crypto_RSA_OAEP: encrypt/decrypt strings with asymmetric RSA keys, using PKCS#1 OAEP, an asymmetric cipher based on RSA and the OAEP padding
ldapPasswordHash: generate LDAP hashes of specified formats from a clear text password string
This plugin allows to encrypt/decrypt strings with asymmetric RSA keys, using PKCS#1 OAEP, an asymmetric cipher based on RSA and the OAEP padding.
You can set up as many keys as you want in plugin settings. A key can be used to either encrypt or decrypt, but not both. The plugin will determine if it’s an encryption or a decryption operation upon the key type: decryption for private keys, and encryption for public keys.
hermes:
plugins:
attributes:
crypto_RSA_OAEP:
settings:
keys:
# Key name, you can set whatever you want
encrypt_to_messagebus:
# Hash type, when decrypting, you must obviously use the same value
# that was used for encrypting
hash: SHA3_512
# Public RSA key used to encrypt
# WARNING - THIS KEY IS WEAK AND PUBLIC, NEVER USE IT
rsa_key: |-
-----BEGIN PUBLIC KEY-----
MCgCIQCy2W1bAPOa1JIeLuV8qq1Qg7h0jxpf8QCik11H9xZcfwIDAQAB
-----END PUBLIC KEY-----
# Another key
decrypt_from_messagebus:
hash: SHA3_512
# Private RSA key used to decrypt
# WARNING - THIS KEY IS WEAK AND PUBLIC, NEVER USE IT
rsa_key: |-
-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEAstltWwDzmtSSHi7lfKqtUIO4dI8aX/EAopNdR/cWXH8CAwEAAQIh
AKfflFjGNOJQwvJX3Io+/juxO+HFd7SRC++zBD9paZqZAhEA5OtjZQUapRrV/aC5
NXFsswIRAMgBtgpz+t0FxyEXdzlcTwUCEHU6WZ8M2xU7xePpH49Ps2MCEQC+78s+
/WvfNtXcRI+gJfyVAhAjcIWzHC5q4wzgL7psbPGy
-----END RSA PRIVATE KEY----- Valid values for hash are:
crypto_RSA_OAEP(value: bytes | str, keyname: str) → strOnce everything is set up, you can encrypt data with encrypt_to_messagebus key like this in a Jinja filter:
password_encrypted: "{{ PASSWORD_CLEAR | crypto_RSA_OAEP('encrypt_to_messagebus') }}"
password_decrypted: "{{ PASSWORD_ENCRYPTED | crypto_RSA_OAEP('decrypt_from_messagebus') }}"You can even decrypt and immediately re-encrypt data with another key like this:
password_reencrypted: "{{ PASSWORD_ENCRYPTED | crypto_RSA_OAEP('decrypt_from_datasource') | crypto_RSA_OAEP('encrypt_to_messagebus') }}"This plugin allows to generate LDAP hashes of specified formats from a clear text password string.
You can set up a facultative list of default hash types in plugin settings. This list will be used if hashtypes are not specified in filter arguments, otherwise the specified hashtypes will be used.
hermes:
plugins:
attributes:
ldapPasswordHash:
settings:
default_hash_types:
- SMD5
- SSHA
- SSHA256
- SSHA512Valid values for default_hash_types are:
ldapPasswordHash(password: str, hashtypes: None | str | list[str] = None) → list[str]Once everything is set up, you can generate your hash list like this in a Jinja filter:
# Will contain a list of hashes of PASSWORD_CLEAR according to
# default_hash_types settings: SMD5, SSHA, SSHA256, SSHA512
ldap_password_hashes: "{{ PASSWORD_CLEAR | ldapPasswordHash }}"
# Will contain a list with only the SSHA512 hashes of PASSWORD_CLEAR
ldap_password_hashes: "{{ PASSWORD_CLEAR | ldapPasswordHash('SSHA512') }}"
# Will contain a list with only the SSHA256 and SSHA512 hashes of PASSWORD_CLEAR
ldap_password_hashes: "{{ PASSWORD_CLEAR | ldapPasswordHash(['SSHA256', 'SSHA512']) }}"ldap: use a LDAP server as datasource
oracle: use an Oracle database as datasource
postgresql: use a PostgreSQL database as datasource
sqlite: use a SQLite database as datasource (testing only)
This plugin allows the use of an LDAP server as datasource.
