-
-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathhimmelblau.conf.example
151 lines (150 loc) · 6.98 KB
/
himmelblau.conf.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
[global]
# REQUIRED: The list of configured domains. This must be specified, or no users
# will be permitted to authenticate. The first user to authenticate to each
# domain will be the owner of the device object in the directory. Typically
# this would be the primary user of the device. Specify ONLY the primary domain
# for your tenant.
# domains =
#
### Optional global values
# Configure whether the logger will output debug messages to the journal.
# debug = false
#
# pam_allow_groups SHOULD be defined or else all users will be authorized by
# pam account. The option should be set to a comma seperated list of Users and
# Groups which are allowed access to the system. Groups MUST be specified by
# Object ID, not by UPN. This is because Azure does not permit regular users
# the right to read group names, only the Object IDs which they belong to.
# pam_allow_groups =
#
# Specify whether to map uid/gid based on the object name, the object uuid, or
# based on the rfc2307 schema extension attributes synchronized from an on-prem
# Active Directory instance. By object uuid mapping is the old default, but can
# cause authentication issues over SSH. Mapping by name or by rfc2307 is
# recommeneded.
# id_attr_map = name ; {name|uuid|rfc2307}
#
# Specify whether to map group IDs (GIDs) based on the object name or object UUID
# when no gidNumber attribute is found in an on-prem Active Directory instance
# synchronized to Azure Entra ID. This option is only used if id_attr_map is set
# to rfc2307. If not set, groups without a gidNumber will not be available to NSS.
# rfc2307_group_fallback_map = name ; {name|uuid}
#
# If you have an ODC provider (the default being odc.officeapps.live.com), specify
# the hostname for sending a federationProvider request. If the federationProvider
# request is successful, the tenant_id and authority_host options do not need to
# be specified.
# odc_provider = odc.officeapps.live.com
#
# Whether to enroll users in Hello authentication. If disabled, MFA may be
# required during each login. Disabling Hello authentication is recommeneded
# when the host is public facing (such as via SSH).
# WARNING: Hello authentication depends on openssl3. If your system does not
# provide openssl3, Hello MUST be disabled or authentication will fail.
# EL8 distros (such as Rocky Linux 8) DO NOT provide openssl3.
# enable_hello = true
#
# The minimum length of the Hello authentication PIN. This PIN length cannot
# be less than 6, and cannot exceed 32 characters. These are hard requirements
# for the encryption algorithm.
# hello_pin_min_length = 6
#
# Whether to permit attempting a SFA (password only) authentication when MFA
# methods are unavailable. Sometimes this is possible when MFA has yet to be
# configured. This is disabled by default.
# enable_sfa_fallback = false
#
# CN to UPN mapping allows users to simply enter the short form of their
# username (`dave` instead of `dave@example.com`). Himmelblau will only map CNs
# to the primary domain (the first domain listed in the `domains` option
# above). WARNING: CN mapping could mask local users, depending on your PAM
# configuration.
# cn_name_mapping = true
#
# A comma seperated list of local groups that every Entra Id user should be a
# member of. For example, you may wish for all Entra Id users to be a member
# of the sudo group. WARNING: This setting will not REMOVE group member entries
# when groups are removed from this list. You must remove them manually.
# local_groups =
#
# Logon user script. This script will execute every time a user logs on. Two
# environment variables are set: USERNAME, and ACCESS_TOKEN. The ACCESS_TOKEN
# environment variable is an access token for the MS graph. The token scope
# config option sets the comma separated scopes that should be requested for
# the ACCESS_TOKEN. ACCESS_TOKEN will be empty during offline logon. The return
# code of the script determines how the authentication proceeds. 0 is success,
# 1 is a soft failure and authentication will proceed, while 2 is a hard
# failure causing authentication to fail.
# logon_script =
# logon_token_scopes =
#
# This option enables the experimental MFA (multi-factor authentication) flow,
# which permits Hello authentication. Note that this flow may fail in certain
# edge cases. When disabled, the system will enforce the DAG (Device Authorization
# Grant) flow for MFA, and Hello authentication will be disabled.
# enable_experimental_mfa = true
#
# In some cases, mapping the UPN to the CN may be impractical. The following
# option executes the specified filename (any executable), which MUST accept
# a single argument representing a mapped name. The executable MUST print
# the corresponding UPN (User Principal Name) to stdout. If the name is not
# recognized, the script MUST return the input name unchanged. This option
# provides flexibility for environments requiring custom name transformations.
# name_mapping_script =
#
# Whether to apply Intune policies (experimental). This will not mark the device
# compliant in Entra Id, nor create an Intune managed device in the portal. It
# will only attempt to apply the policies assigned in Intune to the user. An
# app_id MUST be defined for this domain for policy application to succeed, and
# the "DeviceManagementConfiguration.Read.All" API permission MUST be granted.
# apply_policy = false ; {true|false}
#
# authority_host = login.microsoftonline.com
#
# The location of the cache database
# db_path = /var/cache/himmelblau/himmelblau.cache.db
#
# The location where the hsm pin will be stored
# hsm_pin_path = /var/lib/himmelblaud/hsm-pin
# socket_path = /var/run/himmelblaud/socket
# task_socket_path = /var/run/himmelblaud/task_sock
# broker_socket_path = /var/run/himmelblaud/broker_sock
# home_prefix = /home/
# home_attr = UUID ; home directory attribute options:
# ; UUID (default)
# ; SPN
# ; CN
# home_alias = SPN ; home directory alias options:
# ; UUID
# ; SPN (default)
# ; CN
# shell = /bin/bash ; default shell for the user
# idmap_range = 5000000-5999999
# connection_timeout = 2
# cache_timeout = 300
# use_etc_skel = false
# selinux = true
### Domain specific values
# Individual domain values may be overridden by specifying these values under
# a domain section. These options take precedent over global config options.
# For example:
#
# [example.com]
# odc_provider = odc.officeapps.live.com
# home_prefix = /home/
# home_attr = UUID
# home_alias = SPN
# shell = /bin/zsh
# idmap_range = 6000000-6999999
#
# Application ID used for requesting an ACCESS_TOKEN on behalf of the user.
# If not set, the domain’s app_id is used.
# logon_token_app_id = 544e695f-5d78-442e-b14e-e114e95e640c
#
# The `app_id` option specifies the Entra ID application ID that has the
# necessary permissions to obtain access tokens for the `logon_script`. This
# application SHOULD also include the `GroupMember.Read.All` permission,
# enabling Himmelblau to retrieve the `gidNumber` extended attribute.
#
# [example.com]
# app_id = d023f7aa-d214-4b59-911d-6074de623765