lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity
certidude/certidude/templates/certidude-server.conf

155 lines
5.3 KiB
Plaintext
Raw Blame History

[authentication]
# The authentiction backend specifies how the user is authenticated,
# in case of 'pam' simplepam.authenticate is used to authenticate against
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# user against eg. Active Directory or Samba4.
backends = pam
;backends = kerberos
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam
ldap uri = ldaps://dc1.example.com
[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on LDAP server specified by ldap uri
# with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME
# If certidude setup authority was performed correctly the credential cache should be
# updated automatically by /etc/cron.hourly/certidude
backend = posix
;backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc
ldap uri = ldap://dc1.example.com
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %}
[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' search filter with username as placeholder is applied.
backend = posix
posix user group = users
posix admin group = sudo
;backend = ldap
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))
# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0
# Authority administrators are allowed to sign and revoke certificates from these subnets
admin subnets = 0.0.0.0/0
# Certificate signing requests are allowed to be submitted from these subnets
request subnets = 0.0.0.0/0
# Certificates are automatically signed for these subnets
autosign subnets = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
[logging]
backend =
;backend = sql
database = sqlite://{{ directory }}/db.sqlite
[tagging]
backend =
;backend = sql
database = sqlite://{{ directory }}/db.sqlite
[leases]
backend =
;backend = sql
schema = strongswan
database = sqlite://{{ directory }}/db.sqlite
# Following was used on an OpenWrt router
# uci set openvpn.s2c.status=/www/status.log
# uci commit; touch /www/status.log; chmod 755 /www/status.log
;backend = openvpn-status
;openvpn status uri = /var/log/openvpn-status.log
openvpn status uri = http://router.example.com/status.log
[signature]
# Server certificate is granted to certificate with
# common name that includes period which translates to FQDN of the machine.
# TLS Server Auth and IKE Intermediate flags are attached to such certificate.
# Due to problematic CRL support in client applications
# we keep server certificate lifetime short and
# have it renewed automatically.
server certificate lifetime = 3
# Client certificates are granted to everything else
# TLS Client Auth flag is attached to such certificate.
# In this case it's set to 4 months.
client certificate lifetime = 120
revocation list lifetime = 24
# URL where CA certificate can be fetched from
authority certificate url = {{ certificate_url }}
# Strongswan can be configured to automatically fetch CRL
# in that case CRL URL has to be embedded in the certificate
revoked url = {{ revoked_url }}
# If certificate renewal is allowed clients can request a certificate
# for the same public key with extended lifetime
renewal allowed = false
;renewal allowed = true
[push]
event source token = {{ push_token }}
event source subscribe = {{ push_server }}/ev/sub/%s
event source publish = {{ push_server }}/ev/pub/%s
long poll subscribe = {{ push_server }}/lp/sub/%s
long poll publish = {{ push_server }}/lp/pub/%s
[authority]
# Present form for CSR submission for logged in users
;request submission allowed = true
request submission allowed = false
# User certificate enrollment specifies whether logged in users are allowed to
# request bundles. In case of 'single allowed' the common name of the
# certificate is set to username, this should work well with REMOTE_USER
# enabled web apps running behind Apache/nginx.
# In case of 'multiple allowed' the common name is set to username@device-identifier.
;user enrollment = forbidden
;user enrollment = single allowed
user enrollment = multiple allowed
# Machine certificate enrollment specifies whether Kerberos authenticated
# machines are allowed to automatically enroll with certificate where
# common name is set to machine's account name
machine enrollment = forbidden
;machine enrollment = allowed
private key path = {{ ca_key }}
certificate path = {{ ca_crt }}
requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/
outbox uri = {{ outbox }}
outbox sender name = Certificate management
outbox sender address = certificates@example.com
[bundle]
format = p12
;format = ovpn
# Template for OpenVPN profile, copy certidude/templates/openvpn-client.conf
# to /etc/certidude/ and make modifications as necessary
openvpn profile template = {{ openvpn_profile_template_path }}
Reference in New Issue View Git Blame Copy Permalink