Connection settings are required in plugin configuration.
hermes:
plugins:
datasources:
# Source name. Use whatever you want. Will be used in datamodel
your_source_name:
type: ldap
settings:
# MANDATORY: LDAP server URI
uri: ldaps://ldap.example.com:636
# MANDATORY: LDAP server credentials to use
binddn: cn=account,dc=example,dc=com
bindpassword: s3cReT_p4s5w0rD
# MANDATORY: LDAP base DN
basedn: dc=example,dc=com
ssl: # Facultative
# Path to PEM file with CA certs
cafile: /path/to/INTERNAL-CA-chain.crt # Facultative
# Path to file with PEM encoded cert for client cert authentication,
# requires keyfile
certfile: /path/to/client.crt # Facultative
# Path to file with PEM encoded key for client cert authentication,
# requires certfile
keyfile: /path/to/client.pem # Facultative
# Facultative. Default: false.
# Since the client is not aware of the LDAP schema, it cannot know whether
# an attribute is single-valued or multi-valued. By default, it will
# return a single value in its base type, as if it were a single-valued
# attribute, and multiple values in a list.
# If this setting is enabled, all values will always be returned in a list.
always_return_values_in_list: trueUsage differs according to specified operation type
Fetch entries from LDAP server.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: fetch
vars:
# Facultative: the basedn to use for 'fetch' operation.
# If unset, setting basedn will be used
base: "ou=exampleOU,dc=example,dc=com"
# Facultative: the operation scope for 'fetch' operation
# Valid values are:
# - base: to search the "base" object itself
# - one, onelevel: to search the "base" object’s immediate children
# - sub, subtree: to search the "base" object and all its descendants
# If unset, "subtree" will be used
scope: subtree
# Facultative: the LDAP filter to use for 'fetch' operation
# If unset, "(objectClass=*)" will be used
filter: "(objectClass=*)"
# Facultative: the attributes to fetch, as a list of strings
# If unset, all the attributes of each entry are returned
attrlist: "{{ REMOTE_ATTRIBUTES }}"Add entries to LDAP server.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: add
vars:
# Facultative: a list of entries to add.
# If unset, an empty list will be used (and nothing will be added)
addlist:
# MANDATORY: the DN of the entry. If not specified, the entry will
# be silently ignored
- dn: uid=newentry1,ou=exampleOU,dc=example,dc=com
# Facultative: the attributes to add to the entry
add:
# Create attribute if it doesn't exist, and add "value" to it
"attrnameToAdd": "value",
# Create attribute if it doesn't exist, and add "value1" and
# "value2" to it
"attrnameToAddList": ["value1", "value2"],
- dn: uid=newentry2,ou=exampleOU,dc=example,dc=com
# ...Delete entries from LDAP server.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: delete
vars:
# Facultative: a list of entries to delete.
# If unset, an empty list will be used (and nothing will be deleted)
dellist:
# MANDATORY: the DN of the entry. If not specified, the entry will
# be silently ignored
- dn: uid=entryToDelete1,ou=exampleOU,dc=example,dc=com
- dn: uid=entryToDelete2,ou=exampleOU,dc=example,dc=com
# ...Modify entries on LDAP server.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: modify
vars:
# Facultative: a list of entries to modify.
# If unset, an empty list will be used (and nothing will be modified)
modlist:
# MANDATORY: the DN of the entry. If not specified, the entry will
# be silently ignored
- dn: uid=entryToModify1,ou=exampleOU,dc=example,dc=com
# Facultative: the attributes to add to the entry
add:
# Create attribute if it doesn't exist, and add "value" to it
attrnameToAdd: value
# Create attribute if it doesn't exist, and add "value1" and
# "value2" to it
attrnameToAddList: [value1, value2]
# Facultative: the attributes to modify in the entry
modify:
# Create attribute if it doesn't exist, and replace all its
# value by "value"
attrnameToModify: newvalue
# Create attribute if it doesn't exist, and replace all its
# value by "newvalue1" and "newvalue2"
attrnameToModifyList: [newvalue1, newvalue2]
# Facultative: the attributes to delete from the entry
delete:
# Delete specified attribute and all of its values
attrnameToDelete: null
# Delete "value" from specified attribute. Raise an error if
# value is missing
attrnameToDeleteValue: value
# Delete "value1" and "value2" from specified attribute. Raise
# an error if a value is missing
attrnameToDeleteValueList: [value1, value2]
- dn: uid=entryToModify2,ou=exampleOU,dc=example,dc=com
# ...This plugin allows using an Oracle database as datasource.
Connection settings are required in plugin configuration.
