
Commit a515bd5

Updated the gitignore and added some specific README notes for this project.
1 parent b9c76cd commit a515bd5

2 files changed

+49
-1
lines changed


.gitignore

Lines changed: 3 additions & 0 deletions
@@ -21,3 +21,6 @@ Homestead.yaml
2121
Homestead.json
2222
/.vagrant
2323
.phpunit.result.cache
24+
25+
configuration.php
26+
/logs/*.log
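Review bot: the `/logs/*.log` pattern is anchored at the repository root, so it only covers log files directly under `/logs`; the README in this same commit says the packaged layout keeps its `logs` folder inside `Data`, so if the daily log files are written there they would still be tracked. Consider `logs/*.log` (unanchored) or `**/logs/*.log` so both layouts are covered. Ignoring `configuration.php` is the right call here, since that file holds the `$connections` LDAP credentials and the `$debug_object` username/password described in the README; it is worth a one-line comment in `.gitignore` saying so, so nobody removes the entry later.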

README.md

Lines changed: 46 additions & 1 deletion
@@ -1 +1,46 @@
1-
# sftpgo-ldap-http-server
1+
# sftpgo-ldap-http-server
2+
3+
Simple integration for use with SFTPGo's External Authentication capabilities.
4+
5+
This project differs from the earlier `sftpgo-ldap` repository since it uses the `amphp/http-server` package to allow for PHP to act as a lightweight HTTP server.
6+
7+
I'll probably also experiment with the RoadRunner / Spiral Framework project as well at some point as offers a similar capability, but I ended up starting with the `amphp/http-server` solution to see if it would be successful first.
8+
9+
To keep things simpler for users, even though you could install PHP on the intended server first, and clone this repo into it, I've created a ZIP that includes a binary created using `ExeOutput for PHP` ahead of time that embed the PHP runtime and LDAP and Socket extensions, along with the `/vendor` code from the dependencies used here. You can still customize the functions.php file and configuration.php file which are located in the '/Data' folder after unzipping, just like you can with the `sftpgp-ldap` repository solutions.
10+
11+
The main reason for creating this alternative option is because, I had observed that setting SFTPGo's `external_auth_hook` to point to the EXE option in my `sftpgo-ldap` repository seemed to incur a considerable lag time for the authentication process, and using an HTTP URL for the hook seemed to be considerably faster.
12+
13+
However, I wanted to somehow bring in a simple HTTP server that also allowed me to use most of the existing PHP code I had created and the existing PHP libaries I'm using (in particular, the LdapRecord library for PHP is pretty awesome, so it helps simplify the LDAP interactions), so that's where `amphp/http-server` came into the picture (along with ExeOutput for PHP to help with creating a binary afterwards to simplify things even further).
14+
15+
### Quick Instructions (this is only if you want to setup PHP separately on your server and clone the repository):
16+
17+
NOTE: You will need to run this code via something like: `php index.php` at the command line on your computer/server.
18+
19+
* Once cloned, make sure to run `composer install` to add in the amphp, LdapRecord, and Monolog dependencies.
20+
* Copy `configuration.example.php` to `configuration.php` and then begin making adjustments (primarily, you should add `$connections`, adjust `$home_directories`, and add `$virtual_folders`, if desired, and edit the `$default_output_object` if you need to since that's used as a template for what's passed back to SFTPGo).
21+
* You can adjust the `$port` value to allow the server to run on a different port.
22+
* You can add additional `allowed_ips` for the PHP code to respond to (I added my remote IP of the SFTPGo server and my home IP in addition to the localhost related ones).
23+
* You can add one or more named LDAP connections, each pointing to a different LDAP server (if needed) or simply to different Organizational Units. (e.g. one for staff, one for students, and possibly others for different use cases). Each of the connections will be tried in order.
24+
* In addition to the named connections, you will need to define a home directory for each of the named LDAP connections too. These would correspond to directories on the SFTPGo server.
25+
* You may also define one or more virtual directories that would be displayed to users as well after they login.
26+
* Placeholder support is present for the `#USERNAME#` key (for any home directories you define, or for the `name` and `mapped_path` keys when defining virtual directories), which you can use so that each LDAP user would automatically be assigned their own user-specific folder within the home directory defined for the LDAP connection (e.g. if `C:\test\#USERNAME#` is the home directory and my username is `example` then when I login via SFTP I would have the `C:\test\example` folder created where my files would be placed).
27+
* There is a default output object template in the configuration that can be edited if you wanted a different set of defaults to be applied for your users (currently, the only parts that will be changed in the final object response are the `username` and `home_dir` values, and any virtual folders defined will be added as the response object is being generated, since extra processing of the `#USERNAME#` placeholders may be needed).
28+
29+
### Quick Instructions for Using Provided ZIP Package:
30+
31+
* A ZIP file will be attached that already has the amphp/LdapRecord/Monolog dependencies included.
32+
* Once unzipped, you will see a `sftpgo-ldap-http-server.exe` along with a `Data` folder .
33+
* The `Data` folder should only contain the `configuration.example.php` file (which should be copied and named `configuration.php` and customized for your environment), the `functions.php` file (if you may have a specific tweak needed since the current file is mainly setup for an Active Directory environment), along with a `logs` folder which will only log info if you have that flag enabled in your configuration.
34+
* The rest of the configuration related comments shared above in the other instructions would still apply.
35+
* Once configured, you can open up a command prompt in the directory you unzipped the files into and run the `sftpgo-ldap-http-server.exe` and it should start up the simple HTTP server and you can then configure SFTPGo with:`external_auth_hook` set to `http://localhost:9001/` and restart the SFTPGo service to give it a try.
36+
* Once you've been able to verify that things are working as expected, you can use something like the nssm utility and set the EXE to be able to run as a service on your Windows server.
37+
* NOTE: (An OpenLDAP folder may be included in the ZIP package, but it is not needed directly by the EXE, so it can be deleted if you don't need it...it is mainly provided as a convenience, allowing you to easily copy that folder into your `C:` root if you don't already have it there to help with the TLS related issues shared below).
38+
39+
### Server Side Tips:
40+
41+
* You will need to have PHP with the LDAP (and Sockets) extension installed on your server for this project to function.
42+
* If using TLS, the tip on this page (https://ldaprecord.com/docs/core/v2/configuration/#debugging) may be helpful since the `TLS_REQCERT never` option may need to be added locally if testing on Windows (the file `C:\OpenLDAP\sysconf\ldap.conf` will likely need to be created and that config line added to it) or on your live server (Linux: `/etc/ldap/ldap.conf`) along with the "proper" way also described on the page.
43+
* To run a basic test without SFTPGo, you may adjust `_SFTPGO_DEBUG` inside of `configuration.php` to `true` and then adjust the `$debug_object` with the username/password of a real account and see if you successfully receive a JSON response object back, which would indicate the authentication was successful against one of your LDAP connections. If you do use this feature, make sure to turn it back off again, since it will prevent normal logins from working (since it'll always use the `$debug_object`.
44+
* Basic logging has also been added that you can temporarily enable to get a better idea for where you may be having a problem by setting `_SFTPGO_LOG` to true (and a new file for the day should be created in the logs folder).
45+
46+
I hope this is helpful for others wanting to make use of SFTPGo and LDAP/Active Directory!
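Review bot: the Server Side Tips bullet on TLS suggests adding `TLS_REQCERT never` "on your live server (Linux: `/etc/ldap/ldap.conf`)" as well as locally; that setting disables verification of the LDAP server's certificate, so it should be presented as a local debugging step only, with the live server pointed at the "proper" CA-certificate approach the same bullet already references. In the same vein, the ZIP instructions set `external_auth_hook` to `http://localhost:9001/` while the `allowed_ips` bullet mentions adding the remote IP of the SFTPGo server; since SFTPGo posts the username and password to that hook, the README should state that a non-localhost hook must be reachable only over a trusted network (or fronted by TLS), and that `_SFTPGO_DEBUG` must be turned off before the server goes live, which the debug bullet already says but only in passing. Minor wording fixes for the same hunk: "`sftpgp-ldap`" should be "`sftpgo-ldap`", "libaries" should be "libraries", "as offers a similar capability" is missing "it", "the `Data` folder ." has a stray space before the period, and the `_SFTPGO_DEBUG` bullet ends with an unclosed parenthesis ("since it'll always use the `$debug_object`.").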
