-
Notifications
You must be signed in to change notification settings - Fork 1
/
iamvpnlibrary.conf.sample
132 lines (121 loc) · 5.23 KB
/
iamvpnlibrary.conf.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
[failure]
# This defines the "VPN failure mode".
# At some point, the communication will fail, between the VPN and the
# upstream IAM services (LDAP, Duo, whatever). So, you have a choice
# to make in the manner in which you guide the code to react to being
# offline, because those clients are still trying to connect.
#
# * fail_open = True - you will take decisions that will lead towards
# allowing users to connect. That means different things for different
# functions, but in general it means to act forgivingly, but not insanely.
# "when the fire alarm goes off, all doors unlock, even the bank vault"
#
# * fail_open = False - you will take decisions that will lead towards
# a secure environment. People who cannot be explicitly verified will
# be denied. That could lead to someone making a decision that
# disconnects someone, or denies access. Your response time will be
# impacted during an outage.
# "when the fire alarm goes off, all doors lock."
fail_open = False
[sudo]
# sudo is more of a framework for decisions by downstream code, than
# anything to do with iamvpnlibrary. The code is essentially the
# verify_sudo_user function.
#
# sudo_users is a list of users whose cert CN may become another user.
# You probably want to leave this empty, as a general rule, and only add
# people to it when needed for incident testing.
# sudo_users = [ ]
sudo_users = [ '[email protected]' ]
# sudo_username_regexp is a string, a regexp, that a sudo-allowed person
# should type in to become some other user. The gathering parenteses are
# used to subselect from the string, and to let us flag what subsection of
# the string is to be used. This allows us to discriminate / lightly
# filter mistakes. That is, it prevents us from activating 'sudo to yourself'
# use cases.
sudo_username_regexp = ^su-to-(\S+)$
[ldap-bind]
# This section defines how we connect to the LDAP server
#
# These first three should be LDAP-obvious, the URL
# of the server, and the bind user and password.
url = ldap://ldapserver.yourcompany.com
bind_dn = uid=bind-user,ou=logins,dc=yourcompany
bind_password = 12345
#
# Next, we define the base DN of the server, and
# the base DN of groups. They can be the same.
base = dc=yourcompany
groups_base = ou=groups,%(base)s
[ldap-schema-users]
# These are items that define the user portion of
# the LDAP schema.
#
# Most humans have an RDN of [email protected]. 'mail' is the RDN
# attribute. non-humans ruin that, with uid=somename,ou=logins.
# That said, nonhumans have their mail attribute set to an address
# that matches their VPN certificate.
mail_attribute = mail
#
# The 'enabled_user_filter' is "how do you define if a user is not
# disabled?" This could be as complex as you want it to be.
# It just needs to be a valid prefix filter.
enabled_user_filter = (!(employeeType=DISABLED))
[ldap-schema-vpn-acls]
# These are items that define the VPN ACL portion of
# the LDAP schema.
#
# The RDN attribute that defined what an ACL is named:
rdn_attribute = cn
#
# attributes of an ACL that list users. It is assumed in the code that
# the values are DNs
attribute_user = member
#
# attributes of an ACL that list CIDR/port ACLs. These are strings that
# require parsing into useful blocks.
attribute_host = ipHostNumber
#
# This is a filter ACL to find all VPN ACLs. Could be name, could be
# an objectclass, if you're slick. Just some valid prefix filter.
# This should be how you look for ALL VPN ACLs, so, you should have
# some kind of wildcard in here:
all_acls_filter = (&(objectClass=GroupOfNames)(%(rdn_attribute)s=vpn_*))
#
# This is a filter ACL to find your default ACL group. That is, "if a user
# doesn't pass this check, they shouldn't be using the VPN." This could
# be "member of some group", it could be "(objectClass=*)" if you're
# super permissive and allow anyone.
minimum_group_filter = (&(objectClass=GroupOfNames)(%(rdn_attribute)s=vpn_default))
#
# This is the group that defines users who are not required to use MFA when
# they log in. This probably includes bots from remote sites. Use this
# with caution.
mfa_exempt_group_filter = (&(objectClass=GroupOfNames)(%(rdn_attribute)s=duo_vpn_exceptions))
[testing]
# The 'testing' section contains information for the unit tests.
# A production instance can/should empty this.
#
# Here's an email address that is bad. This will help us find cases where
# someone should fail out.
bad_user = [email protected]
#
# This should be a valid user in your testing (someone who should be able
# to log in. Just having a username will get us a lot of tests.
# If this user DOESN'T exist, you will have a looot of test failures.
normal_user = [email protected]
#
# If you hand over that user's password, you can run the full suite of
# unit tests. It's only really needed to do non-MFA testing, so if you
# don't want to provide it, that's cool. It's barely needed.
#
# Remember: if you do 'normal_user_password = anything', it tries the password
# of 'anything'. Leaving it blank tries a blank password. Leave this line
# commented out completely to get a pythonic 'None' and skip password based
# testing.
; normal_user_password = 12345
#
# If you have a user that is allowed to do 1fa all the time, share here
# for dedicated testing.
1fa_user = vpn-1fa-tester
; 1fa_user_password = 12345