fac36aae11
This commit adds code to allow users that prefer to do user management via LDAP to do so. Since Etebase does not store the password (proof) in a LDAP compatible fashion, we compromise and instead two checks: One while registering an account to see if the username is the LDAP directory and one whenever the API is accessed. To prevent too many LDAP requests, the result of the request is cached for an configurable amount of hours. Make sure you have python-ldap installed and can successfully import ldap. Then, if you use the easy config, add the following to your config: ``` ; [...] ; Regular etesync configuration [ldap] bind_dn = <Your LDAP "user" to bind as. See Note 1> bind_pw = <The password to authenticate as your bind user> ; Or if you have the password in a file: ; bind_pw_file = /path/to/the/file.txt server = <The URL to your LDAP server> search_base = <Your search base> filter = <Your LDAP filter query. See Note 2> ; In case a cache TTL of 1 hour is too short for you, set `cache_ttl` to the preferred ; amount of hours a cache entry should be viewed as valid: ; cache_ttl = 5 ``` With this config, I am able to make the EteSync server check with my LDAP server if a user should be able to login or register. Note that if a user is allowed to login or register, the password of the LDAP user will be ignored. This LDAP patch is nothing more than an additional check before the actual authentication. A successful LDAP check will be cached, if not configured (correctly), for one hour, after which the LDAP query will be performed again. Note 1: This commit only works with a bind user Note 2: The query must be specified. If an LDAP query returns more than one or no result, then the authentication fails. If your query needs to include the username that currently tries to perform a login or registration, you can use %%s, which will be subsituted for the used username. |
3 years ago | |
---|---|---|
.github | 4 years ago | |
docker | 3 years ago | |
etebase_server | 3 years ago | |
requirements.in | 3 years ago | |
.dockerignore | 4 years ago | |
.gitignore | 3 years ago | |
ChangeLog.md | 3 years ago | |
LICENSE | 7 years ago | |
README.md | 3 years ago | |
etebase-server.ini.example | 3 years ago | |
icon.svg | 6 years ago | |
manage.py | 3 years ago | |
mypy.ini | 4 years ago | |
pyproject.toml | 3 years ago | |
requirements-dev.txt | 3 years ago | |
requirements.txt | 3 years ago | |
setup.py | 3 years ago |
README.md
Etebase - Encrypt Everything
An Etebase (EteSync 2.0) server so you can run your own.
Installation
Requirements
Etebase requires Python 3.7 or newer and has a few Python dependencies (listed in requirements.in/base.txt
).
From source
Before installing the Etebase server make sure you install virtualenv
(for Python 3):
- Arch Linux:
pacman -S python-virtualenv
- Debian/Ubuntu:
apt-get install python3-virtualenv
- Mac/Windows (WSL)/Other Linux: install virtualenv or just skip the instructions mentioning virtualenv.
Then just clone the git repo and set up this app:
git clone https://github.com/etesync/server.git etebase
cd etebase
# Set up the environment and deps
virtualenv -p python3 .venv # If doesn't work, try: virtualenv3 .venv
source .venv/bin/activate
pip install -r requirements.txt
Configuration
If you are familiar with Django you can just edit the settings file
according to the Django deployment checklist.
If you are not, we also provide a simple configuration file for easy deployment which you can use.
To use the easy configuration file rename it to etebase-server.ini
and place it either at the root of this repository or in /etc/etebase-server
.
There is also a wikipage detailing this basic setup.
Some particular settings that should be edited are:
ALLOWED_HOSTS
-- this is the list of host/domain names or addresses on which the app will be served. For example:etebase.example.com
DEBUG
-- handy for debugging, set toFalse
for productionMEDIA_ROOT
-- the path to the directory that will hold user data.SECRET_KEY
-- an ephemeral secret used for various cryptographic signing and token generation purposes. See below for how default configuration ofSECRET_KEY
works for this project.
Now you can initialise our django app.
./manage.py migrate
And you are done! You can now run the debug server just to see everything works as expected by running:
uvicorn etebase_server.asgi:application --host 0.0.0.0 --port 8000
Using the debug server in production is not recommended, so please read the following section for a proper deployment.
