2016-03-21 21:42:39 +00:00
|
|
|
[authentication]
|
2016-03-29 09:29:15 +00:00
|
|
|
# The authentiction backend specifies how the user is authenticated,
|
|
|
|
# in case of 'pam' simplepam.authenticate is used to authenticate against
|
|
|
|
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
|
|
|
|
# user against eg. Active Directory or Samba4.
|
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
backends = pam
|
2016-03-29 09:29:15 +00:00
|
|
|
;backends = kerberos
|
|
|
|
;backends = ldap
|
|
|
|
;backends = kerberos ldap
|
|
|
|
;backends = kerberos pam
|
2017-01-25 09:43:19 +00:00
|
|
|
ldap uri = ldaps://dc1.example.com
|
2016-03-21 21:42:39 +00:00
|
|
|
|
|
|
|
[accounts]
|
2016-03-29 09:29:15 +00:00
|
|
|
# The accounts backend specifies how the user's given name, surname and e-mail
|
|
|
|
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
|
2017-01-25 09:43:19 +00:00
|
|
|
# in case of 'ldap' a search is performed on LDAP server specified by ldap uri
|
2016-09-17 21:00:14 +00:00
|
|
|
# with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME
|
2017-01-20 10:56:46 +00:00
|
|
|
# If certidude setup authority was performed correctly the credential cache should be
|
|
|
|
# updated automatically by /etc/cron.hourly/certidude
|
2016-03-29 09:29:15 +00:00
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
backend = posix
|
2016-03-29 09:29:15 +00:00
|
|
|
;backend = ldap
|
2017-01-20 10:56:46 +00:00
|
|
|
ldap gssapi credential cache = /run/certidude/krb5cc
|
2017-01-25 09:43:19 +00:00
|
|
|
ldap uri = ldap://dc1.example.com
|
|
|
|
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %}
|
2016-03-21 21:42:39 +00:00
|
|
|
|
2015-12-12 22:34:08 +00:00
|
|
|
[authorization]
|
2016-03-29 09:29:15 +00:00
|
|
|
# The authorization backend specifies how the users are authorized.
|
|
|
|
# In case of 'posix' simply group membership is asserted,
|
|
|
|
# in case of 'ldap' search filter with username as placeholder is applied.
|
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
backend = posix
|
2016-03-27 21:00:41 +00:00
|
|
|
posix user group = users
|
|
|
|
posix admin group = sudo
|
2016-03-29 09:29:15 +00:00
|
|
|
|
|
|
|
;backend = ldap
|
|
|
|
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
|
2016-03-31 21:01:58 +00:00
|
|
|
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
|
2016-03-29 19:03:27 +00:00
|
|
|
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))
|
2016-03-29 09:29:15 +00:00
|
|
|
|
|
|
|
# Users are allowed to log in from user subnets
|
2016-03-21 21:42:39 +00:00
|
|
|
user subnets = 0.0.0.0/0
|
2016-03-29 09:29:15 +00:00
|
|
|
|
|
|
|
# Authority administrators are allowed to sign and revoke certificates from these subnets
|
2016-03-21 21:42:39 +00:00
|
|
|
admin subnets = 0.0.0.0/0
|
2016-03-29 09:29:15 +00:00
|
|
|
|
|
|
|
# Certificate signing requests are allowed to be submitted from these subnets
|
2016-03-21 21:42:39 +00:00
|
|
|
request subnets = 0.0.0.0/0
|
2016-03-29 09:29:15 +00:00
|
|
|
|
|
|
|
# Certificates are automatically signed for these subnets
|
2016-03-21 21:42:39 +00:00
|
|
|
