# certidude server configuration template.
# Placeholders of the form {{ name }} and {% if ... %} are filled in when the
# file is generated; the rendered result is what the service reads.
# Convention in this file: '#' lines are explanations, ';' lines are
# commented-out alternative settings kept for reference.
# NOTE(review): this file ends up holding secrets (push token, path to the
# CA private key) - keep it readable by the service account only.

[authentication]
# The authentication backend specifies how the user is authenticated,
# in case of 'pam' simplepam.authenticate is used to authenticate against
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# user against eg. Active Directory or Samba4.
# Judging by the alternatives below, 'backends' is a space separated list;
# the order in which they are tried is decided by the reader - confirm.
backends = pam
;backends = kerberos
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam ldap
# Presumably used only when 'ldap' is among the backends. ldaps:// keeps
# the bind credentials off the wire; do not downgrade this to ldap://.
ldap uri = ldaps://dc1.example.com

[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on LDAP server specified by ldap uri
# with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME
# If certidude setup authority was performed correctly the credential cache should be
# updated automatically by /etc/cron.hourly/certidude
backend = posix
;backend = ldap
# Holds Kerberos tickets; must be owned by and readable only by the service
# account - TODO confirm the cron job creates it with those permissions.
ldap gssapi credential cache = /run/certidude/krb5cc
# NOTE(review): plain ldap:// here, unlike the ldaps:// in [authentication].
# Confirm the GSSAPI bind negotiates signing/sealing; otherwise use ldaps://.
ldap uri = ldap://dc1.example.com
# Search base; defaults to dc=example,dc=com when no base is supplied to the template.
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %}

[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' search filter with username as placeholder is applied.
backend = posix
# Members of 'posix user group' may log in; members of 'posix admin group'
# are authority administrators (they can sign and revoke, see the subnets below).
posix user group = users
posix admin group = sudo
;backend = ldap
# %s is replaced by the username by the reader. Two things to confirm in the
# reading code: (1) the username is escaped as an LDAP filter value before
# substitution, since it comes from the authenticated request; (2) a bare %s
# is rejected by Python configparser's default interpolation, so the reader
# presumably opens this file with interpolation disabled.
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))

# The four 'subnets' keys below are left empty in the template. Their value
# format (presumably a list of CIDR prefixes) and whether empty means
# "nowhere" or "everywhere" is decided by the reader - confirm before deploying.
# Users are allowed to log in from user subnets
user subnets =

# Authority administrators are allowed to sign and revoke certificates from these subnets
admin subnets =

# Certificate signing requests are allowed to be submitted from these subnets
request subnets =

# Certificates are automatically signed for these subnets
# Requests from these subnets get a certificate without administrator review,
# so keep this as narrow as possible.
autosign subnets =

[logging]
# Empty backend: logging to the database is disabled until 'sql' is selected.
backend =
;backend = sql
database = sqlite://{{ directory }}/db.sqlite

[tagging]
backend =
;backend = sql
database = sqlite://{{ directory }}/db.sqlite

[leases]
# Lease information is read either from the SQL database ('sql' backend,
# 'schema' selects the table layout) or from an OpenVPN status log
# ('openvpn-status' backend).
backend =
;backend = sql
schema = strongswan
database = sqlite://{{ directory }}/db.sqlite

# Following was used on an OpenWrt router
# uci set openvpn.s2c.status=/www/status.log
# uci commit; touch /www/status.log; chmod 755 /www/status.log
# NOTE(review): publishing the status log from the router's web root exposes
# connected client details to anyone who can reach that URL, and the http://
# value below fetches it unauthenticated over plaintext, so it could be read
# or altered in transit. Prefer the local-path alternative or an https:// URL.
;backend = openvpn-status
;openvpn status uri = /var/log/openvpn-status.log
openvpn status uri = http://router.example.com/status.log

[signature]
# Lifetimes are passed through from the template; their unit is whatever the
# reader expects - TODO confirm (days?) and document it here.
certificate lifetime = {{ certificate_lifetime }}
revocation list lifetime = {{ revocation_list_lifetime }}
# URLs embedded in issued certificates pointing at the CA certificate and the
# revocation list; they must be reachable by relying parties.
certificate url = {{ certificate_url }}
revoked url = {{ revoked_url }}

[push]
# Shared token for the push server; treat it as a secret.
event source token = {{ push_token }}
# %s in the URLs below is filled in by the reader (presumably a channel id).
event source subscribe = {{ push_server }}/ev/sub/%s
event source publish = {{ push_server }}/ev/pub/%s
long poll subscribe = {{ push_server }}/lp/sub/%s
long poll publish = {{ push_server }}/lp/pub/%s

[authority]
# User certificate enrollment specifies whether logged in users are allowed to
# request bundles. In case of 'single allowed' the common name of the
# certificate is set to username, this should work well with REMOTE_USER
# enabled web apps running behind Apache/nginx.
# In case of 'multiple allowed' the common name is set to username@device-identifier.
# With 'multiple allowed' any logged-in user can obtain several certificates
# (one per device identifier); 'forbidden' disables self-service enrollment.
;user certificate enrollment = forbidden
;user certificate enrollment = single allowed
user certificate enrollment = multiple allowed
# Location of the CA's private signing key and certificate. The key file must
# be readable only by the service account.
private key path = {{ ca_key }}
certificate path = {{ ca_crt }}
# Directories for requests and for signed, revoked and expired certificates.
requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/
# Outgoing mail; the URI scheme accepted here is decided by the reader - confirm.
outbox uri = {{ outbox }}
outbox sender name = Certificate management
outbox sender address = certificates@example.com
# Format of the bundle handed to enrolling users: PKCS#12 ('p12') or an
# OpenVPN profile ('ovpn') rendered from the template below.
bundle format = p12
;bundle format = ovpn
openvpn bundle template = /etc/certidude/template.ovpn