diff --git a/infra/glauth/README.md b/infra/glauth/README.md
index 4b0e749..2300024 100644
--- a/infra/glauth/README.md
+++ b/infra/glauth/README.md
@@ -26,9 +26,14 @@ each app maps only its own family and ignores the rest.
 uses for search-then-bind. Has a `search *` capability.
 - **`multi-role`** — member of **every** group → all roles in all three apps (canonical cross-app login).
 - **`admin`** — `SCADA-Admins` + `GwAdmin` + `OtOpcUa-Admins` → Administrator everywhere.
-- Per-role testers: `designer` / `deployer` / `site-deployer` (ScadaBridge); `gwreader`
- (MxGateway Viewer); `otdesigner` / `otviewer` (OtOpcUa); `readonly` / `writeop` / `writetune`
- / `writeconfig` / `alarmack` (OPC perms).
+- Per-role testers: `designer` / `deployer` / `site-deployer` (ScadaBridge); `gw-viewer`
+ (MxGateway Viewer); `otdesigner` / `otviewer` (OtOpcUa); `opc-readonly` / `opc-writeop` /
+ `opc-writetune` / `opc-writeconfig` / `opc-alarmack` (OPC perms).
+
+> **Naming rule:** a tester username must **not** case-collide with a group name. GLAuth exposes
+> each group as `cn=` under `ou=users`, so a case-insensitive `(cn=x)` search would match
+> both the user and the group (two entries → the shared lib's "exactly one entry" rule fails the
+> bind). That's why the OPC/Gw testers are `opc-*` / `gw-viewer`, not `readonly` / `gwreader`.
 ## Deploy on `10.100.0.35`
diff --git a/infra/glauth/config.toml b/infra/glauth/config.toml
index c044936..18cabc1 100644
--- a/infra/glauth/config.toml
+++ b/infra/glauth/config.toml
@@ -118,36 +118,40 @@ primarygroup = 5504
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
-# MxGateway dashboard Viewer tester
+# MxGateway dashboard Viewer tester.
+# NOTE: tester usernames must NOT case-collide with a group name — glauth exposes
+# each group as cn= under ou=users, so a case-insensitive (cn=X) search
+# would match both the user and the group (ambiguous → auth fails). Hence gw-viewer
+# (not "gwreader" which collides with the GwReader group), opc-* below, etc.
 [[users]]
- name = "gwreader"
+ name = "gw-viewer"
 uidnumber = 5106
 primarygroup = 5611
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
 # OPC-UA permission testers
 [[users]]
- name = "readonly"
+ name = "opc-readonly"
 uidnumber = 5101
 primarygroup = 5601
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
 [[users]]
- name = "writeop"
+ name = "opc-writeop"
 uidnumber = 5102
 primarygroup = 5602
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
 [[users]]
- name = "writetune"
+ name = "opc-writetune"
 uidnumber = 5103
 primarygroup = 5603
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
 [[users]]
- name = "writeconfig"
+ name = "opc-writeconfig"
 uidnumber = 5104
 primarygroup = 5604
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
 [[users]]
- name = "alarmack"
+ name = "opc-alarmack"
 uidnumber = 5105
 primarygroup = 5605
 passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
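Review bot: Every tester in this hunk, including the OPC write/config accounts, keeps the same `passsha256` value, `5e884898…1542d8`, which is the unsalted SHA-256 of the literal string "password", and the README in this same commit has a "Deploy on `10.100.0.35`" section, so anyone who can reach that LDAP port can bind as `opc-writeconfig` with a known password. If these accounts exist anywhere beyond a throwaway test harness, give each one a distinct generated secret (GLAuth's bcrypt password field, if the deployed version supports it, also avoids the unsalted hash) or strip them from the deployed config. The collision rule added in the new comment is only prose; a CI check that lowercases every user `name` and fails on a match against the lowercased group `name`s would keep someone from re-adding `readonly` later. I would also qualify `(ambiguous → auth fails)`: the bind fails only because the shared lib insists on exactly one search hit, and a client that takes the first entry would silently bind the wrong one, which is worth saying so nobody relaxes that rule.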