LDAP Documentation (#91)

* document local setup for ldap

* concept for ldap

* add ldap to topics

Author: Metauriel

docs/topics/h5p/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "H5P",
-  "position": 9,
+  "position": 8,
   "link": {
     "type": "generated-index",
     "description": "Learn about the H5P services & modules."

docs/topics/ldap/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "LDAP",
+  "position": 9,
+  "link": {
+    "type": "generated-index",
+    "description": "Learn about the LDAP strategy."
+  }
+}

docs/topics/ldap/concept.md

@@ -0,0 +1,57 @@
+# LDAP Sync
+
+The LDAP Sync is a highly configurable and scalable tool to import Users, Classes, and Schools from an LDAP System into the Bildungscloud.
+
+## Strukture
+
+Each external LDAP Server that should be synced has to be configured with a `system` object in the database.
+
+Through the `system` object, many details for the structure of the external LDAP can be configured, so they can be automatically mapped to our datastructure.
+
+There is a UI under /administration/school-settings where a school admin is able to configure an LDAP system for his own school himself. However bear in mind that this is a fairly complicated and errorprone matter, that should be done by people with technikal knowledge and be closely monitored by Support.
+
+Its also possible to set up an LDAP System with multiple schools.
+
+The actual Synchronisation is triggered regularly via a Cronjob, and is implemented with a producer/consumer pattern via RabbitMQ.
+
+## Requirements
+
+The external LDAP System has to be accessible for our Server.
+If necessary, the corresponding IP adresses should be whitelisted in the firewall of the LDAP Provider. (This means we need to ensure the IP Adress used by the server does not randomly change)
+
+Each user in the LDAP must have the following attributes, though their naming may vary:
+
+- uid (used as login name, must be unique)
+- uuid (must be immutable and unique)
+- mail (must be unique)
+- givenName (firstname)
+- sn (surname)
+- objectClass (must include the value `person`)
+
+The role of the user can either be an attribute, or an ldap group (`memberOf`). There must be the following roles, though their naming may vary:
+
+- ROLE_STUDENT
+- ROLE_TEACHER
+- ROLE_ADMIN
+
+You can also give the role `ROLE_NO_SC` to users that should not be synced.
+
+## Components
+
+The Code can be found in the legacy Server under [src/services/sync/strategies](https://github.com/hpi-schul-cloud/schulcloud-server/tree/main/src/services/sync/strategies).
+
+The three main components are the `LDAPSyncer`, `LDAPSyncerConsumer`, and `LDAPSystemSyncer`.
+
+the `LDAPSyncer` will process a single LDAP System, fetch and parse its data to identify its schools, classes, and users, and push each of those as a rabbitMQ event.
+
+the `LDAPSyncerConsumer` will consume these events, and create or update the corresponding objects in the Bildungscloud.
+
+the `LDAPSystemSyncer` provides an API to run all configured LDAP Systems with a single command.
+
+## Scaling
+
+The LDAP Sync is, as of writing this, not yet implemented as a microservice, but part of the legacy Server.
+
+However when multiple Servers are deployed and connected via RabbitMQ, they will share and balance the work among themselves.
+
+Do ensure each of the Servers that should partake in the LDAP Sync has `FEATURE_SYNCER_CONSUMER_ENABLE` set.

