mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
426f5260ad
* add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
93 lines
4.1 KiB
Go
93 lines
4.1 KiB
Go
package schema
|
|
|
|
// LDAPAuthenticationBackendConfiguration represents the configuration related to LDAP server.
|
|
type LDAPAuthenticationBackendConfiguration struct {
|
|
Implementation string `mapstructure:"implementation"`
|
|
URL string `mapstructure:"url"`
|
|
SkipVerify bool `mapstructure:"skip_verify"`
|
|
StartTLS bool `mapstructure:"start_tls"`
|
|
MinimumTLSVersion string `mapstructure:"minimum_tls_version"`
|
|
BaseDN string `mapstructure:"base_dn"`
|
|
AdditionalUsersDN string `mapstructure:"additional_users_dn"`
|
|
UsersFilter string `mapstructure:"users_filter"`
|
|
AdditionalGroupsDN string `mapstructure:"additional_groups_dn"`
|
|
GroupsFilter string `mapstructure:"groups_filter"`
|
|
GroupNameAttribute string `mapstructure:"group_name_attribute"`
|
|
UsernameAttribute string `mapstructure:"username_attribute"`
|
|
MailAttribute string `mapstructure:"mail_attribute"`
|
|
DisplayNameAttribute string `mapstructure:"display_name_attribute"`
|
|
User string `mapstructure:"user"`
|
|
Password string `mapstructure:"password"`
|
|
}
|
|
|
|
// FileAuthenticationBackendConfiguration represents the configuration related to file-based backend.
|
|
type FileAuthenticationBackendConfiguration struct {
|
|
Path string `mapstructure:"path"`
|
|
Password *PasswordConfiguration `mapstructure:"password"`
|
|
}
|
|
|
|
// PasswordConfiguration represents the configuration related to password hashing.
|
|
type PasswordConfiguration struct {
|
|
Iterations int `mapstructure:"iterations"`
|
|
KeyLength int `mapstructure:"key_length"`
|
|
SaltLength int `mapstructure:"salt_length"`
|
|
Algorithm string `mapstrucutre:"algorithm"`
|
|
Memory int `mapstructure:"memory"`
|
|
Parallelism int `mapstructure:"parallelism"`
|
|
}
|
|
|
|
// AuthenticationBackendConfiguration represents the configuration related to the authentication backend.
|
|
type AuthenticationBackendConfiguration struct {
|
|
DisableResetPassword bool `mapstructure:"disable_reset_password"`
|
|
RefreshInterval string `mapstructure:"refresh_interval"`
|
|
Ldap *LDAPAuthenticationBackendConfiguration `mapstructure:"ldap"`
|
|
File *FileAuthenticationBackendConfiguration `mapstructure:"file"`
|
|
}
|
|
|
|
// DefaultPasswordConfiguration represents the default configuration related to Argon2id hashing.
|
|
var DefaultPasswordConfiguration = PasswordConfiguration{
|
|
Iterations: 1,
|
|
KeyLength: 32,
|
|
SaltLength: 16,
|
|
Algorithm: argon2id,
|
|
Memory: 1024,
|
|
Parallelism: 8,
|
|
}
|
|
|
|
// DefaultCIPasswordConfiguration represents the default configuration related to Argon2id hashing for CI.
|
|
var DefaultCIPasswordConfiguration = PasswordConfiguration{
|
|
Iterations: 1,
|
|
KeyLength: 32,
|
|
SaltLength: 16,
|
|
Algorithm: argon2id,
|
|
Memory: 128,
|
|
Parallelism: 8,
|
|
}
|
|
|
|
// DefaultPasswordSHA512Configuration represents the default configuration related to SHA512 hashing.
|
|
var DefaultPasswordSHA512Configuration = PasswordConfiguration{
|
|
Iterations: 50000,
|
|
SaltLength: 16,
|
|
Algorithm: "sha512",
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfiguration represents the default LDAP config.
|
|
var DefaultLDAPAuthenticationBackendConfiguration = LDAPAuthenticationBackendConfiguration{
|
|
Implementation: LDAPImplementationCustom,
|
|
UsernameAttribute: "uid",
|
|
MailAttribute: "mail",
|
|
DisplayNameAttribute: "displayname",
|
|
GroupNameAttribute: "cn",
|
|
MinimumTLSVersion: "TLS1.2",
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration represents the default LDAP config for the MSAD Implementation.
|
|
var DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration = LDAPAuthenticationBackendConfiguration{
|
|
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))",
|
|
UsernameAttribute: "sAMAccountName",
|
|
MailAttribute: "mail",
|
|
DisplayNameAttribute: "displayName",
|
|
GroupsFilter: "(&(member={dn})(objectClass=group))",
|
|
GroupNameAttribute: "cn",
|
|
}
|