Production deployment
There are more details about a proper production setup using uvicorn and Nginx in the wiki.
The webserver should also be configured to serve Etebase using TLS. A guide for doing so can be found in the wiki as well.
The Etebase server needs to be aware of the URL it's been served as, so make sure to forward the Host
header to the server if using a reverse proxy. For example, you would need to use the following directive in nginx: proxy_set_header Host $host;
.
Data locations and backups
The server stores user data in two different locations that need to be backed up:
- The database - how to backup depends on which database you use.
- The
MEDIA_ROOT
- the path where user data is stored.
Usage
Create yourself an admin user:
./manage.py createsuperuser
At this stage you need to create accounts to be used with the EteSync apps. To do that, please go to:
www.your-etesync-install.com/admin
and create a new user to be used with the service. No need to set
a password, as Etebase uses a zero-knowledge proof for authentication, so the user will just create
a password when creating the account from the apps.
After this user has been created, you can use any of the EteSync apps to signup (or login) with the same username and email in order to set up the account. The password used at that point will be used to setup the account. Don't forget to set your custom server address under "Advanced".
SECRET_KEY
and secret.txt
The default configuration creates a file “secret.txt
” in the project’s
base directory, which is used as the value of the Django SECRET_KEY
setting. You can revoke this key by deleting the secret.txt
file and the
next time the app is run, a new one will be generated. Make sure you keep
the secret.txt
file secret (e.g. don’t accidentally commit it to version
control). However, backing it up is okay, and it makes it easier to restore
the database to a new EteSync server, but it's not essential. If you want to
change to a more secure system for storing secrets, edit etesync_server/settings.py
and implement your own method for setting SECRET_KEY
(remove the line
where it uses the get_secret_from_file
function). Read the Django docs
for more information about the SECRET_KEY
and its uses.
Updating
Updating from version 0.5.0 onwards
First, run git pull --rebase
to update this repository.
Then, inside the virtualenv:
- Run
pip install -U -r requirements.txt
to update the dependencies. - Run
python manage.py migrate
to perform database migrations.
You can now restart the server.
Updating from version 0.5.0 or before
The 0.5.0 release marks the change to the EteSync 2.0 protocol. EteSync 2.0 accounts are substantially different to 1.0 accounts, and require additional upgrade steps. In addition, the servers are incompatible, so 0.5.0 requires a fresh installation.
Here are the update steps:
- Chose any of the the migration tools and make sure the underlying apps are up to date with all of your data. So for example, if you are using the Android client, make sure to sync before commencing.
- Install the 0.5.0 version to a new path (you can't reuse the same database).
- Run the 0.5.0 account and create the appropriate users as described in the installation/upgrade steps above.
- Run the migration tool to migrate all of your data.
- Add your new EteSync 2.0 accounts to all of your devices.
Testing
Docker images named etesync/test-server:<version>
and :latest
are available for testing etesync clients.
This docker image starts a server on port 3735 that supports user signup (without email confirmation), is in debug mode (thus supporting the reset endpoint), and stores its data locally.
It is in no way suitable for production usage, but is able to start up quickly and makes a good component of CI for etesync clients and users of those clients.
User signup
Instead of having to create Django users manually when signup up Etebase users, it is also possible to allow automatic signup. For example, this makes sense when putting an Etebase server in production. However, this does come with the added risk that everybody with access to your server will be able to sign up.
In order to set it up, comment out the line ETEBASE_CREATE_USER_FUNC = "etebase_server.django.utils.create_user_blocked"
in server/settings.py
and restart your Etebase server.
License
Etebase is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License version 3 as published by the Free Software Foundation. See the LICENSE for more information.
A quick summary can be found on tldrlegal. Though in even simpler terms (not part of the license, and not legal advice): you can use it in however way you want, including self-hosting and commercial offerings as long as you release the code to any modifications you have made to the server software (clients are not affected).
Commercial licensing
For commercial licensing options, contact license@etebase.com
Financially Supporting Etebase
Please consider registering an account even if you self-host in order to support the development of Etebase, or visit the contribution for more information on how to support the service.
Become a financial contributor and help us sustain our community!