Leosac
0.8.0
Open Source Access Control
|
Documentation for a backend authentication module that stores its config in XML.
The module Auth-File is an authentication backend module. It listens to events generated by authentication source module (like Wiegand
). These events contains credentials. This module verify the credential and either grant or deny access. Granting or denying access means sending a message to the application. This module doesn't open a door or perform action on its own.
Options | Options | Description | Mandatory |
---|---|---|---|
instances | List of configured auth file instance | YES | |
—> | name | Configure of one particular led device | YES |
—> | auth_source | Which device (auth source) we listen to. Can appear multiple times. | YES |
—> | config_file | Path to the config file that holds permissions data | YES |
—> | target | Name of the target (door) that we are authenticating against | NO |
Notes:
target
is not present, the module assumes the default target, and will ignore target-specific permissions.config_file
path is relative to the working directory of Leosac.auth_source
device. The module instance will listen to all of them.target
field is prefixed by the instance name and a dot when checking for permission in the permission configuration file. This makes it easier to synchronize: you put all configuration in the permission file and simply sync everything, the name of the door will adapt based on the instance name. Assuming instance_name
being rpi-1
and target
being door1
the matching name in the permission file shall be rpi-1.door1
.If you made modification to the module's configuration file it is possible to request reloading of this config without having to restart Leosac. Sending SIGHUP
to the Leosac process will trigger an asynchronous reload of the configuration: during the time it takes to load the new configuration, the old configuration is still used.
Users are obviously a core component of an authentication module. The users will map to group, credentials, etc. Users can hold additional property, like their name, email address, or the status of their account (enabled
, or disabled
).
This section is about describing how to declare users. This takes place in the additional config file.
Options | Options | Options | Description | Mandatory |
---|---|---|---|---|
users | List of users we declare | YES | ||
—> | user | Declaration of one user | YES | |
—> | —> | name | Globally unique name to identify a user. | YES |
—> | —> | firstname | The firstname of the user. | NO |
—> | —> | lastname | The family name of the user | NO |
—> | —> | An email address for the user. | NO | |
—> | —> | validity_start | Date when the user starts becoming valid / enabled | NO |
—> | —> | validity_end | Date when the user becomes invalid / disabled | NO |
—> | —> | enabled | A boolean to fully enable or disable an account | NO (defaults to true ) |
The datetime format for validity_{start,end}
is this: d/m/Y H:M
(see man (3) strptime
).
A credentials maps to a user.
3 types of credentials are supported:
All credentials type share 4 optional properties that you can configure per credentials:
id
: The id of the credentials. Used when mapping credentials to schedules. This can be whatever you want, as long as it is unique.enabled
: Is the card active? If true, the credentials can be used, otherwise it will look like it doesn't exist.validity_start
: Optional date at which the credentials becomes active.validity_end
: Optional date at which the credentials stops being activeIt is possible to omit the id
field. It is necessary only if you plan to map credentials directly to schedules, instead of mapping user to schedules. The direct mapping of credentials to schedules can be used to create temporary cards with more privilege than the user usually have.
This credentials is simply a Wiegand card number. It is qualified through a string representing the card id, and an integer representing the number of meaningful bits in the card id.
Options | Options | Description | Mandatory |
---|---|---|---|
WiegandCard | Defines a WiegandCard credential | NO | |
—> | card_id | The id of the card, text string (aa:bb:cc:dd ) | YES |
—> | bits | Number of meaningful bits | YES |
This credentials is simply a PIN code. The number of character in the code is variable.
Options | Options | Description | Mandatory |
---|---|---|---|
PINCode | Defines a PINCode that will be a credentials | NO | |
—> | pin | The PIN code to be used. This is a string. | YES |
This is the combination of a PIN code a WiegandCard. This is currently the most complex credential type.
Options | Options | Description | Mandatory |
---|---|---|---|
WiegandCardPin | Defines a credentials composed of a card and a PIN code | NO | |
—> | pin | The PIN code to be used. This is a string. | YES |
—> | card_id | The id of the card, text string (aa:bb:cc:dd ) | YES |
—> | bits | Number of meaningful bits | YES |
Below an example for each of those credentials:
The module also supports groups. A user can be in multiple groups, and will collect permissions from all the groups he's a member of.
There is no definition of groups, they are lazily created when mapping users to them.
A <group_mapping>
block can be used to map user to groups.
Note: It is not possible to map credentials directly to group.
Schedules can be defined. They represents time-frame where access is granted. Schedules are then mapped to user or to group.
They can apply to any auth_target
(aka doors) or they can target specific doors only. This is configured when mapping a schedule, so that the same schedule can be better reused.
See below for an example of how to declare schedules.
Options | Options | Options | Options | Description | Mandatory |
---|---|---|---|---|---|
schedules | We declare our schedules here | YES | |||
—> | schedule | Description of on schedule entry | YES | ||
—> | —> | name | A unique name for a schedule | YES | |
—> | —> | "weekday" | A day of the week (monday , sunday , ...) | NO | |
—> | —> | —> | start | Start hour (format is hh:mm ) | NO |
—> | —> | —> | end | End hour (format is hh:mm ) | NO |
This is a simple example that declares one schedule, named my_schedule
. It would grants access anytime on monday, and wednesday from 11h to 13h and from 17h to 19h.
Schedules can, or rather must, be referenced by name. They can be mapped to either users
, groups
, or directly to credentials
.
Options | Options | Options | Description | Mandatory |
---|---|---|---|---|
schedules_mapping | Defines the mapping between schedule and user/group/we | YES | ||
—> | map | One mapping entry | YES | |
—> | —> | schedule | Which schedule are we mapping | YES |
—> | —> | user | To which user are we applying the schedule(s) | NO |
—> | —> | group | To which group are we applying the schedules(s) | NO |
—> | —> | credential | To which credential (identified by its id ) do we apply the schedule | NO |
—> | —> | door | Name of the auth target the mapping apply to | NO |
Note that schedule
, user
and group
can be used multiple times in the same mapping entry.
There is 2 mappings entry in the following example.
name_of_schedule
and name_of_another_schedule
and applies them to the user My_User
, A_Second_User
and to anyone who is a member of the group the_whole_group_has_the_schedule
.sysadmin_access_schedule
to the sysadmins
group when the authentication attempt target the sysadmin_room
. See the target
field in the module options.This is the module configuration in the main config file.
This is a possible content of the file designed by the config_field
config entry for the module ("file_auth.xml" based on the previous example).
Check the module object documentation.