scadalink-design/test_infra_ldap.md
Joseph Doherty 652378b470 Add test infrastructure with Docker services, CLI tools, and resolve Phase 0 questions
Stand up local dev infrastructure (OPC UA, LDAP, MS SQL) with Docker Compose,
Python CLI tools for service interaction, and teardown script. Fix GLAuth config
mount, OPC PLC node format, and document actual DN/namespace behavior discovered
during testing. Resolve Q1-Q8,Q10: .NET 10, Akka.NET 1.5.x, monorepo with slnx,
appsettings JWT, Windows Server 2022 site target.
2026-03-16 14:03:12 -04:00


# Test Infrastructure: LDAP Server
## Overview
The test LDAP server uses [GLAuth](https://glauth.github.io/), a lightweight LDAP server backed by a TOML config file. It provides test users and groups that map to ScadaLink's role-based authorization model.
## Image & Ports
- **Image**: `glauth/glauth:latest`
- **LDAP port**: 3893 (plain LDAP, no TLS — dev only)
## Base DN
```
dc=scadalink,dc=local
```
## Test Users
All users have the password `password`.
| Username | Email | Primary Group | Additional Groups | ScadaLink Role |
|----------|-------|---------------|-------------------|----------------|
| `admin` | admin@scadalink.local | SCADA-Admins | — | Full administrator |
| `designer` | designer@scadalink.local | SCADA-Designers | — | Template designer |
| `deployer` | deployer@scadalink.local | SCADA-Deploy-All | — | Deploy to all sites |
| `site-deployer` | site-deployer@scadalink.local | SCADA-Deploy-SiteA | — | Deploy to SiteA only |
| `multi-role` | multi-role@scadalink.local | SCADA-Admins | SCADA-Designers, SCADA-Deploy-All | Multiple roles |
## Groups
| Group | GID | Purpose |
|-------|-----|---------|
| SCADA-Admins | 5501 | Full administrative access |
| SCADA-Designers | 5502 | Template creation and editing |
| SCADA-Deploy-All | 5503 | Deploy to any site |
| SCADA-Deploy-SiteA | 5504 | Deploy to SiteA only (site-scoped) |
## User DNs
Users bind with their full DN, which includes the primary group as an OU:
```
cn=<username>,ou=<PrimaryGroupName>,ou=users,dc=scadalink,dc=local
```
For example: `cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local`
The full DNs for all test users:
| Username | Full DN |
|----------|---------|
| `admin` | `cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local` |
| `designer` | `cn=designer,ou=SCADA-Designers,ou=users,dc=scadalink,dc=local` |
| `deployer` | `cn=deployer,ou=SCADA-Deploy-All,ou=users,dc=scadalink,dc=local` |
| `site-deployer` | `cn=site-deployer,ou=SCADA-Deploy-SiteA,ou=users,dc=scadalink,dc=local` |
| `multi-role` | `cn=multi-role,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local` |
## Verification
1. Check the container is running:
```bash
docker ps --filter name=scadalink-ldap
```
2. Test a user bind with `ldapsearch`:
```bash
ldapsearch -H ldap://localhost:3893 \
  -D "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local" \
  -w password \
  -b "dc=scadalink,dc=local" \
  "(objectClass=*)"
```
3. Search for group membership:
```bash
ldapsearch -H ldap://localhost:3893 \
  -D "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local" \
  -w password \
  -b "dc=scadalink,dc=local" \
  "(cn=multi-role)"
```
## CLI Tool
The `infra/tools/ldap_tool.py` script provides a convenient CLI for interacting with the LDAP server.
**Install dependencies** (one-time):
```bash
pip install -r infra/tools/requirements.txt
```
**Commands**:
```bash
# Check LDAP connectivity and list entries
python infra/tools/ldap_tool.py check
# Test user authentication
python infra/tools/ldap_tool.py bind --user designer --password password
# List all users with group memberships
python infra/tools/ldap_tool.py users
# List all groups with members
python infra/tools/ldap_tool.py groups
# Search with an arbitrary LDAP filter
python infra/tools/ldap_tool.py search --filter "(cn=multi-role)"
```
Use `--host` and `--port` to override defaults (localhost:3893). Run with `--help` for full usage.
## Relevance to ScadaLink Components
- **Security & Auth** — test LDAP bind authentication, group-to-role mapping, and multi-group resolution.
- **Central UI** — test login flows with different role combinations.
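The DN pattern from the User DNs section and the group-to-role mapping exercised here can be checked against the fixtures without a running container. The following is an added example, not ScadaLink's own code: the role names (`admin`, `designer`, `deploy:*`, `deploy:SiteA`), the `GROUP_ROLES` table and the `TEST_USERS` membership list are assumptions built from the tables on this page, and the RDN escaping is RFC 4514, included so that a username containing `,` or `=` cannot splice extra RDNs into the bind DN.

```python
"""Added example (not ScadaLink's code): build GLAuth user DNs and resolve
ScadaLink roles from group names, using the test fixtures on this page."""
import re

BASE_DN = "dc=scadalink,dc=local"

# Group-to-role mapping taken from the Test Users / Groups tables (role names assumed).
GROUP_ROLES = {
    "SCADA-Admins": "admin",
    "SCADA-Designers": "designer",
    "SCADA-Deploy-All": "deploy:*",
    "SCADA-Deploy-SiteA": "deploy:SiteA",
}

# Constructed copy of the test users' memberships, primary group listed first.
TEST_USERS = {
    "admin": ["SCADA-Admins"],
    "designer": ["SCADA-Designers"],
    "deployer": ["SCADA-Deploy-All"],
    "site-deployer": ["SCADA-Deploy-SiteA"],
    "multi-role": ["SCADA-Admins", "SCADA-Designers", "SCADA-Deploy-All"],
}


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping so an attribute value cannot inject extra RDNs."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dn(username: str, primary_group: str) -> str:
    """cn=<username>,ou=<PrimaryGroupName>,ou=users,dc=scadalink,dc=local"""
    cn = escape_rdn_value(username)
    ou = escape_rdn_value(primary_group)
    return f"cn={cn},ou={ou},ou=users,{BASE_DN}"


def resolve_roles(groups) -> set:
    """Union of roles over every group (primary and additional); unknown groups grant nothing."""
    return {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}


def can_deploy(roles, site: str) -> bool:
    """Deploy-All covers any site; a site-scoped group covers only its own site."""
    return "deploy:*" in roles or f"deploy:{site}" in roles
```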
## Notes
- GLAuth uses plain LDAP on port 3893. ScadaLink's Security & Auth component requires LDAPS/StartTLS in production. For dev testing, configure the LDAP client to allow plaintext connections.
- To add users or groups, edit `infra/glauth/config.toml` locally and restart the container: `docker compose restart ldap`. Note that the file is named `config.toml` on the host but is mounted into the container as `/app/config/config.cfg` (the path GLAuth expects).
- The `admin` user is configured with `[[users.capabilities]]` (`action = "search"`, `object = "*"`) in the GLAuth config. This grants the admin account permission to perform LDAP search operations, which is required for user/group lookups.
- Anonymous bind is not allowed. All LDAP operations (including searches) require an authenticated bind. Use the `admin` account for search operations.