Difference between revisions of "Backends Configuration"

 
(2 intermediate revisions by the same user not shown)
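--- a/Backends Configuration
+++ b/Backends Configuration
@@ -35,3 +35,98 @@
      "address": "GUACAMOLE-ONEPOINT-ADDRESS",
      "maptoip": "onepoint-access"
+  }
+= Authentication Backends =
+== LDAP ==
+*'''config.directory_backend''': Associated Directory Backend for user info for the authenticated users
+*'''config.address''': Address for the LDAP / AD server
+*'''config.usermapping''': "replace" for replacing the '''config.usermapping.replace''' attribute with the specified username; "resolution" for resolving the username based on the specified username in LDAP / AD
+*'''config.usermapping.resolution.authentication.type''': "none" for anonymous binding, "auth" for binding with '''config.usermapping.resolution.authentication.userdn''' and '''config.usermapping.resolution.authentication.password''''
+*'''config.usermapping.resolution.authentication.encryption''': "none" for no encryption in auth parameters, "password" for encrypting password only, "full" for encrypting userdn and password. (The encrypted string can be retrieved in Settings > Encrypt String)
+*'''config.usermapping.resolution.authentication.userdn''': Plain or encrypted userdn for binding LDAP / AD
+*'''config.usermapping.resolution.authentication.password''': Plain or encrypted password for binding LDAP / AD
+*'''config.usermapping.resolution.basedn''': BaseDN for querying for resolution
+*'''config.usermapping.resolution.condition''': LDAP query for resolution, using ${username} for user name or principal identification attribute
+  {
+    "directory_backend": "DIRECTORY_BACKEND",
+    "address": "LDAP_SERVER_ADDRESS",
+    "usermapping": {
+      "type": "resolution",
+      "replace": "cn=${username},ou=People,dc=domain,dc=com",
+      "resolution": {
+        "authentication": {
+          "type": "none",
+          "encryption": "none",
+          "userdn": "BIND_USERDN",
+          "password": "BIND_PASSWORD"
+        },
+        "basedn": "BASE_DN",
+        "condition": "(&(objectClass=inetorgperson)(uid=${username}))"
+      }
+    }
+  }
+== XTON CAS ==
+*'''config.address''': XTON WEB server address
+  {
+    "address": "XTON_BASE_WEB_ADDRESS"
+  }
+= Directory Backends =
+== LDAP / AD ==
+*'''config.address''': LDAP / AD server address
+*'''config.authentication.type''': Always "explicit". Ignored for now
+*'''config.authentication.encryption''': "none" for no ecryption in authentication parameters; "password" for encrypting password; "full" for encrypting both userdn and password
+*'''config.authentication.userdn''': Binding User DN
+*'''config.authentication.password''': Binding User password
+*'''config.basedn''': Base DN for searching
+*'''config.query.computer.filter''': Filter for computer query
+*'''config.query.computer.ou''': Additional DN segment for computer query (null if none)
+*'''config.query.computer.id_attribute''': ID attribute for computer
+*'''config.query.user.filter''': Filter for user query
+*'''config.query.user.ou''': Additional DN segment for user query (null if none)
+*'''config.query.user.id_attribute''': ID attribute for user
+*'''config.query.group.filter''': Filter for group query
+*'''config.query.group.ou''': Additional DN segment for group query (null if none)
+*'''config.query.group.id_attribute''': ID attribute for group
+{
+  "address": "SERVER_ADDRESS",
+  "authentication": {
+    "type": "explicit",
+    "encryption": "none",
+    "userdn": "BIND_DN",
+    "password": "BIND_PASSWORD"
+  },
+  "basedn": "BASE_DN",
+  "query": {
+    "computer": {
+      "filter": "(&(objectcategory=computer)(name=${filter.name}))",
+      "ou": null,
+      "id_attribute": "cn"
+    },
+    "user": {
+      "filter": "(&(objectcategory=user)(name=${filter.name}))",
+      "ou": null,
+      "id_attribute": "samaccountname"
+    },
+    "group": {
+      "filter": "(&(objectcategory=group)(name=${filter.name}))",
+      "ou": null,
+      "id_attribute": "samaccountname"
+    }
+  }
+}
+
+= Vault Backends =
+== Hashicorp Vault ==
+*'''config.endpoint.address''': Hashicorp Vault Web Services Address
+*'''config.endpoint.authentication.mode''': Always "token"
+*'''config.endpoint.authentication.encryption''': "none" for no encryption; "full" for token encryption
+*'''config.endpoint.authentication.token''': Plain or encrypted Authentication Token
+  {
+    "endpoint": {
+      "address": "HASHICORP-VAULT-ADDRESS",
+      "authentication": {
+        "mode": "token",
+        "encryption": "full",
+        "token": "HASHICORP-VAULT-TOKEN"
+      }
+    }
    }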

Latest revision as of 16:17, 11 July 2019

Access Session Backends

Balabit SCB / PSM

  • config.address: Address of SCB / PSM box
  • config.maptoip: If present and equal to "onepoint-access", target IP addresses are resolved through Onepoint Assets
  • config.gateway.connections.ssh.__default.port: SSH port for SCB / PSM connections (as in the example below, connections are nested under gateway and the default entry is named __default, with two leading underscores)
  • config.gateway.connections.rdp.__default.port: RDP port for SCB / PSM connections. Note that the example below has a trailing comma after each __default object, which a strict JSON parser rejects; drop those commas when copying it.
 {
   "address": "SCB-ADDRESS",
   "maptoip": "onepoint-access",
   "gateway": {
     "protocols": [
       "rdp",
       "ssh"
     ],
     "connections": {
       "ssh": {
         "__default": {
           "port": 22
         },
       },
       "rdp": {
         "__default": {
           "port": 443
         },
       }
     }
   }
 }

Apache Guacamole

  • config.address: Address of Apache Guacamole server
  • config.maptoip: If present and equal to "onepoint-access", target IP addresses are resolved through Onepoint Assets
 {
   "address": "GUACAMOLE-ONEPOINT-ADDRESS",
   "maptoip": "onepoint-access"
 }

Authentication Backends

LDAP

  • config.directory_backend: Directory Backend used to look up user information for the authenticated users
  • config.address: Address for the LDAP / AD server
  • config.usermapping.type: "replace" substitutes the supplied username into the config.usermapping.replace DN template to build the user DN; "resolution" searches LDAP / AD for the user with the resolution settings below (the example uses "resolution")
  • config.usermapping.resolution.authentication.type: "none" for anonymous binding; "auth" for binding with config.usermapping.resolution.authentication.userdn and config.usermapping.resolution.authentication.password
  • config.usermapping.resolution.authentication.encryption: "none" leaves the bind parameters in clear text, "password" encrypts only the password, "full" encrypts both userdn and password. Prefer "password" or "full" so that the bind credential is not stored in clear text in the backend configuration. (The encrypted string can be generated in Settings > Encrypt String.)
  • config.usermapping.resolution.authentication.userdn: Plain or encrypted userdn for binding LDAP / AD
  • config.usermapping.resolution.authentication.password: Plain or encrypted password for binding LDAP / AD
  • config.usermapping.resolution.basedn: BaseDN for querying for resolution
  • config.usermapping.resolution.condition: LDAP search filter for resolution; ${username} is replaced with the supplied user name or principal identification attribute. Because the value is interpolated into the filter, it must be escaped per RFC 4515 — confirm that the product does this before exposing the login to untrusted users, otherwise a crafted username can change the filter's meaning.
 {
   "directory_backend": "DIRECTORY_BACKEND",
   "address": "LDAP_SERVER_ADDRESS",
   "usermapping": {
     "type": "resolution",
     "replace": "cn=${username},ou=People,dc=domain,dc=com",
     "resolution": {
       "authentication": {
         "type": "none",
         "encryption": "none",
         "userdn": "BIND_USERDN",
         "password": "BIND_PASSWORD"
       },
       "basedn": "BASE_DN",
       "condition": "(&(objectClass=inetorgperson)(uid=${username}))"
     }
   }
 }

XTON CAS

  • config.address: XTON WEB server address
 {
   "address": "XTON_BASE_WEB_ADDRESS"
 }

Directory Backends

LDAP / AD

  • config.address: LDAP / AD server address
  • config.authentication.type: Always "explicit"; the value is currently ignored
  • config.authentication.encryption: "none" for no encryption of the authentication parameters; "password" for encrypting the password; "full" for encrypting both userdn and password (prefer "password" or "full" so the bind password is not stored in clear text, as it is in the example below)
  • config.authentication.userdn: Binding User DN
  • config.authentication.password: Binding User password
  • config.basedn: Base DN for searching
  • config.query.computer.filter: Filter for computer query
  • config.query.computer.ou: Additional DN segment for computer query (null if none)
  • config.query.computer.id_attribute: ID attribute for computer
  • config.query.user.filter: Filter for user query
  • config.query.user.ou: Additional DN segment for user query (null if none)
  • config.query.user.id_attribute: ID attribute for user
  • config.query.group.filter: Filter for group query
  • config.query.group.ou: Additional DN segment for group query (null if none)
  • config.query.group.id_attribute: ID attribute for group

{

 "address": "SERVER_ADDRESS",
 "authentication": {
   "type": "explicit",
   "encryption": "none",
   "userdn": "BIND_DN",
   "password": "BIND_PASSWORD"
 },
 "basedn": "BASE_DN",
 "query": {
   "computer": {
     "filter": "(&(objectcategory=computer)(name=${filter.name}))",
     "ou": null,
     "id_attribute": "cn"
   },
   "user": {
     "filter": "(&(objectcategory=user)(name=${filter.name}))",
     "ou": null,
     "id_attribute": "samaccountname"
   },
   "group": {
     "filter": "(&(objectcategory=group)(name=${filter.name}))",
     "ou": null,
     "id_attribute": "samaccountname"
   }
 }

}

Vault Backends

Hashicorp Vault

  • config.endpoint.address: Hashicorp Vault Web Services Address
  • config.endpoint.authentication.mode: Always "token"
  • config.endpoint.authentication.encryption: "none" for no encryption; "full" for encrypting the token (preferred, and used in the example below)
  • config.endpoint.authentication.token: Plain or encrypted Authentication Token
 {
   "endpoint": {
     "address": "HASHICORP-VAULT-ADDRESS",
     "authentication": {
       "mode": "token",
       "encryption": "full",
       "token": "HASHICORP-VAULT-TOKEN"
     }
   }
 }