docs/topics/ldap/local-setup.md

@@ -0,0 +1,127 @@
+# Setting up LDAP server on local & dev environments
+
+## Introduction
+
+This guide describes how to test the LDAP adapter in a local or dev environment. For this we use the following Docker image: [ghcr.io/hpi-schul-cloud/sc-openldap-single:main](http://ghcr.io/hpi-schul-cloud/sc-openldap-single:main) It provides a multitude of users for testing, in a compatible format.
+
+---
+
+## Setting up the LDAP server for local development & testing purposes
+
+### Starting the LDAP Container
+
+The first step is to start a Docker container with the **sc-openldap-single** image and exposed 389 port for the ldap protocol connections.
+
+Note that there have been issues running the ldaps protocol.
+
+```bash
+docker run -d -p 389:389 --name openldap ghcr.io/hpi-schul-cloud/sc-openldap-single:main
+```
+
+You can verify the deployment using [Apache Directory Studio™](https://directory.apache.org/studio/) or a simlar software to connect:
+
+- **Hostname:** `localhost` or `127.0.0.1`
+- **Port:** `389`
+- **Bind DN or user:** `cn=admin,dc=example,dc=org`
+- **Bind password:** `admin`
+
+### Connecting to the LDAP Container
+
+Since we are not using the ldaps protocoll for the local deployment, we have to configure the server to accept insecure ldap connections. Add the following to your environment variables:
+
+```bash
+FEATURE_ALLOW_INSECURE_LDAP_URL_ENABLED: true
+```
+
+To configure a school in the Bildungscloud to use your new LDAP deployment, there are two ways: Either you add the necessary data directly in the database, or you add the system in the UI.
+
+To make the changes directly, add the following Object in the `systems` collection
+
+```json
+{
+  "type": "ldap",
+  "alias": "testldap-schoolOne0",
+  "ldapConfig": {
+    "active": true,
+    "federalState": {
+      "$oid": "0000b186816abba584714c53"
+    },
+    "url": "ldap://127.0.0.1:389",
+    "rootPath": "o=schoolOne0,dc=de,dc=example,dc=org",
+    "searchUser": "cn=admin,dc=example,dc=org",
+    "searchUserPassword": "<encryt this with your Base64 Key>",
+    "provider": "general",
+    "providerOptions": {
+      "schoolName": "Paul-Gerhardt-Gymnasium",
+      "userPathAdditions": "ou=users",
+      "classPathAdditions": "ou=groups",
+      "roleType": "group",
+      "userAttributeNameMapping": {
+        "givenName": " givenName",
+        "sn": "sn",
+        "dn": "dn",
+        "uuid": "uuid",
+        "uid": "uid",
+        "mail": "mail",
+        "role": "memberOf"
+      },
+      "roleAttributeNameMapping": {
+        "roleStudent": "cn=ROLE_STUDENT,ou=roles,o=schoolOne0,dc=de,dc=example,dc=org",
+        "roleTeacher": "cn=ROLE_TEACHER,ou=roles,o=schoolOne0,dc=de,dc=example,dc=org",
+        "roleAdmin": "cn=ROLE_ADMIN,ou=roles,o=schoolOne0,dc=de,dc=example,dc=org",
+        "roleNoSc": "cn=ROLE_NBC_EXCLUDE,ou=roles,o=schoolOne0,dc=de,dc=example,dc=org"
+      },
+      "classAttributeNameMapping": {
+        "description": "description",
+        "dn": "dn",
+        "uniqueMember": "member"
+      }
+    }
+  },
+}
+```
+
+Then add the following properties to a school object of your choice.
+
+```json
+{
+  [...]
+  "systems": [
+    {
+      "$oid": "<id of the system you just created>"
+    }
+  ],
+  "ldapSchoolIdentifier": "o=schoolOne0,dc=de,dc=example,dc=org"
+}
+```
+
+Alternatively, in the UI you can login as a school admin and navigate to /administration/school-settings, and under "Authentication" click on "Add LDAP System".
+
+Refer to the example above for the values. (note that the password only has to be encrypted if you add it to the database manually)
+
+> **Note:** you can not use `localhost` as the hostname, since that will be rejected by the validator. use the ip adress `127.0.0.1` instead.
+
+Once you have filled all the fields you can verify the config.
+
+---
+
+## Triggering the LDAP sync
+
+Before triggering the LDAP sync ensure you have a working RabbitMQ setup, and add the following environment variables
+
+```bash
+FEATURE_SYNCER_CONSUMER_ENABLE: 'true'
+SYNC_API_KEY: 'a-key-of-your-choice'
+```
+
+Then trigger the sync with the following request:
+
+```bash
+curl -X POST -H "X-API-Key: $SYNC_API_KEY" "$API_HOST/v1/sync?target=ldap"
+```
+
+You should get a response similar to:
+
+```json
+[{"success":true,"errors":[],"systems":{"Paul-Gerhardt-Gymnasium":{"success":true,"errors":[],"schools":1,"users":1226,"classes":17}}}]
+```

docs/topics/vue-client/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Vue Client",
-  "position": 18,
+  "position": 20,
   "link": {
     "type": "generated-index",
     "description": "Learn about the vue-client repo."