diff options
| author | Alex Auvolat <alex@adnab.me> | 2020-01-26 20:18:22 +0100 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2020-01-26 20:18:22 +0100 |
| commit | 7b77bfc66c94e80e4c65e9d087e5a10ce849bd01 (patch) | |
| tree | 0a4ef49dbc8ca15130bab6c2996c85ac2a8b39aa | |
| parent | d56a2530dd146c7837eca6e5844fb3b9b19062ca (diff) | |
| download | bottin-7b77bfc66c94e80e4c65e9d087e5a10ce849bd01.tar.gz bottin-7b77bfc66c94e80e4c65e9d087e5a10ce849bd01.zip | |
Complete readme
| -rw-r--r-- | README.md | 55 |
1 files changed, 40 insertions, 15 deletions
@@ -3,17 +3,39 @@ in order to provide a redundant (high-availability) LDAP server on a Nomad+Consu It is a reimplementation of [superboum's Bottin](https://github.com/superboum/bottin) using the Go programming language. +Features: + +- most LDAP operations implemented (add, modify, delete, compare, search with most basic filters) +- TLS support with STARTTLS +- Access control through an ACL (hardcoded in the configuration file) + + Building `gobottin` can be done simply by running `go build` in this folder. `gobottin` takes a single command line argument, `-config <filename>`, which is the path to its config file (defaults to `./config.json`). The configuration file is a JSON file whose contents is described in the following section. + +# Server initialization + +When `gobottin` is launched on an empty database, +it creates a special admin entity with the name `cn=admin,your_suffix`. +It will have a randomly generated password that is printed out by the server. +Check your logs to retrieve the password. + +The admin entity has no powers other than those granted by the ACL rules, +so unless you don't want to use it, make sure to keep rules that allow to +bind to the admin entity and that allows the admin entity to do everything. + + # Configuration of `gobottin` ## The LDAP suffix -`gobottin` only handles LDAP entries under a given path, which is typically of the form `dn=sld,dn=tld`, where `sld.tld` is your domain name. Specify this suffix in the `suffix` key of the json config file. +`gobottin` only handles LDAP entries under a given path, which is typically of +the form `dn=sld,dn=tld`, where `sld.tld` is your domain name. Specify this +suffix in the `suffix` key of the json config file. ## Connection to the Consul server @@ -54,17 +76,20 @@ A rule is a string composed of five fields separated by `:`. The fields are the ### Rule examples -``` -// Anybody (before binding) can bind to an entity under ou=users,dc=gobottin,dc=eu -"ANONYMOUS::bind:*,ou=users,dc=gobottin,dc=eu:", -// Anybody (before binding) can bind to the specific admin entity -"ANONYMOUS::bind:cn=admin,dc=gobottin,dc=eu:", -// Anybody who is logged in can read anything that is not a userpassword attribute -"*,dc=gobottin,dc=eu::read:*:* !userpassword", -// Anybody can read and modify anything from their own entry -"*::read modify:SELF:*", -// The admin can read, add, modify, delete anything -"cn=admin,dc=gobottin,dc=eu::read add modify delete:*:*", -// Members of the admin group can read, add, modify, delete anything -"*:cn=admin,ou=groups,dc=gobottin,dc=eu:read add modify delete:*:*" -``` +- Anybody (before binding) can bind to an entity under `ou=users,dc=gobottin,dc=eu`: + `ANONYMOUS::bind:*,ou=users,dc=gobottin,dc=eu:` + +- Anybody (before binding) can bind to the specific admin entity: + `ANONYMOUS::bind:cn=admin,dc=gobottin,dc=eu:` + +- Anybody who is logged in can read anything that is not a userpassword attribute: + `*,dc=gobottin,dc=eu::read:*:* !userpassword` + +- Anybody can read and modify anything from their own entry: + `*::read modify:SELF:*` + +- The admin can read, add, modify, delete anything: + `cn=admin,dc=gobottin,dc=eu::read add modify delete:*:*` + +- Members of the admin group can read, add, modify, delete anything: + `*:cn=admin,ou=groups,dc=gobottin,dc=eu:read add modify delete:*:*` |