3a48eb0c70
The Host.IntegrationTests opt-in real-LDAP mode (OTOPCUA_HARNESS_USE_LDAP=1) used bitnami/openldap:2.6, gone since Bitnami deprecated their free image catalog in 2025. Replaced it with GLAuth — the same LDAP server the rest of the project already uses (docker-dev + the live OPC UA data-plane auth, both against the shared GLAuth on :3893) — removing the lone OpenLDAP outlier and the gone-image breakage. - Added tests/.../Host.IntegrationTests/glauth/config.toml: baseDN dc=zb,dc=local, a search-capable serviceaccount, dev users alice (full access) / bob (read-only), and role groups with the same gidnumbers as scadaproj/infra/glauth so GroupToRole maps identically. - Compose ldap service -> glauth/glauth:latest, mounting the config, host :3894 -> :3893. - Repointed the harness real-LDAP override from the OpenLDAP cn=admin/ldapadmin to GLAuth's cn=serviceaccount/serviceaccount123. Live-verified against a deployed container on :3894: the serviceaccount bind searches and returns alice + her 5 memberOf groups; alice/bob bind with the correct password; a wrong password yields Invalid credentials (49) — exactly the OtOpcUaLdapAuthService flow (proven identical to the data-plane's shared-GLAuth path). NB: real-LDAP mode is opt-in; the default Host run uses StubLdapAuthService, so this never blocked the default suite. Integration-sweep follow-up #6 (LDAP leg); the amd64-emulated-SQL deadline leg remains open.
79 lines
2.6 KiB
TOML
79 lines
2.6 KiB
TOML
# GLAuth config for the Host.IntegrationTests real-LDAP mode (OTOPCUA_HARNESS_USE_LDAP=1).
|
|
#
|
|
# Replaces the retired bitnami/openldap:2.6 image (Bitnami deprecated their free catalog
|
|
# in 2025) with GLAuth — the same LDAP server the rest of the project uses (docker-dev +
|
|
# the live OPC UA data-plane auth, both against the shared GLAuth on 10.100.0.35:3893).
|
|
# Unifying on GLAuth removes the lone OpenLDAP outlier and the gone-image breakage.
|
|
#
|
|
# Mirrors scadaproj/infra/glauth/config.toml (source of truth) but trimmed to the harness's
|
|
# needs: baseDN dc=zb,dc=local, a search-capable service account, and two dev users
|
|
# (alice = full-access, bob = read-only). Bind DN form is GLAuth's cn=<name>,dc=zb,dc=local.
|
|
#
|
|
# Listens on :3893 inside the container; the compose maps host :3894 -> :3893 so this runs
|
|
# side-by-side with docker-dev's shared GLAuth (:3893) without a port clash.
|
|
|
|
[ldap]
|
|
enabled = true
|
|
listen = "0.0.0.0:3893"
|
|
|
|
[ldaps]
|
|
enabled = false
|
|
|
|
[backend]
|
|
datastore = "config"
|
|
baseDN = "dc=zb,dc=local"
|
|
|
|
[behaviors]
|
|
# Tests may bind bad passwords on purpose (outage / wrong-cred paths) — don't lock out.
|
|
LimitFailedBinds = false
|
|
|
|
# ── Groups (gidnumbers match scadaproj/infra/glauth so GroupToRole maps identically) ──
|
|
[[groups]]
|
|
name = "ReadOnly"
|
|
gidnumber = 5601
|
|
[[groups]]
|
|
name = "WriteOperate"
|
|
gidnumber = 5602
|
|
[[groups]]
|
|
name = "WriteTune"
|
|
gidnumber = 5603
|
|
[[groups]]
|
|
name = "WriteConfigure"
|
|
gidnumber = 5604
|
|
[[groups]]
|
|
name = "AlarmAck"
|
|
gidnumber = 5605
|
|
|
|
# ── Users ─────────────────────────────────────────────────────────────
|
|
# Service account the harness binds first to search for the user entry.
|
|
# DN: cn=serviceaccount,dc=zb,dc=local password: serviceaccount123
|
|
[[users]]
|
|
name = "serviceaccount"
|
|
uidnumber = 5999
|
|
primarygroup = 5601
|
|
passsha256 = "af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419"
|
|
[[users.capabilities]]
|
|
action = "search"
|
|
object = "*"
|
|
|
|
# alice — full access (member of every write/ack role group). password: alice123
|
|
[[users]]
|
|
name = "alice"
|
|
givenname = "Alice"
|
|
sn = "Admin"
|
|
mail = "alice@zb.local"
|
|
uidnumber = 5010
|
|
primarygroup = 5604
|
|
othergroups = [5601, 5602, 5603, 5605]
|
|
passsha256 = "4e40e8ffe0ee32fa53e139147ed559229a5930f89c2204706fc174beb36210b3"
|
|
|
|
# bob — read-only. password: bob123
|
|
[[users]]
|
|
name = "bob"
|
|
givenname = "Bob"
|
|
sn = "Reader"
|
|
mail = "bob@zb.local"
|
|
uidnumber = 5011
|
|
primarygroup = 5601
|
|
passsha256 = "8d059c3640b97180dd2ee453e20d34ab0cb0f2eccbe87d01915a8e578a202b11"
|