postgresml · AndrewJackson2020 · Sep 5, 2024 · Sep 7, 2024 · Sep 7, 2024
diff --git a/.circleci/glauth.cfg b/.circleci/glauth.cfg
@@ -0,0 +1,111 @@
+#################
+# glauth.conf
+
+#################
+# General configuration.
+debug = true
+
+[ldap]
+  enabled = true
+  # run on a non privileged port
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+#################
+# Tracing section controls the tracer configuration
+[tracing]
+  # if enabled is set to false, a no-op tracer will be used
+  enabled = true
+  # if both grpcEndpoint and httpEndpoint are unset, the default stdout provider will be used
+  # TODO add allowGRPCInsecure: right now grpc otlp is using the WithInsecure flag so traffic
+  # will always go without verifying server certificates
+  # grpcEndpoint = "otlp.monitoring.io:4317"
+  # httpEndpoint = "http://otlp.monitoring.io:4318"
+#################
+# The backend section controls the data store.
+[backend]
+  datastore = "config"
+  baseDN = "dc=example,dc=com"
+  nameformat = "cn"
+  groupformat = "ou"
+
+  # If you are using a client that requires reading the root DSE first
+  # such as SSSD
+  # anonymousdse = true
+
+  ## Configure dn format to use structures like
+  ## "uid=serviceuser,cn=svcaccts,$BASEDN" instead of "cn=serviceuser,ou=svcaccts,$BASEDN"
+  ## to help ease migrations from other LDAP systems
+  # nameformat = "uid"
+  # groupformat = "cn"
+
+  ## Configure ssh-key attribute name, default is 'sshPublicKey'
+  # sshkeyattr = "ipaSshPubKey"
+
+[behaviors]
+  # Ignore all capabilities restrictions, for instance allowing every user to perform a search
+  IgnoreCapabilities = false
+  # Enable a "fail2ban" type backoff mechanism temporarily banning repeated failed login attempts
+  LimitFailedBinds = true
+  # How many failed login attempts are allowed before a ban is imposed
+  NumberOfFailedBinds = 3
+  # How long (in seconds) is the window for failed login attempts
+  PeriodOfFailedBinds = 10
+  # How long (in seconds) is the ban duration
+  BlockFailedBindsFor = 60
+  # Clean learnt IP addresses every N seconds
+  PruneSourceTableEvery = 600
+  # Clean learnt IP addresses not seen in N seconds
+  PruneSourcesOlderThan = 600
+
+#################
+# The users section contains a hardcoded list of valid users.
+#   to create a passSHA256:   echo -n "mysecret" | openssl dgst -sha256
+[[users]]
+  name = "admin_user"
+  uidnumber = 5001
+  primarygroup = 5501
+  mail = "admin_user@example.com"
+  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+    [[users.capabilities]]
+    action = "search"
+    object = "dc=example,dc=com"
+
+# This user record shows all of the possible fields available
+[[users]]
+  name = "sharding_user"
+  givenname="John"
+  sn="Doe"
+  mail = "sharding_user@example.com"
+  uidnumber = 5002
+  primarygroup = 5501
+  loginShell = "/bin/sh"
+  homeDir = "/root"
+  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
+  sshkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3UKCEllO2IZXgqNygiVb+dDLJJwVw3AJwV34t2jzR+/tUNVeJ9XddKpYQektNHsFmY93lJw5QDSbeH/mAC4KPoUM47EriINKEelRbyG4hC/ko/e2JWqEclPS9LP7GtqGmscXXo4JFkqnKw4TIRD52XI9n1syYM9Y8rJ88fjC/Lpn+01AB0paLVIfppJU35t0Ho9doHAEfEvcQA6tcm7FLJUvklAxc8WUbdziczbRV40KzDroIkXAZRjX7vXXhh/p7XBYnA0GO8oTa2VY4dTQSeDAUJSUxbzevbL0ll9Gi1uYaTDQyE5gbn2NfJSqq0OYA+3eyGtIVjFYZgi+txSuhw== rsa-key-20160209"]
+  passappsha256 = [
+    "c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa", # TestAppPw1
+    "c9853d5f2599e90497e9f8cc671bd2022b0fb5d1bd7cfff92f079e8f8f02b8d3", # TestAppPw2
+    "4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88", # TestAppPw3
+  ]
+
+#################
+# The groups section contains a hardcoded list of valid users.
+[[groups]]
+  name = "superheros"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502
+
+[[groups]]
+  name = "vpn"
+  gidnumber = 5503
+  includegroups = [ 5501 ]
+
diff --git a/.circleci/pgcat_ldap.toml b/.circleci/pgcat_ldap.toml
@@ -0,0 +1,25 @@
+
+[general]
+host = "0.0.0.0"
+port = 6432
+admin_username = "admin_user"
+admin_password = ""
+admin_auth_type = "ldap"
+admin_auth_ldapurl = "ldap://127.0.0.1:3893"
+admin_auth_ldapsuffix  = "@example.com"
+
+[pools.sharded_db.users.0]
+username = "sharding_user"
+password = "sharding_user"
+auth_type = "ldap"
+auth_ldapurl = "ldap://127.0.0.1:3893"
+auth_ldapsuffix  = "@example.com"
+pool_size = 10
+min_pool_size = 1
+pool_mode = "transaction"
+
+[pools.sharded_db.shards.0]
+servers = [
+  [ "127.0.0.1", 5432, "primary" ],
+]
+database = "shard0"
diff --git a/.circleci/pgcat_trust.toml b/.circleci/pgcat_trust.toml
@@ -0,0 +1,21 @@
+
+[general]
+host = "0.0.0.0"
+port = 6432
+admin_username = "admin_user"
+admin_password = ""
+admin_auth_type = "trust"
+
+[pools.sharded_db.users.0]
+username = "sharding_user"
+password = "sharding_user"
+auth_type = "trust"
+pool_size = 10
+min_pool_size = 1
+pool_mode = "transaction"
+
+[pools.sharded_db.shards.0]
+servers = [
+  [ "127.0.0.1", 5432, "primary" ],
+]
+database = "shard0"