certidude/certidude/templates/certidude.conf

83 lines
2.6 KiB
Plaintext
Raw Normal View History

[authentication]
# The authentiction backend specifies how the user is authenticated,
# in case of 'pam' simplepam.authenticate is used to authenticate against
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# user against eg. Active Directory or Samba4.
backends = pam
;backends = kerberos
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam
[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on LDAP server specified in /etc/ldap/ldap.conf
# with Kerberos credential cache initialized at path specified by 'ldap gssapi credential cache'
backend = posix
;backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc
[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' search filter with username as placeholder is applied.
backend = posix
posix user group = users
posix admin group = sudo
;backend = ldap
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))
# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0
# Authority administrators are allowed to sign and revoke certificates from these subnets
admin subnets = 0.0.0.0/0
# Certificate signing requests are allowed to be submitted from these subnets
request subnets = 0.0.0.0/0
# Certificates are automatically signed for these subnets
autosign subnets = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
[logging]
backend = sql
database = sqlite://{{ directory }}/db.sqlite
[tagging]
backend = sql
database = sqlite://{{ directory }}/db.sqlite
[leases]
backend = sql
schema = strongswan
database = sqlite://{{ directory }}/db.sqlite
[signature]
2016-03-29 15:37:28 +00:00
certificate lifetime = {{ certificate_lifetime }}
revocation list lifetime = {{ revocation_list_lifetime }}
certificate url = {{ certificate_url }}
revoked url = {{ revoked_url }}
[push]
2016-03-30 19:01:02 +00:00
event source = {{ push_server }}/ev/%s
long poll = {{ push_server }}/lp/%s
publish = {{ push_server }}/pub?id=%s
[authority]
private key path = {{ ca_key }}
certificate path = {{ ca_crt }}
requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/
outbox = {{ outbox }}
2016-03-29 15:37:28 +00:00