Remove ldap auth

syncthing is fundamentally a single user app and it's confusing that
one can LDAP login giving the impression it is somehow multi-user.
This commit is contained in:
Girish Ramakrishnan 2018-02-26 10:30:48 -08:00
parent cdca87ef50
commit 94520d61bf
5 changed files with 4 additions and 95 deletions

View File

@ -7,10 +7,9 @@
"tagline": "Decentralized file synchronization", "tagline": "Decentralized file synchronization",
"version": "0.5.0", "version": "0.5.0",
"healthCheckPath": "/check", "healthCheckPath": "/check",
"httpPort": 8000, "httpPort": 3000,
"addons": { "addons": {
"localstorage": {}, "localstorage": {}
"ldap": {}
}, },
"tcpPorts": { "tcpPorts": {
"PORT": { "PORT": {

View File

@ -1,33 +1,6 @@
FROM cloudron/base:0.10.0 FROM cloudron/base:0.10.0
MAINTAINER Syncthing Developers <support@cloudron.io> MAINTAINER Syncthing Developers <support@cloudron.io>
EXPOSE 8000
RUN apt-get update && apt-get -y install busybox
ENV NGINX_VERSION=1.12.0
ENV NGINX_LDAP_VERSION=b80942160417e95adbadb16adc41aaa19a6a00d9
# Build a custom nginx with ldap support
RUN apt-get remove -y nginx-full && apt-get autoremove -y && apt-get -y install libldap2-dev libpcre3-dev
RUN mkdir -p /tmp/nginx-ldap
WORKDIR /tmp/nginx-ldap
RUN wget "https://github.com/kvspb/nginx-auth-ldap/archive/${NGINX_LDAP_VERSION}.tar.gz" -O - \
| tar -xz -C /tmp/nginx-ldap --strip-components=1
RUN mkdir -p /tmp/nginx
WORKDIR /tmp/nginx
RUN wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O - \
| tar -xz -C /tmp/nginx --strip-components=1
RUN ./configure \
--add-dynamic-module=/tmp/nginx-ldap \
--modules-path=/usr/local/nginx/modules \
--conf-path=/app/code/nginx.conf \
--pid-path=/run/nginx.pid \
--error-log-path=/run/nginx.error.log \
--build=cloudron-river
RUN make install
ENV VERSION 0.14.44 ENV VERSION 0.14.44
RUN mkdir -p /app/code \ RUN mkdir -p /app/code \
@ -36,8 +9,6 @@ RUN mkdir -p /app/code \
WORKDIR /app/code WORKDIR /app/code
ADD nginx.conf /app/code/nginx.conf
ADD inittab /etc/inittab
ADD start.sh /app/code/start.sh ADD start.sh /app/code/start.sh
CMD [ "/app/code/start.sh" ] CMD [ "/app/code/start.sh" ]

View File

@ -1,2 +0,0 @@
::respawn:sudo -nu cloudron /app/code/syncthing -gui-address=0.0.0.0:3000 -home=/app/data/config -no-browser >/dev/stdout 2>/dev/stderr
::respawn:/usr/local/nginx/sbin/nginx -c /app/code/nginx.conf

View File

@ -1,49 +0,0 @@
user cloudron;
load_module "/usr/local/nginx/modules/ngx_http_auth_ldap_module.so";
worker_processes 1;
pid /run/nginx.pid;
daemon off;
# Send logs to stderr
error_log /dev/stderr warn;
events {
worker_connections 768;
}
http {
include /run/ldap.conf;
error_log /dev/stderr warn;
log_format simple '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer"';
access_log /dev/stdout simple;
include /etc/nginx/mime.types;
client_body_temp_path /tmp/client_body 1 2;
proxy_temp_path /tmp/proxy_temp 1 2;
fastcgi_temp_path /tmp/fastcgi_temp 1 2;
uwsgi_temp_path /tmp/uwsgi_temp 1 2;
scgi_temp_path /tmp/scgi_temp 1 2;
proxy_buffering off;
proxy_cache_path /tmp/proxy_cache levels=1:2 keys_zone=my_cache:10m max_size=100m inactive=60m use_temp_path=off;
proxy_cache my_cache;
auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 300000;
auth_ldap_cache_size 100;
server {
error_log /dev/stderr warn;
listen 8000 default_server;
server_name _;
proxy_read_timeout 120s;
location /check {
proxy_pass http://localhost:3000/syncthing/app.js;
}
location / {
auth_ldap "Forbidden";
auth_ldap_servers cloudron;
proxy_pass http://localhost:3000;
}
}
}

View File

@ -12,22 +12,12 @@ if [ ! -f /app/data/config/config.xml ]; then
/app/code/syncthing --generate="/app/data/config" /app/code/syncthing --generate="/app/data/config"
fi fi
cat >/run/ldap.conf <<EOF
ldap_server cloudron {
url ${LDAP_URL}/${LDAP_USERS_BASE_DN}?username;
binddn ${LDAP_BIND_DN};
binddn_passwd ${LDAP_BIND_PASSWORD};
group_attribute ${LDAP_GROUPS_BASE_DN};
group_attribute_is_dn on;
require valid_user;
}
EOF
# Set the listenAddress and the gui enabled to make sure user doesnt lock themselves out by accident. # Set the listenAddress and the gui enabled to make sure user doesnt lock themselves out by accident.
sed -e 's,<listenAddress>.*</listenAddress>,<listenAddress>tcp://:22000</listenAddress>,' -i /app/data/config/config.xml sed -e 's,<listenAddress>.*</listenAddress>,<listenAddress>tcp://:22000</listenAddress>,' -i /app/data/config/config.xml
sed -e 's,<gui .*>,<gui enabled="true" tls="false" debugging="false">,' -i /app/data/config/config.xml sed -e 's,<gui .*>,<gui enabled="true" tls="false" debugging="false">,' -i /app/data/config/config.xml
chown -R cloudron:cloudron /app/data/config /app/data chown -R cloudron:cloudron /app/data/config /app/data
exec busybox init echo "=> Starting syncthing"
exec /usr/local/bin/gosu cloudron:cloudron /app/code/syncthing -gui-address=0.0.0.0:3000 -home=/app/data/config -no-browser