euclide/openvpn-mgt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

improve permissions system

Browse Source
This commit is contained in:
Xavier Henner
2019-07-17 19:12:00 +02:00
parent 0d918b7540
commit e18aa583d0
5 changed files with 90 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
openvpn-dm-mgt-server.conf.example
View File

@@ -2,6 +2,26 @@ config
{
profiles:
{
###################################################################
### Security Model ###
### ###
### +---> CONTRACT ###
### | ###
### start-here +-------> DATACENTER ###
### | | ###
### +---> CORP ------------> DEV -----> ADMINS ###
### | ^ ###
### | | ###
### +--> IT-AND-SEC ---+ ###
### ###
### CORP/IT-AND-SEC have the same IPs but not the web perms ###
### ADMIN/DATACENTER have the same IPs but not the web perms ###
### ###
### attributes[0] must match validGroups ###
### attributes[1] is the login for the next security groups ###
### attributes[2] is used as a salt for mfa generation ###
### ###
###################################################################
CONTRACT:
{
servers: [ "dc-11.office.daily","dc-12.office.daily","dc-13.office.daily" ]
@@ -9,13 +29,12 @@ config
bindCn: "CN=VPN Service,OU=Services,OU=Dailymotion,DC=office,DC=daily",
bindPw: "********************",
searchFilter: "(&(sAMAccountName=%s))"
attributes: [ "memberOf", "mail" ]
attributes: [ "memberOf", "mail", "extensionAttribute8" ]
validGroups:
[
"CN=SEC_VPN_Users_External,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
]
mfa: "okta"
cert: "ignore"
mfa: "internal"
IPRange: "192.168.207.1 - 192.168.207.254",
routes:
[
@@ -38,15 +57,32 @@ config
bindCn: "CN=VPN Service,OU=Services,OU=Dailymotion,DC=office,DC=daily",
bindPw: "********************",
searchFilter: "(&(sAMAccountName=%s))"
attributes: [ "memberOf", "mail" ]
attributes: [ "memberOf", "mail", "extensionAttribute8" ]
validGroups:
[
"CN=SEC_VPN,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
]
mfa: "okta"
cert: "optionnal"
mfa: ""
IPRange: "192.168.201.1-192.168.203.254"
}
IT-AND-SEC:
{
servers: [ "dc-11.office.daily","dc-12.office.daily","dc-13.office.daily" ]
baseDN: "OU=Dailymotion,DC=office,DC=daily",
bindCn: "CN=VPN Service,OU=Services,OU=Dailymotion,DC=office,DC=daily",
bindPw: "********************",
searchFilter: "(&(mail=%s))"
attributes: [ "memberOf", "mail", "extensionAttribute8" ]
upgradeFrom: [ "CORP" ]
validGroups:
[
"CN=IT-Office,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
"CN=Security,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
]
mfa: ""
IPRange: "192.168.201.1-192.168.203.254"
}
DEV:
{
servers: [ "ldap-auth.vip.dailymotion.com" ]
@@ -55,9 +91,8 @@ config
bindPw: "**********"
searchFilter: "(&(mail=%s))"
attributes: [ "description", "sshPublicKey" ]
upgradeFrom: "CORP"
upgradeFrom: [ "CORP", "IT-AND-SEC" ]
mfa: ""
cert: "optionnal"
IPRange: "192.168.204.1-192.168.206.254"
}
ADMINS:
@@ -66,11 +101,19 @@ config
[
"infra",
"net",
]
upgradeFrom: [ "DEV" ]
mfa: "internal"
IPRange: "192.168.200.2-192.168.200.254"
}
DATACENTER:
{
validGroups:
[
"datacenter",
]
upgradeFrom: "DEV"
upgradeFrom: [ "DEV" ]
mfa: "internal"
cert: "mandatory"
IPRange: "192.168.200.2-192.168.200.254"
}
}
@@ -82,9 +125,8 @@ config
key: "/etc/ssl/private/server-key.pem"
cert: "/etc/ssl/certs/server-bundle.pem"
startAuth: "CORP"
reqAuth: "ADMINS"
reqAuth: [ "ADMINS", "IP-AND-SEC" ]
}
cacheDir: "/var/run/openvpn/"
authCa: "/usr/local/share/ca-certificates/Dailymotion.crt"
masterSecrets: [ "********************************" ]