# GLAuth config for the Host.IntegrationTests real-LDAP mode (OTOPCUA_HARNESS_USE_LDAP=1). # # Replaces the retired bitnami/openldap:2.6 image (Bitnami deprecated their free catalog # in 2025) with GLAuth — the same LDAP server the rest of the project uses (docker-dev + # the live OPC UA data-plane auth, both against the shared GLAuth on 10.100.0.35:3893). # Unifying on GLAuth removes the lone OpenLDAP outlier and the gone-image breakage. # # Mirrors scadaproj/infra/glauth/config.toml (source of truth) but trimmed to the harness's # needs: baseDN dc=zb,dc=local, a search-capable service account, and two dev users # (alice = full-access, bob = read-only). Bind DN form is GLAuth's cn=,dc=zb,dc=local. # # Listens on :3893 inside the container; the compose maps host :3894 -> :3893 so this runs # side-by-side with docker-dev's shared GLAuth (:3893) without a port clash. [ldap] enabled = true listen = "0.0.0.0:3893" [ldaps] enabled = false [backend] datastore = "config" baseDN = "dc=zb,dc=local" [behaviors] # Tests may bind bad passwords on purpose (outage / wrong-cred paths) — don't lock out. LimitFailedBinds = false # ── Groups (gidnumbers match scadaproj/infra/glauth so GroupToRole maps identically) ── [[groups]] name = "ReadOnly" gidnumber = 5601 [[groups]] name = "WriteOperate" gidnumber = 5602 [[groups]] name = "WriteTune" gidnumber = 5603 [[groups]] name = "WriteConfigure" gidnumber = 5604 [[groups]] name = "AlarmAck" gidnumber = 5605 # ── Users ───────────────────────────────────────────────────────────── # Service account the harness binds first to search for the user entry. # DN: cn=serviceaccount,dc=zb,dc=local password: serviceaccount123 [[users]] name = "serviceaccount" uidnumber = 5999 primarygroup = 5601 passsha256 = "af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419" [[users.capabilities]] action = "search" object = "*" # alice — full access (member of every write/ack role group). password: alice123 [[users]] name = "alice" givenname = "Alice" sn = "Admin" mail = "alice@zb.local" uidnumber = 5010 primarygroup = 5604 othergroups = [5601, 5602, 5603, 5605] passsha256 = "4e40e8ffe0ee32fa53e139147ed559229a5930f89c2204706fc174beb36210b3" # bob — read-only. password: bob123 [[users]] name = "bob" givenname = "Bob" sn = "Reader" mail = "bob@zb.local" uidnumber = 5011 primarygroup = 5601 passsha256 = "8d059c3640b97180dd2ee453e20d34ab0cb0f2eccbe87d01915a8e578a202b11"