scadalink-design/docs/test_infra/test_infra_ldap.md

Test Infrastructure: LDAP Server

Overview

The test LDAP server uses GLAuth, a lightweight LDAP server backed by a TOML config file. It provides test users and groups that map to ScadaLink's role-based authorization model.

Image & Ports

• Image: glauth/glauth:latest
• LDAP port: 3893 (plain LDAP, no TLS — dev only)

Base DN

dc=scadalink,dc=local

Test Users

All users have the password password.

Username	Email	Primary Group	Additional Groups	ScadaLink Role
admin	admin@scadalink.local	SCADA-Admins	—	Full administrator
designer	designer@scadalink.local	SCADA-Designers	—	Template designer
deployer	deployer@scadalink.local	SCADA-Deploy-All	—	Deploy to all sites
site-deployer	site-deployer@scadalink.local	SCADA-Deploy-SiteA	—	Deploy to SiteA only
multi-role	multi-role@scadalink.local	SCADA-Admins	SCADA-Designers, SCADA-Deploy-All	Multiple roles

Groups

Group	GID	Purpose
SCADA-Admins	5501	Full administrative access
SCADA-Designers	5502	Template creation and editing
SCADA-Deploy-All	5503	Deploy to any site
SCADA-Deploy-SiteA	5504	Deploy to SiteA only (site-scoped)

User DNs

Users bind with their full DN, which includes the primary group as an OU:

cn=<username>,ou=<PrimaryGroupName>,ou=users,dc=scadalink,dc=local

For example: cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local

The full DNs for all test users:

Username	Full DN
admin	cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local
designer	cn=designer,ou=SCADA-Designers,ou=users,dc=scadalink,dc=local
deployer	cn=deployer,ou=SCADA-Deploy-All,ou=users,dc=scadalink,dc=local
site-deployer	cn=site-deployer,ou=SCADA-Deploy-SiteA,ou=users,dc=scadalink,dc=local
multi-role	cn=multi-role,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local

Verification

1. Check the container is running:

docker ps --filter name=scadalink-ldap

2. Test a user bind with ldapsearch:

ldapsearch -H ldap://localhost:3893 \
  -D "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local" \
  -w password \
  -b "dc=scadalink,dc=local" \
  "(objectClass=*)"

3. Search for group membership:

ldapsearch -H ldap://localhost:3893 \
  -D "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local" \
  -w password \
  -b "dc=scadalink,dc=local" \
  "(cn=multi-role)"

CLI Tool

The infra/tools/ldap_tool.py script provides a convenient CLI for interacting with the LDAP server.

Install dependencies (one-time):

pip install -r infra/tools/requirements.txt

Commands:

# Check LDAP connectivity and list entries
python infra/tools/ldap_tool.py check

# Test user authentication
python infra/tools/ldap_tool.py bind --user designer --password password

# List all users with group memberships
python infra/tools/ldap_tool.py users

# List all groups with members
python infra/tools/ldap_tool.py groups

# Search with an arbitrary LDAP filter
python infra/tools/ldap_tool.py search --filter "(cn=multi-role)"

Use --host and --port to override defaults (localhost:3893). Run with --help for full usage.

Relevance to ScadaLink Components

• Security & Auth — test LDAP bind authentication, group-to-role mapping, and multi-group resolution.
• Central UI — test login flows with different role combinations.

Notes

• GLAuth uses plain LDAP on port 3893. ScadaLink's Security & Auth component requires LDAPS/StartTLS in production. For dev testing, configure the LDAP client to allow plaintext connections.
• To add users or groups, edit infra/glauth/config.toml locally and restart the container: docker compose restart ldap. Note that the file is named config.toml on the host but is mounted into the container as /app/config/config.cfg (the path GLAuth expects).
• The admin user is configured with [[users.capabilities]] (action = "search", object = "*") in the GLAuth config. This grants the admin account permission to perform LDAP search operations, which is required for user/group lookups.
• Anonymous bind is not allowed. All LDAP operations (including searches) require an authenticated bind. Use the admin account for search operations.