dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

docs(glauth): dev/test LDAP is now the shared GLAuth on 10.100.0.35

Browse Source 
infra/ no longer runs scadabridge-ldap (retired); central nodes bind the shared
zb-shared-glauth on 10.100.0.35:3893 (dc=zb,dc=local). Source of truth:
scadaproj/infra/glauth/. test_infra_ldap.md banner-marked SUPERSEDED.
This commit is contained in:
Joseph Doherty
2026-06-04 16:38:08 -04:00
parent 5ddb17a089
commit 35a4a5bfea
4 changed files with 27 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/test_infra/test_infra.md
+4 -4
View File
@@ -8,7 +8,7 @@ This document describes the local Docker-based test infrastructure for ScadaBrid
|---------|-------|---------|--------|-------------|
| OPC UA Server | `mcr.microsoft.com/iotedge/opc-plc:latest` | 50000 (OPC UA), 8080 (web) | `infra/opcua/nodes.json` | `infra/` |
| OPC UA Server 2 | `mcr.microsoft.com/iotedge/opc-plc:latest` | 50010 (OPC UA), 8081 (web) | `infra/opcua/nodes.json` | `infra/` |
| LDAP Server | `glauth/glauth:latest` | 3893 | `infra/glauth/config.toml` | `infra/` |
| LDAP Server | `glauth/glauth:latest` | 3893 | `scadaproj/infra/glauth/config.toml` | **Shared**`zb-shared-glauth` on `10.100.0.35`; NOT started by `infra/` stack (retired 2026-06-04). See `scadaproj/infra/glauth/`. |
| MS SQL 2022 | `mcr.microsoft.com/mssql/server:2022-latest` | 1433 | `infra/mssql/setup.sql` | `infra/` |
| SMTP (Mailpit) | `axllent/mailpit:latest` | 1025 (SMTP), 8025 (web) | Environment vars | `infra/` |
| REST API (Flask) | Custom build (`infra/restapi/Dockerfile`) | 5200 | `infra/restapi/app.py` | `infra/` |
@@ -65,7 +65,7 @@ For use in `appsettings.Development.json`:
"ScadaBridgeMachineData": "Server=localhost,1433;Database=ScadaBridgeMachineData;User Id=scadabridge_app;Password=ScadaBridge_Dev1#;TrustServerCertificate=true"
},
"Ldap": {
"Server": "localhost",
"Server": "10.100.0.35",
"Port": 3893,
"BaseDN": "dc=zb,dc=local",
"UseSsl": false
@@ -98,7 +98,7 @@ For use in `appsettings.Development.json`:
```bash
cd infra
docker compose down # stop containers, preserve SQL data volume
docker compose stop opcua # stop a single service (also: opcua2, ldap, mssql, smtp, restapi)
docker compose stop opcua # stop a single service (also: opcua2, mssql, smtp, restapi) # note: ldap is no longer a local service
```
**Full teardown** (removes volumes, optionally images and venv):
@@ -117,7 +117,7 @@ After a full teardown, the next `docker compose up -d` starts fresh — re-run t
infra/
docker-compose.yml # All seven services
teardown.sh # Teardown script (volumes, images, venv)
glauth/config.toml # LDAP users and groups
glauth/config.toml # LDAP users and groups — HISTORICAL (retired 2026-06-04); live config is scadaproj/infra/glauth/config.toml
mssql/setup.sql # Database and user creation
mssql/machinedata_seed.sql # Machine Data tables, stored procedures, sample data
opcua/nodes.json # Custom OPC UA tag definitions
docs/test_infra/test_infra_ldap.md
+17 -7
View File
@@ -1,5 +1,11 @@
# Test Infrastructure: LDAP Server
> **SUPERSEDED 2026-06-04** — ScadaBridge no longer runs its own glauth. Dev/test LDAP is now the
> shared GLAuth on **10.100.0.35:3893** (dc=zb,dc=local); source of truth and runbook:
> **`scadaproj/infra/glauth/`** (`~/Desktop/scadaproj/infra/glauth/config.toml`). The
> `scadabridge-ldap` container has been retired (commented out in `infra/docker-compose.yml`).
> The content below describes the retired local setup, kept for reference/rollback.
## Overview
The test LDAP server uses [GLAuth](https://glauth.github.io/), a lightweight LDAP server backed by a TOML config file. It provides test users and groups that map to ScadaBridge's role-based authorization model.
@@ -8,6 +14,7 @@ The test LDAP server uses [GLAuth](https://glauth.github.io/), a lightweight LDA
- **Image**: `glauth/glauth:latest`
- **LDAP port**: 3893 (plain LDAP, no TLS — dev only)
- **Host (shared)**: `10.100.0.35` — the shared `zb-shared-glauth` container on the Linux docker host (replaces `localhost` below)
## Base DN
@@ -58,16 +65,19 @@ The full DNs for all test users:
## Verification
1. Check the container is running:
1. Check the shared container is running (on the docker host):
```bash
docker ps --filter name=scadabridge-ldap
# The container now runs on 10.100.0.35 as zb-shared-glauth, not locally.
# To verify from the docker host:
# docker ps --filter name=zb-shared-glauth
# Formerly: docker ps --filter name=scadabridge-ldap (retired)
```
2. Test a user bind with `ldapsearch`:
2. Test a user bind with `ldapsearch` against the shared host:
```bash
ldapsearch -H ldap://localhost:3893 \
ldapsearch -H ldap://10.100.0.35:3893 \
-D "cn=admin,ou=SCADA-Admins,ou=users,dc=zb,dc=local" \
-w password \
-b "dc=zb,dc=local" \
@@ -77,7 +87,7 @@ ldapsearch -H ldap://localhost:3893 \
3. Search for group membership:
```bash
ldapsearch -H ldap://localhost:3893 \
ldapsearch -H ldap://10.100.0.35:3893 \
-D "cn=admin,ou=SCADA-Admins,ou=users,dc=zb,dc=local" \
-w password \
-b "dc=zb,dc=local" \
@@ -112,7 +122,7 @@ python infra/tools/ldap_tool.py groups
python infra/tools/ldap_tool.py search --filter "(cn=multi-role)"
```
Use `--host` and `--port` to override defaults (localhost:3893). Run with `--help` for full usage.
Use `--host 10.100.0.35 --port 3893` to point at the shared server. Run with `--help` for full usage.
## Relevance to ScadaBridge Components
@@ -122,6 +132,6 @@ Use `--host` and `--port` to override defaults (localhost:3893). Run with `--hel
## Notes
- GLAuth uses plain LDAP on port 3893. ScadaBridge's Security & Auth component requires LDAPS/StartTLS in production. For dev testing, configure the LDAP client to allow plaintext connections.
- To add users or groups, edit `infra/glauth/config.toml` locally and restart the container: `docker compose restart ldap`. Note that the file is named `config.toml` on the host but is mounted into the container as `/app/config/config.cfg` (the path GLAuth expects).
- To add users or groups, edit **`scadaproj/infra/glauth/config.toml`** (the shared source of truth at `~/Desktop/scadaproj/infra/glauth/config.toml`) and restart the `zb-shared-glauth` container on the docker host. **Do not edit the retired `ScadaBridge/infra/glauth/config.toml`** — that file is historical only. The config is mounted into the container as `/app/config/config.cfg` (the path GLAuth expects).
- The `admin` user is configured with `[[users.capabilities]]` (`action = "search"`, `object = "*"`) in the GLAuth config. This grants the admin account permission to perform LDAP search operations, which is required for user/group lookups.
- Anonymous bind is not allowed. All LDAP operations (including searches) require an authenticated bind. Use the `admin` account for search operations.