nathan/vctp2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed benchmark
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2026-04-20 16:24:48 +10:00
parent 8ccf5a7009
commit aa0d8099c7
5 changed files with 156 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+57
View File
@@ -251,6 +251,60 @@ Role policy:
- `admin`: mutating/admin APIs (for example `/api/snapshots/*` mutating endpoints, `/api/event/*`, `/api/import/vm`, `/api/encrypt`, `/api/vcenters/cache/rebuild`).
- `admin` implies `viewer` access.
### LDAP group configuration (`auth_group_role_mappings` and `ldap_groups`)
Use full LDAP group DNs for both settings (for example `CN=vctp-admins,OU=Groups,DC=example,DC=com`).
- `settings.auth_group_role_mappings` is required when `settings.auth_enabled: true`.
- Mapping values must be `viewer` or `admin`.
- A user must resolve to at least one mapped role to log in.
- `settings.ldap_groups` is optional and acts as an additional allowlist gate.
- If `settings.ldap_groups` is empty/omitted, allowlist checking is skipped, but mapped-role resolution is still required.
- DN comparisons are normalized (trimmed + case-insensitive), but using exact directory DNs is still recommended.
Example (common setup where viewer/admin groups are both mapped and allowlisted):
```yaml
settings:
auth_enabled: true
auth_mode: required
ldap_bind_address: ldaps://ad01.example.com:636
ldap_base_dn: DC=example,DC=com
auth_group_role_mappings:
"CN=vctp-viewers,OU=Groups,DC=example,DC=com": viewer
"CN=vctp-admins,OU=Groups,DC=example,DC=com": admin
ldap_groups:
- "CN=vctp-viewers,OU=Groups,DC=example,DC=com"
- "CN=vctp-admins,OU=Groups,DC=example,DC=com"
```
Example (`ldap_groups` omitted, only role mapping enforced):
```yaml
settings:
auth_enabled: true
auth_mode: required
auth_group_role_mappings:
"CN=vctp-viewers,OU=Groups,DC=example,DC=com": viewer
"CN=vctp-admins,OU=Groups,DC=example,DC=com": admin
```
Example (`ldap_groups` can be broader, but users still need at least one mapped role):
```yaml
settings:
auth_enabled: true
auth_mode: required
auth_group_role_mappings:
"CN=vctp-viewers,OU=Groups,DC=example,DC=com": viewer
"CN=vctp-admins,OU=Groups,DC=example,DC=com": admin
ldap_groups:
- "CN=vctp-viewers,OU=Groups,DC=example,DC=com"
- "CN=vctp-admins,OU=Groups,DC=example,DC=com"
- "CN=platform-operators,OU=Groups,DC=example,DC=com"
```
Tip: after a successful login, call `GET /api/auth/me` and inspect the returned `groups` claim to copy exact group DN values from your directory.
Public endpoints:
- UI pages (`/`, `/vcenters`, `/snapshots/*`, `/vm/trace`)
- Swagger UI/docs (`/swagger`, `/swagger/`, `/swagger.json`)
@@ -330,6 +384,9 @@ Authentication:
- `settings.auth_clock_skew_seconds`: allowed clock skew for token validation.
- `settings.auth_group_role_mappings`: map of LDAP group DN -> role (`viewer` or `admin`).
- `settings.ldap_groups`: optional allowlist of LDAP group DNs required for login.
- `settings.auth_group_role_mappings` must be non-empty when `settings.auth_enabled: true`.
- A user must belong to at least one mapped group to receive any role and log in.
- `settings.ldap_groups` empty/omitted means no allowlist filter, but mapped-role requirement still applies.
- `settings.ldap_bind_address`: LDAP/LDAPS URL used for authentication.
- `settings.ldap_base_dn`: LDAP base DN for user/group lookups.
- `settings.ldap_trust_cert_file`: optional CA cert file for LDAP TLS.