groups->ldapgroups

Fusion · Fusion · commit e405ead8a2c7 · 2023-10-02T04:13:41.000Z
diff --git a/README.md b/README.md
@@ -35,19 +35,19 @@ so, let's say you built the 'sqlite' plugin, you would now specify its library:
 ### SQLite, MySQL, Postgres
 
 Tables:
-- users, groups are self-explanatory
+- users, ldapgroups are self-explanatory
 - includegroups store the 'includegroups' relationships
 - othergroups, on the other hand, are a comma-separated list found in the users table (performance)
 
 Here is how to insert example data using your database's REPL (more detailed information can be found in pkg/plugins/sample-database.cfg)
 
 ```sql
-INSERT INTO groups(name, gidnumber) VALUES('superheros', 5501);
-INSERT INTO groups(name, gidnumber) VALUES('svcaccts', 5502);
-INSERT INTO groups(name, gidnumber) VALUES('civilians', 5503);
-INSERT INTO groups(name, gidnumber) VALUES('caped', 5504);
-INSERT INTO groups(name, gidnumber) VALUES('lovesailing', 5505);
-INSERT INTO groups(name, gidnumber) VALUES('smoker', 5506);
+INSERT INTO ldapgroups(name, gidnumber) VALUES('superheros', 5501);
+INSERT INTO ldapgroups(name, gidnumber) VALUES('svcaccts', 5502);
+INSERT INTO ldapgroups(name, gidnumber) VALUES('civilians', 5503);
+INSERT INTO ldapgroups(name, gidnumber) VALUES('caped', 5504);
+INSERT INTO ldapgroups(name, gidnumber) VALUES('lovesailing', 5505);
+INSERT INTO ldapgroups(name, gidnumber) VALUES('smoker', 5506);
 INSERT INTO includegroups(parentgroupid, includegroupid) VALUES(5503, 5501);
 INSERT INTO includegroups(parentgroupid, includegroupid) VALUES(5504, 5502);
 INSERT INTO includegroups(parentgroupid, includegroupid) VALUES(5504, 5501);
diff --git a/postgres.go b/postgres.go
@@ -5,8 +5,8 @@ import (
 
 	_ "github.com/lib/pq"
 
-	"github.com/glauth/glauth/v2/pkg/plugins"
 	"github.com/glauth/glauth/v2/pkg/handler"
+	"github.com/glauth/glauth/v2/pkg/plugins"
 )
 
 type PostgresBackend struct {
@@ -50,9 +50,9 @@ CREATE TABLE IF NOT EXISTS users (
 	statement.Exec()
 	statement, _ = db.Prepare("CREATE UNIQUE INDEX IF NOT EXISTS idx_user_name on users(name)")
 	statement.Exec()
-	statement, _ = db.Prepare("CREATE TABLE IF NOT EXISTS groups (id SERIAL PRIMARY KEY, name TEXT NOT NULL, gidnumber INTEGER NOT NULL)")
+	statement, _ = db.Prepare("CREATE TABLE IF NOT EXISTS ldapgroups (id SERIAL PRIMARY KEY, name TEXT NOT NULL, gidnumber INTEGER NOT NULL)")
 	statement.Exec()
-	statement, _ = db.Prepare("CREATE UNIQUE INDEX IF NOT EXISTS idx_group_name on groups(name)")
+	statement, _ = db.Prepare("CREATE UNIQUE INDEX IF NOT EXISTS idx_group_name on ldapgroups(name)")
 	statement.Exec()
 	statement, _ = db.Prepare("CREATE TABLE IF NOT EXISTS includegroups (id SERIAL PRIMARY KEY, parentgroupid INTEGER NOT NULL, includegroupid INTEGER NOT NULL)")
 	statement.Exec()
@@ -61,9 +61,15 @@ CREATE TABLE IF NOT EXISTS users (
 }
 
 // Migrate schema if necessary
-func (b PostgresBackend) MigrateSchema(db *sql.DB, checker func(*sql.DB, string) bool) {
-	if !checker(db, "sshkeys") {
+func (b PostgresBackend) MigrateSchema(db *sql.DB, checker func(*sql.DB, string, string) bool) {
+	if !checker(db, "users", "sshkeys") {
 		statement, _ := db.Prepare("ALTER TABLE users ADD COLUMN sshkeys TEXT DEFAULT ''")
 		statement.Exec()
 	}
+	if checker(db, "groups", "name") {
+		statement, _ := db.Prepare("DROP TABLE ldapgroups")
+		statement.Exec()
+		statement, _ = db.Prepare("ALTER TABLE groups RENAME TO ldapgroups")
+		statement.Exec()
+	}
 }
diff --git a/sample-psql.cfg b/sample-psql.cfg
@@ -0,0 +1,81 @@
+#################
+# glauth.conf
+
+#################
+# General configuration.
+debug = true
+# syslog = true
+# structuredlog = true
+#
+# Enable hot-reload of configuration on changes
+# - does NOT work [ldap], [ldaps], [backend] or [api] sections
+# watchconfig = true
+
+#################
+# yubikeyclientid = "yubi-api-clientid"
+# yubikeysecret = "yubi-api-secret"
+
+#################
+# Server configuration.
+[ldap]
+  enabled = true
+  # run on a non privileged port
+  listen = "0.0.0.0:3893"
+
+[ldaps]
+# to enable ldaps generate a certificate, eg. with:
+# openssl req -x509 -newkey rsa:4096 -keyout glauth.key -out glauth.crt -days 365 -nodes -subj '/CN=`hostname`'
+  enabled = false
+  listen = "0.0.0.0:3894"
+  cert = "glauth.crt"
+  key = "glauth.key"
+
+#################
+# The backend section controls the data store.
+[backend]
+  datastore = "plugin"
+  plugin = "bin/postgres-linux-amd64.so"
+  pluginHandler = "NewPostgresHandler"
+  database = "host=127.0.0.1 port=5432 dbname=glauth user=glauthtest password=glauth sslmode=disable"
+  baseDN = "dc=glauth,dc=com"
+  nameformat = "cn"
+  groupformat = "ou"
+
+  # If you are using a client that requires reading the root DSE first
+  # such as SSSD
+  # anonymousdse = true
+
+  ## Configure dn format to use structures like 
+  ## "uid=serviceuser,cn=svcaccts,$BASEDN" instead of "cn=serviceuser,ou=svcaccts,$BASEDN"
+  ## to help ease migrations from other LDAP systems
+  # nameformat = "uid"
+  # groupformat = "cn"
+
+  ## Configure ssh-key attribute name, default is 'sshPublicKey'
+  # sshkeyattr = "ipaSshPubKey"
+
+[behaviors]
+  # Ignore all capabilities restrictions, for instance allowing every user to perform a search
+  IgnoreCapabilities = false
+  # Enable a "fail2ban" type backoff mechanism temporarily banning repeated failed login attempts
+  LimitFailedBinds = true
+  # How many failed login attempts are allowed before a ban is imposed
+  NumberOfFailedBinds = 3
+  # How long (in seconds) is the window for failed login attempts
+  PeriodOfFailedBinds = 10
+  # How long (in seconds) is the ban duration
+  BlockFailedBindsFor = 60
+  # Clean learnt IP addresses every N seconds
+  PruneSourceTableEvery = 600
+  # Clean learnt IP addresses not seen in N seconds
+  PruneSourcesOlderThan = 600
+
+#################
+# Enable and configure the optional REST API here.
+[api]
+  enabled = true
+  internals = true # debug application performance
+  tls = false # enable TLS for production!!
+  listen = "0.0.0.0:5555"
+  cert = "cert.pem"
+  key = "key.pem"
