|
2 | 2 |
|
3 | 3 | This NodeJS/Express module can serve JSON-SCADA realtime data for the web-based interface.
|
4 | 4 |
|
5 |
| -It can also server the HTML files from the src/AdminUI/dist folder. |
| 5 | +It can also serve the HTML files from the src/AdminUI/dist folder. |
6 | 6 |
|
7 |
| -It is possible to access Grafana on "/grafana" path adjusting the _JS_GRAFANA_SERVER_ environment variable. |
| 7 | +It is possible to route access Grafana on "/grafana" path by adjusting the _JS_GRAFANA_SERVER_ environment variable. |
8 | 8 |
|
9 |
| -It is recommended to apply a reverse proxy (Nginx) on top of this service to serve securely to client on external networks. For best scalability static files should be served directly via Nginx or Apache, redirecting _/grafana_ to the Grafana server and _/Invoke_ to this Node.js service. |
| 9 | +It is recommended to apply a reverse proxy (Nginx) on top of this service to serve securely (https) to clients on external networks. For best scalability static files should be served directly via Nginx or Apache, and redirecting _/Invoke_ (API calls) to this service. |
| 10 | + |
| 11 | +This module also provides user authentication and role-based access control (RBAC) using JWT tokens and optional LDAP authentication. |
10 | 12 |
|
11 | 13 | ### Example Nginx config as a reverse proxy
|
12 | 14 |
|
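Review bot: new line 7 reads "It is possible to route access Grafana on "/grafana" path", which is ungrammatical, and new line 9 drops the instruction to redirect _/grafana_ to the Grafana server, so the README no longer says how Grafana is reached when Nginx fronts the service. Suggest wording line 7 as "Access to Grafana can be routed on the "/grafana" path by adjusting the _JS_GRAFANA_SERVER_ environment variable", and either restoring the _/grafana_ redirect in line 9 or stating how _/grafana_ is handled in that setup. In line 9, "and redirecting _/Invoke_" does not parse after "should be served"; "with _/Invoke_ (API calls) redirected to this service" would. Since line 11 says this module handles user authentication with JWT tokens and optional LDAP, line 9 could also say that credentials and tokens travel over this path, which is the reason for the https recommendation.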
@@ -304,16 +306,19 @@ To each user can be attributed a set of roles. Each right in each user role are
|
304 | 306 |
|
305 | 307 | #### LDAP Authentication Configuration
|
306 | 308 |
|
307 |
| -- _**JS_LDAP_ENABLED**_ [Boolean] - Use "TRUE" to enable LDAP authentication. **Default="false"**. |
| 309 | +LDAP can be configured by editing the file ./app/config/auth.config.js or by setting the following environment variables. The environment variables have precedence over the configuration file. |
| 310 | + |
| 311 | +- _**JS_LDAP_ENABLED**_ [Boolean] - Use "true" to enable LDAP authentication. **Default="false"**. |
308 | 312 | - _**JS_LDAP_URL**_ [String] - LDAP server URL. **E.g."ldap://localhost:389"**.
|
309 | 313 | - _**JS_LDAP_BIND_DN**_ [String] - LDAP bind DN. **E.g."cn=read-only-admin,dc=example,dc=com"**.
|
310 | 314 | - _**JS_LDAP_BIND_CREDENTIALS**_ [String] - LDAP bind password. **E.g."secret"**.
|
311 |
| -- _**JS_LDAP_SEARCH_BASE**_ [String] - LDAP search base. **E.g."dc=example,dc=com"**. |
312 |
| -- _**JS_LDAP_SEARCH_FILTER**_ [String] - LDAP search filter. **E.g."(uid={{username}})"**. |
313 |
| -- _**JS_LDAP_ATTRIBUTES_USERNAME**_ [String] - LDAP attribute for username. **E.g."uid"**. |
| 315 | +- _**JS_LDAP_SEARCH_BASE**_ [String] - LDAP search base for users. **E.g."dc=example,dc=com"**. |
| 316 | +- _**JS_LDAP_SEARCH_FILTER**_ [String] - LDAP search filter. **E.g."(uid={{username}})" or "(|(sAMAccountName={{username}})(cn={{username}}))"**. |
| 317 | +- _**JS_LDAP_ATTRIBUTES_USERNAME**_ [String] - LDAP attribute for username. **E.g."uid" or "sAMAccountName"**. |
314 | 318 | - _**JS_LDAP_ATTRIBUTES_EMAIL**_ [String] - LDAP attribute for email. **E.g."mail"**.
|
315 | 319 | - _**JS_LDAP_ATTRIBUTES_DISPLAYNAME**_ [String] - LDAP attribute for display name. **E.g."cn"**.
|
316 | 320 | - _**JS_LDAP_GROUP_SEARCH_BASE**_ [String] - LDAP group search base. **E.g."ou=JSON-SCADA,dc=ad,dc=gpfs,dc=net"**.
|
| 321 | +- _**JS_LDAP_GROUP_MAPPING**_ [String] - LDAP group mapping as a JSON object. **E.g.'{"ou=mathematicians,dc=example,dc=com":"admin","ou=scientists,dc=example,dc=com":"user"}'**. |
317 | 322 | - _**JS_LDAP_TLS_REJECT_UNAUTHORIZED**_ [Boolean] - LDAP TLS reject unauthorized. **Default="true"**.
|
318 | 323 | - _**JS_LDAP_TLS_CA**_ [String] - LDAP TLS CA file location. **E.g."/etc/ssl/certs/ca-certificates.crt"**.
|
319 | 324 | - _**JS_LDAP_TLS_CERT**_ [String] - LDAP TLS cert file location. **E.g."/etc/ssl/certs/client-cert.pem"**.
|
|
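Review bot: the new JS_LDAP_GROUP_MAPPING entry (line 321) does not say which role a user receives when none of their groups appears in the mapping, or when several do, and the resulting access rights depend on that. Suggest documenting both cases and stating that the values ("admin", "user") must be names of existing roles. The example keys are "ou=..." entries although the text calls them groups; an example keyed by a group DN under the JS_LDAP_GROUP_SEARCH_BASE shown on line 320 would be less confusing. Line 309 introduces ./app/config/auth.config.js as an alternative place for these settings, which would include the bind password from line 314; a sentence on restricting that file's permissions and keeping it out of version control would help. Line 311 changes "TRUE" to "true" without saying whether the value is case-sensitive.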