feat(glauth): merged shared dev GLAuth directory + compose + runbook (10.100.0.35)

Phase 0 of the shared-GLAuth standardization. config.toml = merged dc=zb,dc=local directory (15 groups in partitioned 55xx/56xx/57xx families, 14 users incl. multi-role spanning all groups, serviceaccount search account). compose runs one glauth/glauth:latest on :3893. README is the deploy/verify runbook. Code-reviewed; fixed scp -r idempotency in the deploy command (README + plan Task 4).
2026-06-04 15:45:41 -04:00
parent 5be0cec601
commit 0f2b2b8351
4 changed files with 275 additions and 3 deletions
@@ -0,0 +1,165 @@
+[ldap]
+  enabled = true
+  listen = "0.0.0.0:3893"
+
+[ldaps]
+  enabled = false
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=zb,dc=local"
+
+[behaviors]
+  # Dev: do not lock out on failed binds (avoids surprises during testing).
+  LimitFailedBinds = false
+
+# ── Groups ───────────────────────────────────────────────────────────
+# ScadaBridge role groups (55xx) — DB-mapped (LdapGroupMappings)
+[[groups]]
+  name = "SCADA-Admins"
+  gidnumber = 5501
+[[groups]]
+  name = "SCADA-Designers"
+  gidnumber = 5502
+[[groups]]
+  name = "SCADA-Deploy-All"
+  gidnumber = 5503
+[[groups]]
+  name = "SCADA-Deploy-SiteA"
+  gidnumber = 5504
+[[groups]]
+  name = "SCADA-Viewers"
+  gidnumber = 5505
+
+# OPC-UA permission groups (560x) — OtOpcUa + MxGateway OPC write model
+[[groups]]
+  name = "ReadOnly"
+  gidnumber = 5601
+[[groups]]
+  name = "WriteOperate"
+  gidnumber = 5602
+[[groups]]
+  name = "WriteTune"
+  gidnumber = 5603
+[[groups]]
+  name = "WriteConfigure"
+  gidnumber = 5604
+[[groups]]
+  name = "AlarmAck"
+  gidnumber = 5605
+
+# MxGateway dashboard groups (561x) — config-mapped (GroupToRole)
+[[groups]]
+  name = "GwAdmin"
+  gidnumber = 5610
+[[groups]]
+  name = "GwReader"
+  gidnumber = 5611
+
+# OtOpcUa AdminUI role groups (57xx) — DB-mapped (LdapGroupRoleMapping)
+[[groups]]
+  name = "OtOpcUa-Admins"
+  gidnumber = 5701
+[[groups]]
+  name = "OtOpcUa-Designers"
+  gidnumber = 5702
+[[groups]]
+  name = "OtOpcUa-Viewers"
+  gidnumber = 5703
+
+# ── Users ────────────────────────────────────────────────────────────
+# All passwords are "password" except serviceaccount ("serviceaccount123").
+# sha256("password")          = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
+# sha256("serviceaccount123") = af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419
+
+# The single bind account every app uses (search-then-bind).
+[[users]]
+  name = "serviceaccount"
+  uidnumber = 5999
+  primarygroup = 5601
+  passsha256 = "af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419"
+    [[users.capabilities]]
+    action = "search"
+    object = "*"
+
+# Cross-app: member of EVERY group → all roles in all three apps.
+[[users]]
+  name = "multi-role"
+  givenname = "Multi"
+  sn = "Role"
+  mail = "multi-role@zb.local"
+  uidnumber = 5005
+  primarygroup = 5501
+  othergroups = [5502, 5503, 5504, 5505, 5601, 5602, 5603, 5604, 5605, 5610, 5611, 5701, 5702, 5703]
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+
+# Administrator everywhere (admin-equivalent of each app).
+[[users]]
+  name = "admin"
+  uidnumber = 5001
+  primarygroup = 5501
+  othergroups = [5610, 5701]
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+
+# ScadaBridge single-role testers
+[[users]]
+  name = "designer"
+  uidnumber = 5002
+  primarygroup = 5502
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "deployer"
+  uidnumber = 5003
+  primarygroup = 5503
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "site-deployer"
+  uidnumber = 5004
+  primarygroup = 5504
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+
+# MxGateway dashboard Viewer tester
+[[users]]
+  name = "gwreader"
+  uidnumber = 5106
+  primarygroup = 5611
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+
+# OPC-UA permission testers
+[[users]]
+  name = "readonly"
+  uidnumber = 5101
+  primarygroup = 5601
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "writeop"
+  uidnumber = 5102
+  primarygroup = 5602
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "writetune"
+  uidnumber = 5103
+  primarygroup = 5603
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "writeconfig"
+  uidnumber = 5104
+  primarygroup = 5604
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "alarmack"
+  uidnumber = 5105
+  primarygroup = 5605
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+
+# OtOpcUa single-role testers (admin covers OtOpcUa-Admins)
+[[users]]
+  name = "otdesigner"
+  uidnumber = 5202
+  primarygroup = 5702
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+[[users]]
+  name = "otviewer"
+  uidnumber = 5203
+  primarygroup = 5703
+  passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"