autosign subnets = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
|
|
|
|
|
|
|
|
[logging]
|
2017-02-07 22:07:21 +00:00
|
|
|
backend =
|
|
|
|
|
|
|
|
;backend = sql
|
2016-03-21 21:42:39 +00:00
|
|
|
database = sqlite://{{ directory }}/db.sqlite
|
|
|
|
|
|
|
|
[tagging]
|
2017-02-07 22:07:21 +00:00
|
|
|
backend =
|
|
|
|
|
|
|
|
;backend = sql
|
2016-03-21 21:42:39 +00:00
|
|
|
database = sqlite://{{ directory }}/db.sqlite
|
|
|
|
|
2017-01-26 21:59:12 +00:00
|
|
|
[leases]
|
|
|
|
backend =
|
|
|
|
|
|
|
|
;backend = sql
|
2017-02-07 22:07:21 +00:00
|
|
|
schema = strongswan
|
|
|
|
database = sqlite://{{ directory }}/db.sqlite
|
2017-01-26 21:59:12 +00:00
|
|
|
|
|
|
|
# Following was used on an OpenWrt router
|
|
|
|
# uci set openvpn.s2c.status=/www/status.log
|
|
|
|
# uci commit; touch /www/status.log; chmod 755 /www/status.log
|
|
|
|
;backend = openvpn-status
|
|
|
|
;openvpn status uri = /var/log/openvpn-status.log
|
|
|
|
openvpn status uri = http://router.example.com/status.log
|
2015-12-12 22:34:08 +00:00
|
|
|
|
|
|
|
[signature]
|
2016-03-29 15:37:28 +00:00
|
|
|
certificate lifetime = {{ certificate_lifetime }}
|
|
|
|
revocation list lifetime = {{ revocation_list_lifetime }}
|
2016-03-29 09:29:15 +00:00
|
|
|
certificate url = {{ certificate_url }}
|
|
|
|
revoked url = {{ revoked_url }}
|
2015-12-12 22:34:08 +00:00
|
|
|
|
|
|
|
[push]
|
2017-02-07 22:07:21 +00:00
|
|
|
event source token = {{ push_token }}
|
|
|
|
event source subscribe = {{ push_server }}/ev/sub/%s
|
|
|
|
event source publish = {{ push_server }}/ev/pub/%s
|
|
|
|
long poll subscribe = {{ push_server }}/lp/sub/%s
|
|
|
|
long poll publish = {{ push_server }}/lp/pub/%s
|
2015-12-12 22:34:08 +00:00
|
|
|
|
|
|
|
[authority]
|
2016-03-31 22:55:51 +00:00
|
|
|
# User certificate enrollment specifies whether logged in users are allowed to
|
|
|
|
# request bundles. In case of 'single allowed' the common name of the
|
|
|
|
# certificate is set to username, this should work well with REMOTE_USER
|
|
|
|
# enabled web apps running behind Apache/nginx.
|
|
|
|
# In case of 'multiple allowed' the common name is set to username@device-identifier.
|
|
|
|
;user certificate enrollment = forbidden
|
|
|
|
;user certificate enrollment = single allowed
|
|
|
|
user certificate enrollment = multiple allowed
|
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
private key path = {{ ca_key }}
|
|
|
|
certificate path = {{ ca_crt }}
|
2016-03-29 09:29:15 +00:00
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
requests dir = {{ directory }}/requests/
|
|
|
|
signed dir = {{ directory }}/signed/
|
|
|
|
revoked dir = {{ directory }}/revoked/
|
2016-03-29 09:29:15 +00:00
|
|
|
expired dir = {{ directory }}/expired/
|
2017-02-07 22:07:21 +00:00
|
|
|
|
|
|
|
outbox uri = {{ outbox }}
|
|
|
|
outbox sender name = Certificate management
|
|
|
|
outbox sender address = certificates@example.com
|
2016-03-29 15:37:28 +00:00
|
|
|
|
2017-01-25 11:34:08 +00:00
|
|
|
bundle format = p12
|
|
|
|
;bundle format = ovpn
|
|
|
|
|
|
|
|
openvpn bundle template = /etc/certidude/template.ovpn
|
|
|
|
|