Difference between revisions of "Backends Configuration"
Line 2: | Line 2: | ||
= Access Session Backends = | = Access Session Backends = | ||
== Balabit SCB / PSM == | == Balabit SCB / PSM == | ||
− | *config.address: Address of SCB / PSM box | + | *'''config.address''': Address of SCB / PSM box |
− | *config.connections.ssh._default.port: SSH port for SCB / PSM connections | + | *'''config.maptoip''': If present, and if equals to "onepoint-access" for resolving IP addresses with Onepoint Assets |
− | *config.connections.rdp._default.port: RDP port for SCB / PSM connections | + | *'''config.connections.ssh._default.port''': SSH port for SCB / PSM connections |
+ | *'''config.connections.rdp._default.port''': RDP port for SCB / PSM connections | ||
{ | { | ||
"address": "SCB-ADDRESS", | "address": "SCB-ADDRESS", | ||
− | " | + | "maptoip": "onepoint-access", |
"gateway": { | "gateway": { | ||
"protocols": [ | "protocols": [ | ||
Line 29: | Line 30: | ||
} | } | ||
== Apache Guacamole == | == Apache Guacamole == | ||
+ | *'''config.address''': Address of Apache Guacamole server | ||
+ | *'''config.maptoip''': If present, and if equals to "onepoint-access" for resolving IP addresses with Onepoint Assets | ||
+ | { | ||
+ | "address": "GUACAMOLE-ONEPOINT-ADDRESS", | ||
+ | "maptoip": "onepoint-access" | ||
+ | } | ||
+ | = Authentication Backends = | ||
+ | == LDAP == | ||
+ | *'''config.directory_backend''': Associated Directory Backend for user info for the authenticated users | ||
+ | *'''config.address''': Address for the LDAP / AD server | ||
+ | *'''config.usermapping''': "replace" for replacing the '''config.usermapping.replace''' attribute with the specified username; "resolution" for resolving the username based on the specified username in LDAP / AD | ||
+ | *'''config.usermapping.resolution.authentication.type''': "none" for anonymous binding, "auth" for binding with '''config.usermapping.resolution.authentication.userdn''' and '''config.usermapping.resolution.authentication.password'''' | ||
+ | *'''config.usermapping.resolution.authentication.encryption''': "none" for no encryption in auth parameters, "password" for encrypting password only, "full" for encrypting userdn and password. (The encrypted string can be retrieved in Settings > Encrypt String) | ||
+ | *'''config.usermapping.resolution.authentication.userdn''': Plain or encrypted userdn for binding LDAP / AD | ||
+ | *'''config.usermapping.resolution.authentication.password''': Plain or encrypted password for binding LDAP / AD | ||
+ | *'''config.usermapping.resolution.basedn''': BaseDN for querying for resolution | ||
+ | *'''config.usermapping.resolution.condition''': LDAP query for resolution, using ${username} for user name or principal identification attribute | ||
+ | { | ||
+ | "directory_backend": "DIRECTORY_BACKEND", | ||
+ | "address": "LDAP_SERVER_ADDRESS", | ||
+ | "usermapping": { | ||
+ | "type": "resolution", | ||
+ | "replace": "cn=${username},ou=People,dc=domain,dc=com", | ||
+ | "resolution": { | ||
+ | "authentication": { | ||
+ | "type": "none", | ||
+ | "encryption": "none", | ||
+ | "userdn": "BIND_USERDN", | ||
+ | "password": "BIND_PASSWORD" | ||
+ | }, | ||
+ | "basedn": "BASE_DN", | ||
+ | "condition": "(&(objectClass=inetorgperson)(uid=${username}))" | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | == XTON CAS == | ||
+ | *'''config.address''': XTON WEB server address | ||
+ | { | ||
+ | "address": "XTON_BASE_WEB_ADDRESS" | ||
+ | } | ||
+ | = Directory Backends = | ||
+ | == LDAP / AD == | ||
+ | *'''config.address''': LDAP / AD server address | ||
+ | *'''config.authentication.type''': Always "explicit". Ignored for now | ||
+ | *'''config.authentication.encryption''': "none" for no ecryption in authentication parameters; "password" for encrypting password; "full" for encrypting both userdn and password | ||
+ | *'''config.authentication.userdn''': Binding User DN | ||
+ | *'''config.authentication.password''': Binding User password | ||
+ | *'''config.basedn''': Base DN for searching | ||
+ | *'''config.query.computer.filter''': Filter for computer query | ||
+ | *'''config.query.computer.ou''': Additional DN segment for computer query (null if none) | ||
+ | *'''config.query.computer.id_attribute''': ID attribute for computer | ||
+ | *'''config.query.user.filter''': Filter for user query | ||
+ | *'''config.query.user.ou''': Additional DN segment for user query (null if none) | ||
+ | *'''config.query.user.id_attribute''': ID attribute for user | ||
+ | *'''config.query.group.filter''': Filter for group query | ||
+ | *'''config.query.group.ou''': Additional DN segment for group query (null if none) | ||
+ | *'''config.query.group.id_attribute''': ID attribute for group | ||
+ | { | ||
+ | "address": "SERVER_ADDRESS", | ||
+ | "authentication": { | ||
+ | "type": "explicit", | ||
+ | "encryption": "none", | ||
+ | "userdn": "BIND_DN", | ||
+ | "password": "BIND_PASSWORD" | ||
+ | }, | ||
+ | "basedn": "BASE_DN", | ||
+ | "query": { | ||
+ | "computer": { | ||
+ | "filter": "(&(objectcategory=computer)(name=${filter.name}))", | ||
+ | "ou": null, | ||
+ | "id_attribute": "cn" | ||
+ | }, | ||
+ | "user": { | ||
+ | "filter": "(&(objectcategory=user)(name=${filter.name}))", | ||
+ | "ou": null, | ||
+ | "id_attribute": "samaccountname" | ||
+ | }, | ||
+ | "group": { | ||
+ | "filter": "(&(objectcategory=group)(name=${filter.name}))", | ||
+ | "ou": null, | ||
+ | "id_attribute": "samaccountname" | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | |||
+ | = Vault Backends = | ||
+ | == Hashicorp Vault == | ||
+ | *'''config.endpoint.address''': Hashicorp Vault Web Services Address | ||
+ | *'''config.endpoint.authentication.mode''': Always "token" | ||
+ | *'''config.endpoint.authentication.encryption''': "none" for no encryption; "full" for token encryption | ||
+ | *'''config.endpoint.authentication.token''': Plain or encrypted Authentication Token | ||
+ | { | ||
+ | "endpoint": { | ||
+ | "address": "HASHICORP-VAULT-ADDRESS", | ||
+ | "authentication": { | ||
+ | "mode": "token", | ||
+ | "encryption": "full", | ||
+ | "token": "HASHICORP-VAULT-TOKEN" | ||
+ | } | ||
+ | } | ||
+ | } |
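Review bot: Both new LDAP samples (Authentication Backends at `"encryption": "none"` with `"password": "BIND_PASSWORD"`, and Directory Backends with the same pair) show the cleartext option even though the page documents "password" and "full" encryption and the Vault sample already uses `"encryption": "full"`; an operator copying the sample as-is ends up with a cleartext bind password in the backend config, so either switch the samples to `"encryption": "full"` or add to the encryption bullets `"none" stores the bind credential in cleartext in the backend configuration; prefer "password" or "full" outside of testing`. The `config.usermapping` bullet describes the "replace"/"resolution" choice, but the sample sets it as `"usermapping": { "type": "resolution", ... }`, so the bullet should be named `config.usermapping.type`. The `replace` and `condition` bullets substitute `${username}` into a DN and an LDAP filter without saying whether the value is escaped before substitution; stating that (or the requirement to escape it) would let deployers judge the risk of untrusted usernames. The `config.usermapping.resolution.authentication.password` bullet also carries a stray fourth quote in its wiki bold markup, which renders as a trailing apostrophe.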
Latest revision as of 16:17, 11 July 2019
Access Session Backends
Balabit SCB / PSM
- config.address: Address of SCB / PSM box
- config.maptoip: If present and equal to "onepoint-access", IP addresses are resolved with Onepoint Assets
- config.connections.ssh._default.port: SSH port for SCB / PSM connections
- config.connections.rdp._default.port: RDP port for SCB / PSM connections
{ "address": "SCB-ADDRESS", "maptoip": "onepoint-access", "gateway": { "protocols": [ "rdp", "ssh" ], "connections": { "ssh": { "__default": { "port": 22 }, }, "rdp": { "__default": { "port": 443 }, } } } }
Apache Guacamole
- config.address: Address of Apache Guacamole server
- config.maptoip: If present and equal to "onepoint-access", IP addresses are resolved with Onepoint Assets
{ "address": "GUACAMOLE-ONEPOINT-ADDRESS", "maptoip": "onepoint-access" }
Authentication Backends
LDAP
- config.directory_backend: Associated Directory Backend for user info for the authenticated users
- config.address: Address for the LDAP / AD server
- config.usermapping: "replace" for replacing the config.usermapping.replace attribute with the specified username; "resolution" for resolving the username based on the specified username in LDAP / AD
- config.usermapping.resolution.authentication.type: "none" for anonymous binding, "auth" for binding with config.usermapping.resolution.authentication.userdn and config.usermapping.resolution.authentication.password
- config.usermapping.resolution.authentication.encryption: "none" for no encryption in auth parameters, "password" for encrypting password only, "full" for encrypting userdn and password. (The encrypted string can be retrieved in Settings > Encrypt String)
- config.usermapping.resolution.authentication.userdn: Plain or encrypted userdn for binding LDAP / AD
- config.usermapping.resolution.authentication.password: Plain or encrypted password for binding LDAP / AD
- config.usermapping.resolution.basedn: BaseDN for querying for resolution
- config.usermapping.resolution.condition: LDAP query for resolution, using ${username} for user name or principal identification attribute
{ "directory_backend": "DIRECTORY_BACKEND", "address": "LDAP_SERVER_ADDRESS", "usermapping": { "type": "resolution", "replace": "cn=${username},ou=People,dc=domain,dc=com", "resolution": { "authentication": { "type": "none", "encryption": "none", "userdn": "BIND_USERDN", "password": "BIND_PASSWORD" }, "basedn": "BASE_DN", "condition": "(&(objectClass=inetorgperson)(uid=${username}))" } } }
XTON CAS
- config.address: XTON WEB server address
{ "address": "XTON_BASE_WEB_ADDRESS" }
Directory Backends
LDAP / AD
- config.address: LDAP / AD server address
- config.authentication.type: Always "explicit". Ignored for now
- config.authentication.encryption: "none" for no encryption in authentication parameters; "password" for encrypting the password; "full" for encrypting both userdn and password
- config.authentication.userdn: Binding User DN
- config.authentication.password: Binding User password
- config.basedn: Base DN for searching
- config.query.computer.filter: Filter for computer query
- config.query.computer.ou: Additional DN segment for computer query (null if none)
- config.query.computer.id_attribute: ID attribute for computer
- config.query.user.filter: Filter for user query
- config.query.user.ou: Additional DN segment for user query (null if none)
- config.query.user.id_attribute: ID attribute for user
- config.query.group.filter: Filter for group query
- config.query.group.ou: Additional DN segment for group query (null if none)
- config.query.group.id_attribute: ID attribute for group
{
"address": "SERVER_ADDRESS", "authentication": { "type": "explicit", "encryption": "none", "userdn": "BIND_DN", "password": "BIND_PASSWORD" }, "basedn": "BASE_DN", "query": { "computer": { "filter": "(&(objectcategory=computer)(name=${filter.name}))", "ou": null, "id_attribute": "cn" }, "user": { "filter": "(&(objectcategory=user)(name=${filter.name}))", "ou": null, "id_attribute": "samaccountname" }, "group": { "filter": "(&(objectcategory=group)(name=${filter.name}))", "ou": null, "id_attribute": "samaccountname" } }
}
Vault Backends
Hashicorp Vault
- config.endpoint.address: Hashicorp Vault Web Services Address
- config.endpoint.authentication.mode: Always "token"
- config.endpoint.authentication.encryption: "none" for no encryption; "full" for token encryption
- config.endpoint.authentication.token: Plain or encrypted Authentication Token
{ "endpoint": { "address": "HASHICORP-VAULT-ADDRESS", "authentication": { "mode": "token", "encryption": "full", "token": "HASHICORP-VAULT-TOKEN" } } }