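# glauth configuration for the local development stack (ScadaBridge,
# MxGateway, OtOpcUa all authenticate against this directory).
#
# DEV ONLY. Everything in this file is deliberately weak so the three apps can
# be exercised against a predictable directory: plaintext LDAP, no bind
# lockout, shared well-known passwords, unsalted SHA-256 hashes. Do not reuse
# this file, these hashes or these accounts on anything reachable from a
# non-development network.

[ldap]
enabled = true
# Plaintext LDAP bound to every interface. Every bind password - including
# the serviceaccount password that each app sends on every login - crosses
# the wire unencrypted, so port 3893 must stay confined to the dev host or
# the compose/dev network it is started in.
listen = "0.0.0.0:3893"

[ldaps]
# TLS is off. Enable it (and point the apps at ldaps://) before this config
# leaves a developer machine.
enabled = false

[backend]
datastore = "config"
baseDN = "dc=zb,dc=local"

[behaviors]
# Dev: no lockout on failed binds, so a mistyped test password cannot wedge a
# shared test account mid-session. This also switches off glauth's
# failed-bind limiter, which is one more reason the listener must not be
# exposed beyond the dev network.
LimitFailedBinds = false

# ── Groups ───────────────────────────────────────────────────────────
# Every gidnumber must stay unique. The mappings named in the section
# comments below key on these groups, so renumbering or renaming one means
# updating the matching mapping in the consuming app as well.

# ScadaBridge role groups (55xx) — DB-mapped (LdapGroupMappings)
[[groups]]
name = "SCADA-Admins"
gidnumber = 5501

[[groups]]
name = "SCADA-Designers"
gidnumber = 5502

[[groups]]
name = "SCADA-Deploy-All"
gidnumber = 5503

[[groups]]
name = "SCADA-Deploy-SiteA"
gidnumber = 5504

[[groups]]
name = "SCADA-Viewers"
gidnumber = 5505

# OPC-UA permission groups (560x) — OtOpcUa + MxGateway OPC write model
[[groups]]
name = "ReadOnly"
gidnumber = 5601

[[groups]]
name = "WriteOperate"
gidnumber = 5602

[[groups]]
name = "WriteTune"
gidnumber = 5603

[[groups]]
name = "WriteConfigure"
gidnumber = 5604

[[groups]]
name = "AlarmAck"
gidnumber = 5605

# MxGateway dashboard groups (561x) — config-mapped (GroupToRole)
[[groups]]
name = "GwAdmin"
gidnumber = 5610

[[groups]]
name = "GwReader"
gidnumber = 5611

# OtOpcUa AdminUI role groups (57xx) — DB-mapped (LdapGroupRoleMapping)
[[groups]]
name = "OtOpcUa-Admins"
gidnumber = 5701

[[groups]]
name = "OtOpcUa-Designers"
gidnumber = 5702

[[groups]]
name = "OtOpcUa-Viewers"
gidnumber = 5703

# ── Users ────────────────────────────────────────────────────────────
# All passwords are "password" except serviceaccount ("serviceaccount123").
# sha256("password")          = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
# sha256("serviceaccount123") = af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419
#
# passsha256 is a plain, unsalted SHA-256 of the password: the "password" hash
# above is in every public lookup table, and anyone who can read this file can
# verify a guess offline. Acceptable for throwaway dev fixtures only; real
# deployments need unique passwords and a hash format with a work factor
# (check which the target glauth build supports before relying on it).
#
# uidnumber layout (keep unique): 5001-5005 ScadaBridge testers,
# 51xx OPC-UA/MxGateway testers, 52xx OtOpcUa testers, 5999 bind account.

# The single bind account every app uses (search-then-bind).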
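[[users]]
# The one bind DN every app uses for search-then-bind, and the only account
# whose password is not "password". Its primary group is 5601 (ReadOnly), so
# if this account is ever used to log in to an app - rather than only to
# bind - it also resolves as an OPC-UA ReadOnly member. Harmless in dev, but
# a dedicated no-rights group would be cleaner before this layout is copied
# anywhere else.
name = "serviceaccount"
uidnumber = 5999
primarygroup = 5601
passsha256 = "af29d0e5c9801ae98a999ed3915e1cf428a64b4b62b3cf221b6336cce0398419"

[[users.capabilities]]
# Required for search-then-bind: the account has to look up any user's DN
# before the user's own bind. object = "*" scopes that right to the whole
# tree, so whoever holds the serviceaccount password can enumerate every
# user and group below baseDN.
action = "search"
object = "*"

# Cross-app: member of EVERY group -> all roles in all three apps.
# othergroups lists every group except the primary one (5501); use this
# account to exercise the "union of roles" path in each app.
[[users]]
name = "multi-role"
givenname = "Multi"
sn = "Role"
mail = "multi-role@zb.local"
uidnumber = 5005
primarygroup = 5501
othergroups = [
    5502, 5503, 5504, 5505,
    5601, 5602, 5603, 5604, 5605,
    5610, 5611,
    5701, 5702, 5703,
]
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# Administrator everywhere: the admin-equivalent group of each app
# (SCADA-Admins, GwAdmin, OtOpcUa-Admins) and nothing else.
[[users]]
name = "admin"
uidnumber = 5001
primarygroup = 5501  # SCADA-Admins
othergroups = [5610, 5701]  # GwAdmin, OtOpcUa-Admins
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# ScadaBridge single-role testers: exactly one 55xx group each, so a test
# that sees extra rights knows the mapping (not the fixture) is at fault.
[[users]]
name = "designer"
uidnumber = 5002
primarygroup = 5502  # SCADA-Designers
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "deployer"
uidnumber = 5003
primarygroup = 5503  # SCADA-Deploy-All
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "site-deployer"
uidnumber = 5004
primarygroup = 5504  # SCADA-Deploy-SiteA
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# MxGateway dashboard Viewer tester.
# NOTE: tester usernames must NOT case-collide with a group name. glauth
# exposes each group as a cn= entry under ou=users, so a case-insensitive
# (cn=X) search from the baseDN would return both the user and the group;
# the ambiguous result makes authentication fail. Hence "gw-viewer" rather
# than "gwreader" (which would collide with the GwReader group), the "opc-*"
# names below, and so on. Check this before adding any new tester.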
# MxGateway dashboard Viewer tester. The uid continues the 51xx run used by
# the OPC-UA testers below.
[[users]]
name = "gw-viewer"
uidnumber = 5106
primarygroup = 5611  # GwReader
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# OPC-UA permission testers: one 560x group each, so every write tier and
# the alarm-ack right can be checked in isolation.
[[users]]
name = "opc-readonly"
uidnumber = 5101
primarygroup = 5601  # ReadOnly
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "opc-writeop"
uidnumber = 5102
primarygroup = 5602  # WriteOperate
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "opc-writetune"
uidnumber = 5103
primarygroup = 5603  # WriteTune
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "opc-writeconfig"
uidnumber = 5104
primarygroup = 5604  # WriteConfigure
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "opc-alarmack"
uidnumber = 5105
primarygroup = 5605  # AlarmAck
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# OtOpcUa single-role testers. There is no separate OtOpcUa-Admins tester;
# the "admin" account covers that role.
[[users]]
name = "otdesigner"
uidnumber = 5202
primarygroup = 5702  # OtOpcUa-Designers
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

[[users]]
name = "otviewer"
uidnumber = 5203
primarygroup = 5703  # OtOpcUa-Viewers
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"