Created
January 13, 2025 12:35
-
-
Save gashcrumb/37379e5d6384d236fd1b3af0dd42a9c6 to your computer and use it in GitHub Desktop.
slightly modified glauth config to make an example easier to run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################# | |
| # glauth.conf | |
| ################# | |
| # General configuration. | |
| debug = true | |
| # syslog = true | |
| # structuredlog = true | |
| # | |
| # Enable hot-reload of configuration on changes | |
| # - does NOT work [ldap], [ldaps], [backend] or [api] sections | |
| # watchconfig = true | |
| ################# | |
| # yubikeyclientid = "yubi-api-clientid" | |
| # yubikeysecret = "yubi-api-secret" | |
| ################# | |
| # Server configuration. | |
| [ldap] | |
| enabled = true | |
| # run on a non privileged port | |
| listen = "0.0.0.0:3893" | |
| tls = false # enable StartTLS support | |
| tlsCertPath = "glauth.crt" | |
| tlsKeyPath = "glauth.key" | |
| [ldaps] | |
| # to enable ldaps generate a certificate, eg. with: | |
| # openssl req -x509 -newkey rsa:4096 -keyout glauth.key -out glauth.crt -days 365 -nodes -subj '/CN=`hostname`' | |
| enabled = false | |
| listen = "0.0.0.0:3894" | |
| cert = "glauth.crt" | |
| key = "glauth.key" | |
| ################# | |
| # Tracing section controls the tracer configuration | |
| [tracing] | |
| # if enabled is set to false, a no-op tracer will be used | |
| enabled = false | |
| # if both grpcEndpoint and httpEndpoint are unset, the default stdout provider will be used | |
| # TODO add allowGRPCInsecure: right now grpc otlp is using the WithInsecure flag so traffic | |
| # will always go without verifying server certificates | |
| # grpcEndpoint = "otlp.monitoring.io:4317" | |
| # httpEndpoint = "http://otlp.monitoring.io:4318" | |
| ################# | |
| # The backend section controls the data store. | |
| [backend] | |
| datastore = "config" | |
| baseDN = "dc=glauth,dc=com" | |
| # If you are using a client that requires reading the root DSE first | |
| # such as SSSD | |
| anonymousdse = false | |
| ## Configure dn format to use structures like | |
| ## "uid=serviceuser,cn=svcaccts,$BASEDN" instead of "cn=serviceuser,ou=svcaccts,$BASEDN" | |
| ## to help ease migrations from other LDAP systems | |
| # nameformat = "uid" | |
| # groupformat = "cn" | |
| ## Configure ssh-key attribute name, default is 'sshPublicKey' | |
| # sshkeyattr = "ipaSshPubKey" | |
| [behaviors] | |
| # Ignore all capabilities restrictions, for instance allowing every user to perform a search | |
| IgnoreCapabilities = false | |
| # Enable a "fail2ban" type backoff mechanism temporarily banning repeated failed login attempts | |
| LimitFailedBinds = true | |
| # How many failed login attempts are allowed before a ban is imposed | |
| NumberOfFailedBinds = 3 | |
| # How long (in seconds) is the window for failed login attempts | |
| PeriodOfFailedBinds = 10 | |
| # How long (in seconds) is the ban duration | |
| BlockFailedBindsFor = 60 | |
| # Clean learnt IP addresses every N seconds | |
| PruneSourceTableEvery = 600 | |
| # Clean learnt IP addresses not seen in N seconds | |
| PruneSourcesOlderThan = 600 | |
| ################# | |
| # The users section contains a hardcoded list of valid users. | |
| # to create a passSHA256: echo -n "mysecret" | openssl dgst -sha256 | |
| [[users]] | |
| name = "hackers" | |
| uidnumber = 5001 | |
| primarygroup = 5501 | |
| passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood | |
