authelia/internal/configuration/schema/authentication.go
James Elliott 29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uniform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into its own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00


package schema
// LDAPAuthenticationBackendConfiguration is the schema for the LDAP
// authentication backend settings; each field is bound to its configuration
// key through the mapstructure tag.
//
// The value carries the bind credentials (User and Password) as plain strings,
// so it should not be logged or dumped wholesale.
type LDAPAuthenticationBackendConfiguration struct {
	// Server selection. The default configuration declared in this file sets
	// Implementation to LDAPImplementationCustom.
	Implementation string `mapstructure:"implementation"`
	URL            string `mapstructure:"url"`

	// Search scope and filters. The Active Directory defaults in this file use
	// the placeholders {input}, {username_attribute}, {mail_attribute} and {dn}
	// inside the filter strings.
	// NOTE(review): {input} presumably receives the value typed at login; the
	// code that substitutes it (not visible here) must escape LDAP filter
	// metacharacters before building the query - confirm.
	BaseDN             string `mapstructure:"base_dn"`
	AdditionalUsersDN  string `mapstructure:"additional_users_dn"`
	UsersFilter        string `mapstructure:"users_filter"`
	AdditionalGroupsDN string `mapstructure:"additional_groups_dn"`
	GroupsFilter       string `mapstructure:"groups_filter"`

	// Names of the directory attributes read for groups and users.
	GroupNameAttribute   string `mapstructure:"group_name_attribute"`
	UsernameAttribute    string `mapstructure:"username_attribute"`
	MailAttribute        string `mapstructure:"mail_attribute"`
	DisplayNameAttribute string `mapstructure:"display_name_attribute"`

	// Bind credentials. Password is a secret: keep it out of logs, error
	// messages and configuration dumps.
	User     string `mapstructure:"user"`
	Password string `mapstructure:"password"`

	// Transport security. TLS is a pointer, so an absent `tls` section can
	// leave it nil; the default configuration in this file pre-populates it.
	// NOTE(review): StartTLS presumably upgrades a plain ldap:// connection
	// before binding - confirm against the LDAP provider.
	StartTLS bool       `mapstructure:"start_tls"`
	TLS      *TLSConfig `mapstructure:"tls"`

	// Deprecated: Replaced with LDAPAuthenticationBackendConfiguration.TLS.SkipVerify.
	// TODO: Remove in 4.28.
	//
	// NOTE(review): by its name this turns off server certificate
	// verification, which would let an on-path host impersonate the directory
	// and receive the bind password; treat any configuration that enables it
	// as test-only.
	SkipVerify *bool `mapstructure:"skip_verify"`

	// Deprecated: Replaced with LDAPAuthenticationBackendConfiguration.TLS.MinimumVersion.
	// TODO: Remove in 4.28.
	MinimumTLSVersion string `mapstructure:"minimum_tls_version"`
}
// FileAuthenticationBackendConfiguration is the schema for the file-based
// authentication backend.
type FileAuthenticationBackendConfiguration struct {
	// Path is bound to the `path` key.
	// NOTE(review): presumably the location of the user database file; since
	// that file would hold password hashes, its permissions deserve a check
	// at deployment time - confirm.
	Path string `mapstructure:"path"`

	// Password holds the hashing parameters; it is a pointer, so it can be
	// nil when the `password` section is not provided.
	Password *PasswordConfiguration `mapstructure:"password"`
}
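// PasswordConfiguration holds the password hashing parameters, each bound to
// its configuration key through the mapstructure tag.
//
// The defaults declared in this file populate every field for argon2id and
// only Iterations, SaltLength and Algorithm for "sha512".
//
// NOTE(review): the unit of Memory and the valid ranges of the numeric fields
// are not visible in this file; they are presumably enforced by the
// configuration validator - confirm before relying on them.
type PasswordConfiguration struct {
	Iterations  int    `mapstructure:"iterations"`
	KeyLength   int    `mapstructure:"key_length"`
	SaltLength  int    `mapstructure:"salt_length"`
	Algorithm   string `mapstructure:"algorithm"`
	Memory      int    `mapstructure:"memory"`
	Parallelism int    `mapstructure:"parallelism"`
}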
// AuthenticationBackendConfiguration is the top-level schema for the
// authentication backend section: two general switches plus one optional
// sub-section per backend type.
type AuthenticationBackendConfiguration struct {
	// General options.
	// NOTE(review): RefreshInterval is kept as a string; its accepted format
	// is not visible in this file - confirm against the validator.
	DisableResetPassword bool   `mapstructure:"disable_reset_password"`
	RefreshInterval      string `mapstructure:"refresh_interval"`

	// Backend sections. Both are pointers, so either can be nil when its
	// section is absent from the configuration.
	Ldap *LDAPAuthenticationBackendConfiguration `mapstructure:"ldap"`
	File *FileAuthenticationBackendConfiguration `mapstructure:"file"`
}
// DefaultPasswordConfiguration is the default parameter set used for Argon2id
// password hashing.
//
// NOTE(review): the unit of Memory is not stated in this file. The cost of the
// default depends on it (1024 with a single iteration), so confirm the unit
// against the hashing code before tuning these values down.
var DefaultPasswordConfiguration = PasswordConfiguration{
	Algorithm: argon2id,

	// Cost parameters.
	Iterations:  1,
	Memory:      1024,
	Parallelism: 8,

	// Output sizes.
	KeyLength:  32,
	SaltLength: 16,
}
// DefaultCIPasswordConfiguration is the Argon2id parameter set used for CI.
//
// It differs from DefaultPasswordConfiguration only in Memory (128 instead of
// 1024), i.e. it is a cheaper setting; it should not be reused as a
// production hashing profile.
var DefaultCIPasswordConfiguration = PasswordConfiguration{
	Algorithm: argon2id,

	// Cost parameters (reduced memory).
	Iterations:  1,
	Memory:      128,
	Parallelism: 8,

	// Output sizes.
	KeyLength:  32,
	SaltLength: 16,
}
// DefaultPasswordSHA512Configuration is the default parameter set used for
// SHA512 password hashing.
//
// Only Algorithm, Iterations and SaltLength are set; KeyLength, Memory and
// Parallelism keep their zero values.
var DefaultPasswordSHA512Configuration = PasswordConfiguration{
	Algorithm:  "sha512",
	SaltLength: 16,
	Iterations: 50000,
}
// DefaultLDAPAuthenticationBackendConfiguration is the default LDAP
// configuration: the custom implementation, conventional attribute names and
// a TLS section whose minimum version is TLS 1.2.
//
// TLS is a pointer inside a package-level value, so every copy of this struct
// shares the same TLSConfig; code that applies defaults should copy the
// TLSConfig rather than mutate it through the copy.
var DefaultLDAPAuthenticationBackendConfiguration = LDAPAuthenticationBackendConfiguration{
	Implementation: LDAPImplementationCustom,

	// Attribute names.
	GroupNameAttribute:   "cn",
	UsernameAttribute:    "uid",
	MailAttribute:        "mail",
	DisplayNameAttribute: "displayname",

	// Transport security floor.
	TLS: &TLSConfig{MinimumVersion: "TLS1.2"},
}
// DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration
// is the default LDAP configuration for the Microsoft Active Directory
// implementation.
//
// It sets only the filters and attribute names; Implementation and TLS are
// left at their zero values here.
// NOTE(review): presumably the TLS minimum version is filled in from the
// custom defaults elsewhere - confirm, otherwise this profile has no TLS floor.
var DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration = LDAPAuthenticationBackendConfiguration{
	// Attribute names.
	GroupNameAttribute:   "cn",
	UsernameAttribute:    "sAMAccountName",
	MailAttribute:        "mail",
	DisplayNameAttribute: "displayName",

	// The users filter matches the input against the username or mail
	// attribute and restricts results to person/user objects. The
	// userAccountControl clause uses the bitwise-AND matching rule with value 2
	// to exclude disabled accounts, and (!pwdLastSet=0) excludes accounts whose
	// password must be changed at next logon.
	// NOTE(review): {input} must be escaped for LDAP filter syntax by the
	// substitution code, which is not visible in this file - confirm.
	UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))",

	// The groups filter selects group objects that list the user's DN as a member.
	GroupsFilter: "(&(member={dn})(objectClass=group))",
}