# Test Infrastructure: LDAP Server

## Overview

The test LDAP server uses [GLAuth](https://glauth.github.io/), a lightweight LDAP server backed by a TOML config file. It provides test users and groups that map to ScadaLink's role-based authorization model.

## Image & Ports

- **Image**: `glauth/glauth:latest`
- **LDAP port**: 3893 (plain LDAP, no TLS — dev only)

## Base DN

```
dc=scadalink,dc=local
```

## Test Users

All users have the password `password`.

| Username | Email | Primary Group | Additional Groups | ScadaLink Role |
|----------|-------|---------------|-------------------|----------------|
| `admin` | admin@scadalink.local | SCADA-Admins | — | Full administrator |
| `designer` | designer@scadalink.local | SCADA-Designers | — | Template designer |
| `deployer` | deployer@scadalink.local | SCADA-Deploy-All | — | Deploy to all sites |
| `site-deployer` | site-deployer@scadalink.local | SCADA-Deploy-SiteA | — | Deploy to SiteA only |
| `multi-role` | multi-role@scadalink.local | SCADA-Admins | SCADA-Designers, SCADA-Deploy-All | Multiple roles |

## Groups

| Group | GID | Purpose |
|-------|-----|---------|
| SCADA-Admins | 5501 | Full administrative access |
| SCADA-Designers | 5502 | Template creation and editing |
| SCADA-Deploy-All | 5503 | Deploy to any site |
| SCADA-Deploy-SiteA | 5504 | Deploy to SiteA only (site-scoped) |

## User DNs

Users bind with their full DN, which includes the primary group as an OU:

```
cn=<username>,ou=<primary-group>,ou=users,dc=scadalink,dc=local
```

For example: `cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local`

The full DNs for all test users:

| Username | Full DN |
|----------|---------|
| `admin` | `cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local` |
| `designer` | `cn=designer,ou=SCADA-Designers,ou=users,dc=scadalink,dc=local` |
| `deployer` | `cn=deployer,ou=SCADA-Deploy-All,ou=users,dc=scadalink,dc=local` |
| `site-deployer` | `cn=site-deployer,ou=SCADA-Deploy-SiteA,ou=users,dc=scadalink,dc=local` |
| `multi-role` | `cn=multi-role,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local` |

## Verification

1. Check the container is running:

   ```bash
   docker ps --filter name=scadalink-ldap
   ```

2. Test a user bind with `ldapsearch`:

   ```bash
   ldapsearch -H ldap://localhost:3893 \
     -D "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local" \
     -w password \
     -b "dc=scadalink,dc=local" \
     "(objectClass=*)"
   ```

3. Search for group membership:

   ```bash
   ldapsearch -H ldap://localhost:3893 \
     -D "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local" \
     -w password \
     -b "dc=scadalink,dc=local" \
     "(cn=multi-role)"
   ```

## CLI Tool

The `infra/tools/ldap_tool.py` script provides a convenient CLI for interacting with the LDAP server.

**Install dependencies** (one-time):

```bash
pip install -r infra/tools/requirements.txt
```

**Commands**:

```bash
# Check LDAP connectivity and list entries
python infra/tools/ldap_tool.py check

# Test user authentication
python infra/tools/ldap_tool.py bind --user designer --password password

# List all users with group memberships
python infra/tools/ldap_tool.py users

# List all groups with members
python infra/tools/ldap_tool.py groups

# Search with an arbitrary LDAP filter
python infra/tools/ldap_tool.py search --filter "(cn=multi-role)"
```

Use `--host` and `--port` to override the defaults (localhost:3893). Run with `--help` for full usage.

## Relevance to ScadaLink Components

- **Security & Auth** — test LDAP bind authentication, group-to-role mapping, and multi-group resolution.
- **Central UI** — test login flows with different role combinations.

## Notes

- GLAuth uses plain LDAP on port 3893. ScadaLink's Security & Auth component requires LDAPS/StartTLS in production. For dev testing, configure the LDAP client to allow plaintext connections.
- To add users or groups, edit `infra/glauth/config.toml` locally and restart the container: `docker compose restart ldap`. Note that the file is named `config.toml` on the host but is mounted into the container as `/app/config/config.cfg` (the path GLAuth expects).
- The `admin` user is configured with `[[users.capabilities]]` (`action = "search"`, `object = "*"`) in the GLAuth config. This grants the admin account permission to perform LDAP search operations, which is required for user/group lookups.
- Anonymous bind is not allowed. All LDAP operations (including searches) require an authenticated bind. Use the `admin` account for search operations.
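The following is an added, stand-alone example (not part of `ldap_tool.py` or the ScadaLink code base) showing the bind-DN construction and the group-to-role mapping with multi-group and site-scoped resolution that the tables above describe. The role names, the `memberOf` DN shape (`ou=<group>,ou=groups,<base>`), and the sample entries are assumptions modelled on this README, not output captured from the server.

```python
import re

BASE_DN = "dc=scadalink,dc=local"
STATIC_ROLES = {"SCADA-Admins": "admin", "SCADA-Designers": "designer"}  # assumed role names
DEPLOY_RE = re.compile(r"^SCADA-Deploy-(?P<scope>\w+)$")  # 'All' or a site name


def user_dn(username, primary_group):
    """Build the bind DN exactly as the User DNs section describes."""
    return f"cn={username},ou={primary_group},ou=users,{BASE_DN}"


def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, leaving backslash-escaped commas intact."""
    return [tuple(rdn.split("=", 1)) for rdn in re.split(r"(?<!\\),", dn)]


def groups_of(entry):
    """Primary group is the first ou of the user DN; extra groups come from memberOf
    (assumed to be ou=<group>,ou=groups,<base>, as returned by the test server)."""
    groups = {parse_dn(entry["dn"])[1][1]}
    for group_dn in entry.get("memberOf", []):
        groups.add(parse_dn(group_dn)[0][1])
    return groups


def resolve_roles(groups):
    """Multi-group resolution: union of every group's role; unknown groups grant nothing.
    Deploy groups become 'deploy:<scope>', with 'All' mapped to the wildcard '*'."""
    roles = set()
    for group in groups:
        if group in STATIC_ROLES:
            roles.add(STATIC_ROLES[group])
            continue
        match = DEPLOY_RE.match(group)
        if match:
            scope = match.group("scope")
            roles.add("deploy:*" if scope == "All" else f"deploy:{scope}")
    return roles


def can_deploy(roles, site):
    """Site-scoped check: a wildcard deploy role or an exact site scope."""
    return "deploy:*" in roles or f"deploy:{site}" in roles


# Constructed sample entries shaped like a search result for the README's test users.
SAMPLE_ENTRIES = {
    "multi-role": {"dn": user_dn("multi-role", "SCADA-Admins"),
                   "memberOf": [f"ou=SCADA-Designers,ou=groups,{BASE_DN}",
                                f"ou=SCADA-Deploy-All,ou=groups,{BASE_DN}"]},
    "site-deployer": {"dn": user_dn("site-deployer", "SCADA-Deploy-SiteA")},
}


def roles_for(username):
    return resolve_roles(groups_of(SAMPLE_ENTRIES[username]))
```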