Edit README to make the user add more subdomains in /etc/hosts for testing the example locally

This commit is contained in:
Clement Michaud 2017-03-25 18:42:48 +01:00
parent b403cfe2f8
commit 7d21f8d5df
2 changed files with 29 additions and 14 deletions

View File

@ -40,6 +40,9 @@ Add the following lines to your /etc/hosts to simulate multiple subdomains
127.0.0.1 secret.test.local 127.0.0.1 secret.test.local
127.0.0.1 secret1.test.local 127.0.0.1 secret1.test.local
127.0.0.1 secret2.test.local 127.0.0.1 secret2.test.local
127.0.0.1 home.test.local
127.0.0.1 mx1.mail.test.local
127.0.0.1 mx2.mail.test.local
127.0.0.1 auth.test.local 127.0.0.1 auth.test.local
Then, type the following command to build and deploy the services: Then, type the following command to build and deploy the services:
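Review bot: the new hosts entries list mx1.mail.test.local and mx2.mail.test.local individually while the ACL text later in this README refers to `*.mail.test.local`; since /etc/hosts has no wildcard support, a sentence here saying that every subdomain used in the examples must be listed explicitly (the wildcard only exists on the Authelia rule side) would save readers a failed lookup when they try another host under mail.test.local.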
@ -48,20 +51,28 @@ Then, type the following command to build and deploy the services:
docker-compose up -d docker-compose up -d
After few seconds the services should be running and you should be able to visit After few seconds the services should be running and you should be able to visit
[https://secret.test.local:8080/](https://secret.test.local:8080/). [https://home.test.local:8080/](https://home.test.local:8080/).
Normally, a self-signed certificate exception should appear, it has to be Normally, a self-signed certificate exception should appear, it has to be
accepted before getting to the login page: accepted before getting to the login page:
![first-factor-page](https://raw.githubusercontent.com/clems4ever/authelia/master/images/first_factor.png) ![first-factor-page](https://raw.githubusercontent.com/clems4ever/authelia/master/images/first_factor.png)
### 1st factor: LDAP ### 1st factor: LDAP and ACL
An LDAP server has been deployed for you with the following credentials: An LDAP server has been deployed for you with the following credentials and
access control list:
- **john/password** is in the admin group and has access to every subdomain. - **john / password** is in the admin group and has access to the secret from
- **bob/password** is in the dev group and has only access to *secret2.test.local* any subdomain.
- **harry/password** is not in a group but has access to *secret1.test.local* - **bob / password** is in the dev group and has access to the secret from
as per the configuration file. - [secret.test.local](https://secret.test.local:8080/secret.html)
- [secret2.test.local](https://secret2.test.local:8080/secret.html)
- [home.test.local](https://home.test.local:8080/secret.html)
- [\*.mail.test.local](https://mx1.mail.test.local:8080/secret.html)
- **harry / password** is not in a group but has rules giving him has access to
the secret from
- [secret1.test.local](https://secret1.test.local:8080/secret.html)
- [home.test.local](https://home.test.local:8080/secret.html)
Type them in the login page and validate. Then, the second factor page should Type them in the login page and validate. Then, the second factor page should
have appeared as shown below. have appeared as shown below.
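Review bot: typo in the harry bullet, "has rules giving him has access to" has a duplicated "has"; suggest "has rules giving him access to". In the same hunk, "After few seconds" should read "After a few seconds", and the `\*.mail.test.local` link points only at mx1.mail.test.local, so consider mentioning that mx2.mail.test.local (also added to /etc/hosts above) is covered by the same wildcard rule.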
@ -107,8 +118,8 @@ Paste the link in your browser and you should be able to reset the password.
### Access Control ### Access Control
With **Authelia**, you can define your own access control rules for restricting With **Authelia**, you can define your own access control rules for restricting
the access to certain subdomains to your users. Those rules are defined in the the access to certain subdomains to your users. Those rules are defined in the
configuration file and are per-user or per-group. Check out the configuration file and can be either default, per-user or per-group policies.
*config.template.yml* to see how they are defined. Check out the *config.template.yml* to see how they are defined.
## Documentation ## Documentation
### Configuration ### Configuration
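Review bot: "can be either default, per-user or per-group policies" would be more useful if it also said how the three combine, i.e. whether a per-user or per-group rule adds to the default list or replaces it, because the config template comment only says restrictions "follow the rules defined below"; a reader comparing what john, bob and harry can reach in the example needs that precedence to be stated once.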

View File

@ -36,12 +36,16 @@ ldap:
# Access Control # Access Control
# #
# Access control is a set of rules where you can specify a group-based # Access control is a set of rules you can use to restrict the user access.
# subdomain restrictions. # Default (anyone), per-user or per-group rules can be defined.
# #
# If access_control is not defined, ACL rules are disabled and default policy # If 'access_control' is not defined, ACL rules are disabled and default policy
# is allowed to everyone. # is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# Otherwise, the default policy is denied for any user and any subdomain. # the rules defined below.
# If no rule is provided, all domains are denied.
#
# '*' means 'any' subdomains and matches any string. It must stand at the
# beginning of the pattern.
access_control: access_control:
default: default:
- home.test.local - home.test.local
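Review bot: the two fallback cases read inconsistently and the first is fail-open: an absent 'access_control' key allows every subdomain to anyone, whereas a present key with no rules denies all domains. Suggest stating the fail-open case more prominently, e.g. "WARNING: omitting access_control disables all restrictions", so that a configuration which accidentally loses the block is noticed in review. The '*' comment also says it "matches any string" at the beginning of the pattern; please state whether '*.mail.test.local' matches 'mail.test.local' itself and whether the match is anchored at the dot boundary, since that decides which hostnames a wildcard rule actually admits.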