| [[users.customattributes]] | |
| employeetype = ["Intern", "Temp"] | |
| employeenumber = [12345, 54321] | |
| [[users.capabilities]] | |
| action = "search" | |
| object = "ou=superheros,dc=glauth,dc=com" | |
| # This user record shows all of the possible fields available | |
| [[users]] | |
| name = "johndoe" | |
| givenname="John" | |
| sn="Doe" | |
| mail = "[email protected]" | |
| uidnumber = 5002 | |
| primarygroup = 5501 | |
| loginShell = "/bin/sh" | |
| homeDir = "/root" | |
| passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood | |
| sshkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3UKCEllO2IZXgqNygiVb+dDLJJwVw3AJwV34t2jzR+/tUNVeJ9XddKpYQektNHsFmY93lJw5QDSbeH/mAC4KPoUM47EriINKEelRbyG4hC/ko/e2JWqEclPS9LP7GtqGmscXXo4JFkqnKw4TIRD52XI9n1syYM9Y8rJ88fjC/Lpn+01AB0paLVIfppJU35t0Ho9doHAEfEvcQA6tcm7FLJUvklAxc8WUbdziczbRV40KzDroIkXAZRjX7vXXhh/p7XBYnA0GO8oTa2VY4dTQSeDAUJSUxbzevbL0ll9Gi1uYaTDQyE5gbn2NfJSqq0OYA+3eyGtIVjFYZgi+txSuhw== rsa-key-20160209"] | |
| passappsha256 = [ | |
| "c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa", # TestAppPw1 | |
| "c9853d5f2599e90497e9f8cc671bd2022b0fb5d1bd7cfff92f079e8f8f02b8d3", # TestAppPw2 | |
| "4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88", # TestAppPw3 | |
| ] | |
| [[users]] | |
| name = "serviceuser" | |
| mail = "[email protected]" | |
| uidnumber = 5003 | |
| primarygroup = 5502 | |
| passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret | |
| [[users.capabilities]] | |
| action = "search" | |
| object = "*" | |
| # Test user showing 2 factor auth authentication | |
| [[users]] | |
| name = "otpuser" | |
| uidnumber = 5004 | |
| primarygroup = 5501 | |
| passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret | |
| otpsecret = "3hnvnk4ycv44glzigd6s25j4dougs3rk" | |
| yubikey = "vvjrcfalhlaa" | |
| [[users.capabilities]] | |
| action = "search" | |
| object = "ou=superheros,dc=glauth,dc=com" | |
| [[users]] | |
| name = "uberhackers" | |
| uidnumber = 5005 | |
| primarygroup = 5501 | |
| # bcrypt format: hex($2y$2^<number of rounds>$<salt>$<hash>) | |
| passappbcrypt = [ | |
| "243261243130244B62463462656F7265504F762E794F324957746D656541326B4B46596275674A79336A476845764B616D65446169784E41384F4432" # dogood | |
| ] | |
| # uncomment and comment out above array to test password with otp code | |
| # passappbcrypt = "243261243130244B62463462656F7265504F762E794F324957746D656541326B4B46596275674A79336A476845764B616D65446169784E41384F4432" # dogood | |
| otpsecret = "3hnvnk4ycv44glzigd6s25j4dougs3rk" | |
| [[users]] | |
| name = "danger" | |
| uidnumber = 5006 | |
| primarygroup = 5503 | |
| passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood | |
| ################# | |
| # The groups section contains a hardcoded list of valid users. | |
| [[groups]] | |
| name = "superheros" | |
| gidnumber = 5501 | |
| [[groups]] | |
| name = "svcaccts" | |
| gidnumber = 5502 | |
| [[groups]] | |
| name = "umbrella" | |
| gidnumber = 5503 | |
| includegroups = [ 5504 ] | |
| [[groups]] | |
| name = "danger" | |
| gidnumber = 5504 | |
| [[groups.capabilities]] | |
| action = "search" | |
| object = "dc=glauth,dc=com" | |
| ################# | |
| # Enable and configure the optional REST API here. | |
| [api] | |
| enabled = true | |
| internals = true # debug application performance | |
| tls = false # enable TLS for production!! | |
| listen = "0.0.0.0:5555" | |
| cert = "cert.pem" | |
| key = "key.pem" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment