lic_template
{
"_comment":"This is a template of the LDAP integration config file in JSON. For security, please create this template by using the create_lic.pl command, which fills the <auth-credentials> field in the <ldap-service> section with an encrypted password. After you make your changes, you can remove the <_comment> lines in all sections (but you do not have to). Among all the sections, only the <sync> section is mandatory. However, if sync is enabled, <ldap-service>, !!ONLY!! ONE of <accounting-groups> and <groups-partition>, <groups> and <users> become mandatory. The simplest configuration is disabled sync, with only the <sync> section, in which <enable> is false.",
"ldap-service":{
"_comment":"This section defines configurations for the LDAP service. <server-url> defines the LDAP service URL. <auth-method> specifies the LDAP authentication method for the administrative identity designated to perform LDAP sync. <user-auth-method> specifies the LDAP authentication method for normal LDAP users. <auth-principal> defines the LDAP authentication user (the identity used to access LDAP). <auth-credentials> accepts either an un-encrypted or an encrypted password. An encrypted password has the format {RSA/ECB/PKCS1Padding}xxxxxxxxxxxxx. <use-ssl> specifies whether to use SSL for the LDAP connection for extra safety. <ignore-ssl-cert-validation> specifies whether to ignore SSL certificate validation, especially for accepting self-signed certificates. <krb5-conf> specifies the krb5.conf file for GSSAPI with Kerberos V5 authentication.",
"server-url":"ldap://localhost:7733",
"auth-method":"simple",
"user-auth-method":"simple",
"auth-principal":"cn=ldapadmin,dc=foo,dc=com",
"auth-credentials":"ENCRYPTED_PASSWORD",
"use-ssl":"false",
"ignore-ssl-cert-validation":"false",
"krb5-conf":"/path/to/krb5.conf"
},
"sync":{
"_comment":"This section defines configurations for sync behavior. <enable> turns on/off sync. <auto> specifies if sync is automated. <interval> defines the period between syncs. <clean-deletion> specifies whether to clean up identity objects that are already deleted in the LDAP from the local database.",
"enable":"true",
"auto":"true",
"interval":"900000",
"clean-deletion":"false"
},
"accounting-groups":{
"_comment":"This section defines configurations for accounting groups. !!REMOVE!! this section if you don't have accounting groups and will define accounts by using groups partitions. <base-dn> defines the base DN for searching accounting groups. <id-attribute> specifies the name of the attribute that serves as the unique ID of an account. <member-attribute> is the name of the attribute that lists the members of the group. <selection> is a construct that defines how to pick groups in the tree.",
"base-dn":"ou=groups,dc=foo,dc=com",
"id-attribute":"cn",
"member-attribute":"member",
"selection":{
"_comment":"This construct defines which entities to select from the LDAP tree. <filter> is mandatory and is an LDAP search filter. <select> and <not-select> are optional lists of individual entries to always include or exclude.",
"filter":"objectClass=accountingGroup",
"select":["cn=accountingToSelect,ou=Groups,dc=foo,dc=com"],
"not-select":["cn=accountingToIgnore,ou=Groups,dc=foo,dc=com"]
}
},
"groups-partition":{
"_comment":"This section defines configurations for groups partitions. !!REMOVE!! this section if you have accounting groups and will use accounting groups to define accounts. Each field defines an account and gives the IDs of the groups for the account.",
"fooAccount":["fooGroup1", "fooGroup2"],
"barAccount":["barGroup1", "barGroup2"]
},
"groups":{
"_comment":"This section defines configurations for the groups to sync. <base-dn> defines the base DN for searching groups. <id-attribute> specifies the name of the attribute that serves as the unique ID of a group. <member-attribute> is the name of the attribute that lists the members of the group. <selection> is a construct that defines how to pick groups in the tree.",
"base-dn":"ou=groups,dc=foo,dc=com",
"id-attribute":"cn",
"member-attribute":"member",
"selection":{
"_comment":"This construct defines which entities to select from the LDAP tree. <filter> is mandatory and is an LDAP search filter. <select> and <not-select> are optional lists of individual entries to always include or exclude.",
"filter":"objectClass=groupOfNames",
"select":["cn=groupToSelect,ou=Groups,dc=foo,dc=com"],
"not-select":["cn=groupToIgnore,ou=Groups,dc=foo,dc=com"]
}
},
"users":{
"_comment":"This section defines configurations for the users to sync. <base-dn> defines the base DN for searching users. <id-attribute> specifies the name of the attribute that serves as the unique ID of a user. <sasl-id-attribute> defines the name of the attribute that serves as the ID for LDAP login in SASL mode. <user-info-attributes> defines which user attributes are imported; each field in it maps an LDAP attribute name to the name to be used in Eucalyptus. <selection> is a construct that defines how to pick users in the tree.",
"base-dn":"ou=people,dc=foo,dc=com",
"id-attribute":"uid",
"sasl-id-attribute":"uid",
"user-info-attributes":{
"fullName":"Full Name",
"email":"Email"
},
"selection":{
"_comment":"This construct defines which entities to select from the LDAP tree. <filter> is mandatory and is an LDAP search filter. <select> and <not-select> are optional lists of individual entries to always include or exclude.",
"filter":"objectClass=inetOrgPerson",
"select":["uid=john,ou=People,dc=foo,dc=com", "uid=jack,ou=People,dc=foo,dc=com"],
"not-select":["uid=tom,ou=People,dc=foo,dc=com"]
}
}
}
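The template's comments spell out structural rules (only <sync> is mandatory; with sync enabled, <ldap-service>, <groups>, <users> and exactly one of <accounting-groups> / <groups-partition> are required) and several security-relevant knobs (<auth-credentials> in the {RSA/ECB/PKCS1Padding} form, <use-ssl>, <ignore-ssl-cert-validation>). The following linter, an added example that is not part of the Eucalyptus project or of create_lic.pl, checks a LIC document against those rules; the base64 ciphertext shape, the lint messages and the constructed sample configuration are this example's own assumptions.

```python
import json
import re

# Encrypted credential shape per the template's _comment: "{RSA/ECB/PKCS1Padding}" + ciphertext (assumed base64).
ENCRYPTED_RE = re.compile(r"^\{RSA/ECB/PKCS1Padding\}[A-Za-z0-9+/=]+$")

def _is_true(value):
    # The template writes booleans as strings ("true"/"false"); accept real booleans too.
    return str(value).lower() == "true"

def lint_lic(text):
    """Return the list of problems found in a LIC document (empty list = clean)."""
    cfg = json.loads(text)  # strict parser: trailing commas would be rejected here
    sync = cfg.get("sync")
    if sync is None:
        return ["<sync> section is mandatory"]
    if not _is_true(sync.get("enable", "false")):
        return []  # sync disabled: no other section is required
    problems = []
    for sec in ("ldap-service", "groups", "users"):
        if sec not in cfg:
            problems.append("<%s> is mandatory when sync is enabled" % sec)
    if ("accounting-groups" in cfg) == ("groups-partition" in cfg):
        problems.append("exactly one of <accounting-groups> and <groups-partition> must be present")
    svc = cfg.get("ldap-service", {})
    if not ENCRYPTED_RE.match(str(svc.get("auth-credentials", ""))):
        problems.append("<auth-credentials> is not in the {RSA/ECB/PKCS1Padding} encrypted form")
    if not _is_true(svc.get("use-ssl", "false")):
        problems.append("<use-ssl> is false: bind password and directory data travel in clear text")
    if _is_true(svc.get("ignore-ssl-cert-validation", "false")):
        problems.append("<ignore-ssl-cert-validation> is true: the LDAP server is not authenticated")
    return problems

# Constructed sample (not a real deployment): sync enabled, both account definitions present
# at once, plaintext bind password, SSL off and certificate validation disabled.
SAMPLE_WEAK = """{
  "sync": {"enable": "true", "auto": "true", "interval": "900000", "clean-deletion": "false"},
  "ldap-service": {"server-url": "ldap://localhost:7733", "auth-method": "simple",
                   "user-auth-method": "simple", "auth-principal": "cn=ldapadmin,dc=foo,dc=com",
                   "auth-credentials": "hunter2", "use-ssl": "false",
                   "ignore-ssl-cert-validation": "true"},
  "accounting-groups": {"base-dn": "ou=groups,dc=foo,dc=com"},
  "groups-partition": {"fooAccount": ["fooGroup1"]},
  "groups": {"base-dn": "ou=groups,dc=foo,dc=com"},
  "users": {"base-dn": "ou=people,dc=foo,dc=com"}
}"""

if __name__ == "__main__":
    for problem in lint_lic(SAMPLE_WEAK):
        print("-", problem)
```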