERS") + LOGGING = { "version": 1,
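Review bot: `hidden_users` is read before it is assigned on the first added line of ldap_is_system_user — because the function assigns that name, Python treats it as a local, so `hidden_users.lower()` raises UnboundLocalError on every call and the helper no longer works at all. The value the commit appears to intend is the new HIDDEN_LDAP_USERS setting added in settings.py, which also needs a guard for the unset case (`os.getenv` yields None) and for whitespace around the commas that the cfg.example comment invites. Assuming ldap.py has the Django `settings` object in scope, the two added lines could become `hidden = getattr(settings, "HIDDEN_LDAP_USERS", None) or ""` and `hidden_users = [u.strip().lower() for u in hidden.split(",") if u.strip()]`. A one-line docstring saying that this is a display filter rather than an access control (assuming it is only consulted by listing code such as ldap_get_all_users) would keep future readers from relying on it for authorization.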
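Review bot: `HIDDEN_LDAP_USERS = os.getenv("HIDDEN_LDAP_USERS")` evaluates to None when the variable is not exported, which pushes a None check onto every consumer of a value that is documented as a comma-separated string; defaulting to the empty string avoids that: `HIDDEN_LDAP_USERS = os.getenv("HIDDEN_LDAP_USERS", "")`. A short comment above it, e.g. `# Comma-separated cns of LDAP accounts to treat as hidden system users (see cfg.example)`, would tie the setting to the matching cfg.example entry.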