[authentication]
# The authentiction backend specifies how the user is authenticated,
# in case of 'pam' simplepam.authenticate is used to authenticate against
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# user against eg. Active Directory or Samba4.

;backends = ldap
;backends = kerberos
{% if realm %}
backends = kerberos ldap
;backends = pam
{% else %}
;backends = kerberos ldap
backends = pam
{% endif %}

kerberos keytab = FILE:{{ kerberos_keytab }}
{% if realm %}
# Kerberos realm derived from /etc/samba/smb.conf
kerberos realm = {{ realm }}
{% else %}
# Kerberos realm
kerberos realm = EXAMPLE.LAN
{% endif %}

{% if domain %}
# LDAP URI derived from /etc/samba/smb.conf
ldap uri = ldaps://dc1.{{ domain }}
{% else %}
# Placeholder LDAP URI
ldap uri = ldaps://dc1.example.lan
{% endif %}

[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on LDAP server specified by ldap uri
# with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME
# If certidude setup authority was performed correctly the credential cache should be
# updated automatically by /etc/cron.hourly/certidude

{% if not realm %}
backend = posix
{% else %}
;backend = posix
{% endif %}
mail suffix = example.lan

{% if realm %}
backend = ldap
{% else %}
;backend = ldap
{% endif %}
ldap gssapi credential cache = /run/certidude/krb5cc

{% if domain %}
# LDAP URI derived from /etc/samba/smb.conf
ldap uri = ldap://dc1.{{ domain }}
{% else %}
# LDAP URI
ldap uri = ldaps://dc1.example.lan
{% endif %}

{% if base %}
# LDAP base derived from /etc/samba/smb.conf
ldap base = {{ base }}
{% else %}
ldap base = dc=example,dc=lan
{% endif %}

ldap mail attribute = mail
;ldap mail attribute = otherMailbox

[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' search filter with username as placeholder is applied.

{% if realm %}
;backend = posix
{% else %}
backend = posix
{% endif %}
posix user group = users
posix admin group = sudo

{% if realm %}
backend = ldap
{% else %}
;backend = ldap
{% endif %}
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
{% if base %}
# LDAP user filter for administrative accounts, derived from /etc/samba/smb.conf
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{{ base }})(samaccountname=%s))
{% else %}
# LDAP user filter for administrative accounts
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,dc=example,dc=lan)(samaccountname=%s))
{% endif %}
;ldap admin filter = (&(samaccountname=lauri)(samaccountname=%s))

;backend = whitelist
user whitelist =
admin whitelist =

# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0

# Certificate signing requests are allowed to be submitted from these subnets
request subnets = 0.0.0.0/0

# Certificates are automatically signed for these subnets
autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Simple Certificate Enrollment Protocol enabled subnets
scep subnets =
;scep subnets = 0.0.0.0/0

# Online Certificate Status Protocol enabled subnets, anywhere by default
;ocsp subnets =
ocsp subnets = 0.0.0.0/0

# Certificate Revocation lists can be accessed from anywhere by default
;crl subnets =
crl subnets = 0.0.0.0/0

# If certificate renewal is attempted from whitelisted subnets, clients can
# request a certificate for the same public key with extended lifetime.
# To disable set to none
renewal subnets =
;renewal subnets = 0.0.0.0/0

# From which subnets autosign and SCEP requests are allowed to overwrite
# already existing certificate with same CN
overwrite subnets =
;overwrite subnets = 0.0.0.0/0


# Which subnets are offered Kerberos authentication, eg.
# subnet for Windows workstations or slice of VPN subnet where
# workstations are assigned to
kerberos subnets = 0.0.0.0
;kerberos subnets =


# Source subnets of Kerberos authenticated machines which are automatically
# allowed to enroll with CSR whose common name is set to machine's account name.
# Note that overwriting is not allowed by default, see 'overwrite subnets'
# option above
machine enrollment subnets =
;machine enrollment subnets = 0.0.0.0/0


# Authenticated users belonging to administrative LDAP or POSIX group
# are allowed to sign and revoke certificates from these subnets
admin subnets = 0.0.0.0/0
;admin subnets = 172.20.7.0/24 172.20.8.5


[logging]
# Disable logging
;backend =

# Use SQLite backend
backend = sql
database = sqlite://{{ directory }}/meta/db.sqlite

[signature]
# Server certificate is granted to certificate with
# common name that includes period which translates to FQDN of the machine.
# TLS Server Auth and IKE Intermediate flags are attached to such certificate.
# Due to problematic CRL support in client applications
# we keep server certificate lifetime short and
# have it renewed automatically.
server certificate lifetime = 3

# Client certificates are granted to everything else
# TLS Client Auth flag is attached to such certificate.
# In this case it's set to 4 months.
client certificate lifetime = 120

revocation list lifetime = 24

# URL where CA certificate can be fetched from
authority certificate url = {{ certificate_url }}


[push]
# This should occasionally be regenerated
event source token = {{ push_token }}

# For local nchan
event source publish = http://localhost/ev/pub/%s
long poll publish = http://localhost/lp/pub/%s
event source subscribe = /ev/sub/%s
long poll subscribe = /lp/sub/%s

# For remote nchan, make sure you use https:// if SSL is configured on push server
;event source publish = http://push.example.com/ev/pub/%s
;long poll publish = http://push.example.com/lp/pub/%s
;event source subscribe = //push.example.com/ev/sub/%s
;long poll subscribe = //push.example.com/lp/sub/%s

[authority]
# Present form for CSR submission for logged in users
;request submission allowed = true
request submission allowed = false

# User certificate enrollment specifies whether logged in users are allowed to
# request bundles. In case of 'single allowed' the common name of the
# certificate is set to username, this should work well with REMOTE_USER
# enabled web apps running behind Apache/nginx.
# In case of 'multiple allowed' the common name is set to username@device-identifier.
;user enrollment = forbidden
;user enrollment = single allowed
user enrollment = multiple allowed

# Certificate authority keypair
private key path = {{ ca_key }}
certificate path = {{ ca_cert }}

# Private key used by nginx frontend
self key path = {{ self_key }}

# Directories for requests, signed, revoked and expired certificates
requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/

[mailer]
# Certidude submits mails to local MTA.
# In case of Postfix configure it as "Sattelite system",
# and make sure Certidude machine doesn't try to accept mails.
# uncomment mail sender address to enable e-mails.
# Make sure used e-mail address is reachable for end users.
name = Certidude at {{ common_name }}
{% if domain %}
address = certificates@{{ domain }}
{% else %}
address = certificates@example.com
{% endif %}

[tagging]
owner/string = Owner
location/string = Location
phone/string = Phone
other/ = Other

[bootstrap]
# Following can be used to set up clients easily: certidude bootstrap ca.example.lan
# Services template is rendered on certidude server with relevant variables and
# placed to /etc/certidude/services.conf on the client
services template = {{ template_path }}/bootstrap.conf

[token]
# Token mechanism allows authority administrator to send invites for users.
# Backend for tokens, set none to disable
;backend =
backend = sql

# Database path for SQL backend
database = sqlite://{{ directory }}/meta/db.sqlite

# URL format
url = {{ token_url }}

# Token lifetime in minutes, 48 hours by default.
# Note that code tolerates 5 minute clock skew.
lifetime = 2880


[script]
# Path to the folder with scripts that can be served to the clients, set none to disable scripting
path = {{ script_dir }}
;path = /etc/certidude/script
;path =

[service]
protocols = ikev2 https openvpn
routers = ^(router|vpn|gw|gateway)\d*\.