From 7d21f8d5dfec7b7884b3da94058b774e7e60c21a Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Sat, 25 Mar 2017 18:42:48 +0100
Subject: [PATCH] Edit README to make the user add more subdomains in /etc/hosts for testing the example locally
---
README.md | 29 ++++++++++++++++++++---------
config.template.yml | 14 +++++++++-----
2 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 03501cef..52d8e0a3 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,9 @@ Add the following lines to your /etc/hosts to simulate multiple subdomains 127.0.0.1 secret.test.local 127.0.0.1 secret1.test.local 127.0.0.1 secret2.test.local + 127.0.0.1 home.test.local + 127.0.0.1 mx1.mail.test.local + 127.0.0.1 mx2.mail.test.local 127.0.0.1 auth.test.local Then, type the following command to build and deploy the services: 
@@ -48,20 +51,28 @@ Then, type the following command to build and deploy the services: docker-compose up -d After few seconds the services should be running and you should be able to visit -[https://secret.test.local:8080/](https://secret.test.local:8080/). +[https://home.test.local:8080/](https://home.test.local:8080/). Normally, a self-signed certificate exception should appear, it has to be accepted before getting to the login page: ![first-factor-page](https://raw.githubusercontent.com/clems4ever/authelia/master/images/first_factor.png) -### 1st factor: LDAP -An LDAP server has been deployed for you with the following credentials: +### 1st factor: LDAP and ACL +An LDAP server has been deployed for you with the following credentials and +access control list: -- **john/password** is in the admin group and has access to every subdomain. -- **bob/password** is in the dev group and has only access to *secret2.test.local* -- **harry/password** is not in a group but has access to *secret1.test.local* -as per the configuration file. +- **john / password** is in the admin group and has access to the secret from +any subdomain. +- **bob / password** is in the dev group and has access to the secret from + - [secret.test.local](https://secret.test.local:8080/secret.html) + - [secret2.test.local](https://secret2.test.local:8080/secret.html) + - [home.test.local](https://home.test.local:8080/secret.html) + - [\*.mail.test.local](https://mx1.mail.test.local:8080/secret.html) +- **harry / password** is not in a group but has rules giving him has access to + the secret from + - [secret1.test.local](https://secret1.test.local:8080/secret.html) + - [home.test.local](https://home.test.local:8080/secret.html) Type them in the login page and validate. Then, the second factor page should have appeared as shown below. 
@@ -107,8 +118,8 @@ Paste the link in your browser and you should be able to reset the password. ### Access Control With **Authelia**, you can define your own access control rules for restricting the access to certain subdomains to your users. Those rules are defined in the -configuration file and are per-user or per-group. Check out the -*config.template.yml* to see how they are defined. +configuration file and can be either default, per-user or per-group policies. +Check out the *config.template.yml* to see how they are defined. ## Documentation ### Configuration
diff --git a/config.template.yml b/config.template.yml
index 789e6108..a70c8d3c 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -36,12 +36,16 @@ ldap: # Access Control # -# Access control is a set of rules where you can specify a group-based -# subdomain restrictions. +# Access control is a set of rules you can use to restrict the user access. +# Default (anyone), per-user or per-group rules can be defined. # -# If access_control is not defined, ACL rules are disabled and default policy -# is allowed to everyone. -# Otherwise, the default policy is denied for any user and any subdomain. +# If 'access_control' is not defined, ACL rules are disabled and default policy +# is applied, i.e., access is allowed to anyone. Otherwise restrictions follow +# the rules defined below. +# If no rule is provided, all domains are denied. +# +# '*' means 'any' subdomains and matches any string. It must stand at the +# beginning of the pattern. access_control: default: - home.test.local
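Review bot: The new wildcard comment in config.template.yml (`'*' means 'any' subdomains and matches any string`) does not say whether the rest of the pattern must match the full remainder of the host name, nor whether `*` may span label boundaries, e.g. whether `*.mail.test.local` also matches `a.b.mail.test.local` or `mail.test.local` itself; since these rules decide who reaches a protected subdomain, the template should state the exact semantics as implemented, which cannot be told from the hunk. Suggest replacing the two `'*'` lines with a comment that answers both questions and gives one example per case, after confirming against the matcher. The sentence `If 'access_control' is not defined, ACL rules are disabled and default policy is applied, i.e., access is allowed to anyone` describes a fail-open default, so a one-line warning such as `# Omitting this whole section (not just its rules) allows access to anyone.` would make an accidentally dropped section harder to miss. Minor wording: `'any' subdomains` reads better as `any subdomain`.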