Files
lmxopcua/tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/glauth/config.toml
T
Joseph Doherty 3a48eb0c70
v2-ci / build (pull_request) Successful in 4m13s
v2-ci / unit-tests (pull_request) Failing after 10m18s
fix(harness): swap retired bitnami/openldap for GLAuth in the Host real-LDAP mode
The Host.IntegrationTests opt-in real-LDAP mode (OTOPCUA_HARNESS_USE_LDAP=1)
used bitnami/openldap:2.6, gone since Bitnami deprecated their free image
catalog in 2025. Replaced it with GLAuth — the same LDAP server the rest of
the project already uses (docker-dev + the live OPC UA data-plane auth, both
against the shared GLAuth on :3893) — removing the lone OpenLDAP outlier and
the gone-image breakage.

- Added tests/.../Host.IntegrationTests/glauth/config.toml: baseDN dc=zb,dc=local,
  a search-capable serviceaccount, dev users alice (full access) / bob (read-only),
  and role groups with the same gidnumbers as scadaproj/infra/glauth so GroupToRole
  maps identically.
- Compose ldap service -> glauth/glauth:latest, mounting the config, host :3894 -> :3893.
- Repointed the harness real-LDAP override from the OpenLDAP cn=admin/ldapadmin to
  GLAuth's cn=serviceaccount/serviceaccount123.

Live-verified against a deployed container on :3894: the serviceaccount bind
searches and returns alice + her 5 memberOf groups; alice/bob bind with the
correct password; a wrong password yields Invalid credentials (49) — exactly the
OtOpcUaLdapAuthService flow (proven identical to the data-plane's shared-GLAuth path).

NB: real-LDAP mode is opt-in; the default Host run uses StubLdapAuthService, so
this never blocked the default suite. Integration-sweep follow-up #6 (LDAP leg);
the amd64-emulated-SQL deadline leg remains open.
2026-07-15 06:03:50 -04:00

79 lines
2.6 KiB
TOML

# GLAuth config for the Host.IntegrationTests real-LDAP mode (OTOPCUA_HARNESS_USE_LDAP=1).
#
# Replaces the retired bitnami/openldap:2.6 image (Bitnami deprecated their free catalog
# in 2025) with GLAuth — the same LDAP server the rest of the project uses (docker-dev +
# the live OPC UA data-plane auth, both against the shared GLAuth on 10.100.0.35:3893).
# Unifying on GLAuth removes the lone OpenLDAP outlier and the gone-image breakage.
#
# Mirrors scadaproj/infra/glauth/config.toml (source of truth) but trimmed to the harness's
# needs: baseDN dc=zb,dc=local, a search-capable service account, and two dev users
# (alice = full-access, bob = read-only). Bind DN form is GLAuth's cn=<name>,dc=zb,dc=local.
#
# Listens on :3893 inside the container; the compose maps host :3894 -> :3893 so this runs
# side-by-side with docker-dev's shared GLAuth (:3893) without a port clash.
[ldap]
enabled = true
listen = "0.0.0.0:3893"
[ldaps]
enabled = false
[backend]
datastore = "config"
baseDN = "dc=zb,dc=local"
[behaviors]
# Tests may bind bad passwords on purpose (outage / wrong-cred paths) — don't lock out.
LimitFailedBinds = false
# ── Groups (gidnumbers match scadaproj/infra/glauth so GroupToRole maps identically) ──
[[groups]]
name = "ReadOnly"
gidnumber = 5601
[[groups]]
name = "WriteOperate"
gidnumber = 5602
[[groups]]
name = "WriteTune"
gidnumber = 5603
[[groups]]
name = "WriteConfigure"
gidnumber = 5604
[[groups]]
name = "AlarmAck"
gidnumber = 5605
# ── Users ─────────────────────────────────────────────────────────────
# Service account the harness binds first to search for the user entry.
# DN: cn=serviceaccount,dc=zb,dc=local password: serviceaccount123
[[users]]
name = "serviceaccount"
uidnumber = 5999
primarygroup = 5601
passsha256 = "af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419"
[[users.capabilities]]
action = "search"
object = "*"
# alice — full access (member of every write/ack role group). password: alice123
[[users]]
name = "alice"
givenname = "Alice"
sn = "Admin"
mail = "alice@zb.local"
uidnumber = 5010
primarygroup = 5604
othergroups = [5601, 5602, 5603, 5605]
passsha256 = "4e40e8ffe0ee32fa53e139147ed559229a5930f89c2204706fc174beb36210b3"
# bob — read-only. password: bob123
[[users]]
name = "bob"
givenname = "Bob"
sn = "Reader"
mail = "bob@zb.local"
uidnumber = 5011
primarygroup = 5601
passsha256 = "8d059c3640b97180dd2ee453e20d34ab0cb0f2eccbe87d01915a8e578a202b11"