#################
# glauth.conf
# Sample configuration. The user records below carry known example passwords
# (shown in the trailing comments) and example OTP/YubiKey values, so replace
# every credential before reusing this file.
# NOTE(review): this file holds password hashes and an OTP secret; keep it
# readable only by the account that runs the server.

#################
# General configuration.
# NOTE(review): debug logging is switched on here; confirm what it records
# before running with it outside a test setup.
debug = true
#syslog = true
# yubikeyclientid = "yubi-api-clientid"
# yubikeysecret = "yubi-api-secret"

#################
# The frontend section controls how clients connect to the proxy.
[frontend]
# With tls = false and a listener on 0.0.0.0, LDAP simple binds reach this
# port unencrypted on every interface, so bind passwords are readable on the
# network path.
tls = false # enable TLS for production!!
listen = "0.0.0.0:3893"
# Certificate and private key files; presumably only read when tls = true.
cert = "cert.pem"
key = "key.pem"

#################
# The backend section controls the data store.
[backend]
datastore = "config"
baseDN = "dc=glauth,dc=com"

#################
# The users section contains a hardcoded list of valid users.
# to create a passSHA256: echo -n "mysecret" | openssl dgst -sha256
# (that command leaves the cleartext password in shell history and in the
# process list while it runs)
# passsha256 is a plain, unsalted SHA-256 digest: users with the same password
# get the same value (see "hackers" and "johndoe" below), and a leaked copy of
# this file can be tested against password guesses offline at high speed.
[[users]]
name = "hackers"
unixid = 5001
primarygroup = 5501
passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood

# This user record shows all of the possible fields available
[[users]]
name = "johndoe"
givenname = "John"
sn = "Doe"
mail = "jdoe@example.com"
unixid = 5002
primarygroup = 5501
loginShell = "/bin/sh"
# NOTE(review): the sample home directory is /root; pick a per-user path when
# adapting this record.
homeDir = "/root"
passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
# SSH public key(s) for this user, one string per key.
sshkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3UKCEllO2IZXgqNygiVb+dDLJJwVw3AJwV34t2jzR+/tUNVeJ9XddKpYQektNHsFmY93lJw5QDSbeH/mAC4KPoUM47EriINKEelRbyG4hC/ko/e2JWqEclPS9LP7GtqGmscXXo4JFkqnKw4TIRD52XI9n1syYM9Y8rJ88fjC/Lpn+01AB0paLVIfppJU35t0Ho9doHAEfEvcQA6tcm7FLJUvklAxc8WUbdziczbRV40KzDroIkXAZRjX7vXXhh/p7XBYnA0GO8oTa2VY4dTQSeDAUJSUxbzevbL0ll9Gi1uYaTDQyE5gbn2NfJSqq0OYA+3eyGtIVjFYZgi+txSuhw== rsa-key-20160209"]

[[users]]
name = "serviceuser"
unixid = 5003
primarygroup = 5502
passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret

# Test user showing 2 factor auth authentication
[[users]]
name = "otpuser"
unixid = 5004
primarygroup = 5501
passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
# The OTP seed is stored here in the clear; anyone who can read this file can
# generate this user's one-time codes.
otpsecret = "3hnvnk4ycv44glzigd6s25j4dougs3rk"
# presumably the YubiKey's public identity prefix - confirm against the
# server documentation
yubikey = "vvjrcfalhlaa"

#################
# The groups section contains a hardcoded list of valid groups.
[[groups]]
name = "superheros"
unixid = 5501

[[groups]]
name = "svcaccts"
unixid = 5502

[[groups]]
name = "vpn"
unixid = 5503
# presumably pulls the members of group 5501 (superheros) into vpn as well;
# verify the nesting semantics before using it for access decisions
includegroups = [5501]

#################
# Enable and configure the optional REST API here.
[api]
enabled = true
# The API listener is bound to localhost only; keep it on loopback for as long
# as tls stays false.
tls = false # enable TLS for production!!
listen = "localhost:5555"
cert = "cert.pem"
key = "key.pem"