cef4cb2c5a
- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures. - Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures. - Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval. - Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms. - Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.
86 lines
2.8 KiB
YAML
86 lines
2.8 KiB
YAML
# Example configuration for the LDAP identity provider plug-in.
|
|
# Adjust values to match your directory deployment before enabling the plugin.
|
|
|
|
connection:
|
|
host: "ldaps://ldap.example.internal"
|
|
port: 636
|
|
useStartTls: false
|
|
validateCertificates: true
|
|
clientCertificate:
|
|
pfxPath: "file:/etc/stellaops/certs/ldap-client.pfx"
|
|
passwordSecret: "file:/etc/stellaops/secrets/ldap-client-pfx.txt"
|
|
sendChain: true
|
|
trustStore:
|
|
mode: system # system | bundle
|
|
bundlePath: "file:/etc/stellaops/trust/ldap-root.pem"
|
|
searchBase: "ou=people,dc=example,dc=internal"
|
|
usernameAttribute: "uid"
|
|
userDnFormat: "uid={username},ou=people,dc=example,dc=internal"
|
|
bindDn: "cn=stellaops-bind,ou=service,dc=example,dc=internal"
|
|
bindPasswordSecret: "file:/etc/stellaops/secrets/ldap-bind.txt"
|
|
|
|
security:
|
|
requireTls: true
|
|
requireClientCertificate: false # set to true to enforce mutual TLS client authentication
|
|
allowInsecureWithEnvToggle: false # set STELLAOPS_LDAP_ALLOW_INSECURE=true to permit TLS downgrade
|
|
allowedCipherSuites:
|
|
- "TLS_AES_256_GCM_SHA384"
|
|
- "TLS_AES_128_GCM_SHA256"
|
|
referralChasing: false
|
|
|
|
lockout:
|
|
useAuthorityPolicies: true
|
|
directoryLockoutAttribute: "pwdAccountLockedTime"
|
|
|
|
claims:
|
|
groupAttribute: "memberOf"
|
|
groupToRoleMap:
|
|
"cn=stellaops-admins,ou=groups,dc=example,dc=internal": "operators"
|
|
"cn=stellaops-read,ou=groups,dc=example,dc=internal": "auditors"
|
|
regexMappings:
|
|
- pattern: "^cn=stellaops-(?P<role>[a-z-]+),ou=groups,dc=example,dc=internal$"
|
|
roleFormat: "{role}" # {role} comes from the named capture group in the pattern above
|
|
extraAttributes:
|
|
displayName: "displayName"
|
|
email: "mail"
|
|
cache:
|
|
enabled: true # enable Mongo-backed cache to avoid hammering LDAP for repeat grants
|
|
collectionName: "ldap_claims_cache" # optional; defaults to ldap_claims_cache_<pluginName> when omitted
|
|
ttlSeconds: 600
|
|
maxEntries: 5000
|
|
|
|
queries:
|
|
userFilter: "(&(objectClass=person)(uid={username}))"
|
|
attributes:
|
|
- "displayName"
|
|
- "mail"
|
|
- "memberOf"
|
|
|
|
clientProvisioning:
|
|
enabled: false
|
|
containerDn: "ou=service,dc=example,dc=internal"
|
|
secretAttribute: "userPassword"
|
|
auditMirror:
|
|
enabled: true
|
|
collectionName: "ldap_client_provisioning" # Mongo mirror ships inside the Offline Kit for auditors
|
|
|
|
bootstrap:
|
|
enabled: false
|
|
containerDn: "ou=people,dc=example,dc=internal"
|
|
rdnAttribute: "uid"
|
|
usernameAttribute: "uid"
|
|
displayNameAttribute: "displayName"
|
|
givenNameAttribute: "givenName"
|
|
surnameAttribute: "sn"
|
|
emailAttribute: "mail"
|
|
secretAttribute: "userPassword"
|
|
staticAttributes:
|
|
description: "StellaOps bootstrap user for {username}"
|
|
auditMirror:
|
|
enabled: true
|
|
collectionName: "ldap_bootstrap_audit"
|
|
|
|
health:
|
|
probeIntervalSeconds: 60
|
|
timeoutSeconds: 5
|