hermes:
plugins:
datasources:
# Source name. Use whatever you want. Will be used in datamodel
your_source_name:
type: oracle
settings:
# MANDATORY: the database server DNS name or IP address
server: dummy.example.com
# MANDATORY: the database connection port
port: 1234
# MANDATORY: the database service name. Cannot be set if 'sid' is set
service_name: DUMMY.example.com
# MANDATORY: the database SID. Cannot be set if 'service_name' is set
sid: DUMMY
# MANDATORY: the database credentials to use
login: HERMES_DUMMY
password: "DuMmY_p4s5w0rD"Specify a query. If you’d like to provide values from cache, you should provide them in a vars dict, and refer to them by specifying the column-prefixed : var key name in the query: this will automatically sanitize the query.
The example vars names are prefixed with sanitized_ only for clarity, it’s not a requirement.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: fetch
query: >-
SELECT {{ REMOTE_ATTRIBUTES | join(', ') }}
FROM AN_ORACLE_TABLE
commit_one:
type: modify
query: >-
UPDATE AN_ORACLE_TABLE
SET
valueToSet = :sanitized_valueToSet
WHERE pkey = :sanitized_pkey
vars:
sanitized_pkey: "{{ ITEM_FETCHED_VALUES.pkey }}"
sanitized_valueToSet: "{{ ITEM_FETCHED_VALUES.valueToSet }}"This plugin allows using a PostgreSQL database as datasource.
Connection settings are required in plugin configuration.
hermes:
plugins:
datasources:
# Source name. Use whatever you want. Will be used in datamodel
your_source_name:
type: postgresql
settings:
# MANDATORY: the database server DNS name or IP address
server: dummy.example.com
# MANDATORY: the database connection port
port: 1234
# MANDATORY: the database name
dbname: DUMMY
# MANDATORY: the database credentials to use
login: HERMES_DUMMY
password: "DuMmY_p4s5w0rD"Specify a query. If you’d like to provide values from cache, you should provide them in a vars dict, and refer to them by specifying the var key name encased in %()s in the query: this will automatically sanitize the query. See example below.
The example vars names are prefixed with sanitized_ only for clarity, it’s not a requirement.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: fetch
query: >-
SELECT {{ REMOTE_ATTRIBUTES | join(', ') }}
FROM A_POSTGRESQL_TABLE
commit_one:
type: modify
query: >-
UPDATE A_POSTGRESQL_TABLE
SET
valueToSet = %(sanitized_valueToSet)s
WHERE pkey = %(sanitized_pkey)s
vars:
sanitized_pkey: "{{ ITEM_FETCHED_VALUES.pkey }}"
sanitized_valueToSet: "{{ ITEM_FETCHED_VALUES.valueToSet }}"This plugin allows using an SQLite database as datasource.
Connection settings are required in plugin configuration.
hermes:
plugins:
datasources:
# Source name. Use whatever you want. Will be used in datamodel
your_source_name:
type: sqlite
settings:
# MANDATORY: the database file path
uri: /path/to/sqlite.dbSpecify a query. If you’d like to provide values from cache, you should provide them in a vars dict, and refer to them by specifying the column-prefixed : var key name in the query: this will automatically sanitize the query.
The example vars names are prefixed with sanitized_ only for clarity, it’s not a requirement.
hermes-server:
datamodel:
oneDataType:
sources:
your_source_name: # 'your_source_name' was set in plugin settings
fetch:
type: fetch
query: >-
SELECT {{ REMOTE_ATTRIBUTES | join(', ') }}
FROM AN_SQLITE_TABLE
commit_one:
type: modify
query: >-
UPDATE AN_SQLITE_TABLE
SET
valueToSet = :sanitized_valueToSet
WHERE pkey = :sanitized_pkey
vars:
sanitized_pkey: "{{ ITEM_FETCHED_VALUES.pkey }}"
sanitized_valueToSet: "{{ ITEM_FETCHED_VALUES.valueToSet }}"This plugin allows hermes-server to send produced events over an Apache Kafka server.
It is possible to connect to Kafka server without authentication, or with SSL (TLS) authentication.
hermes:
plugins:
messagebus:
kafka:
settings:
# MANDATORY: the Kafka server or servers list that can be used
servers:
- dummy.example.com:9093
# Facultative: which Kafka API version to use. If unset, the
# api version will be detected at startup and reported in the logs.
# Don't set this directive unless you encounter some
# "kafka.errors.NoBrokersAvailable: NoBrokersAvailable" errors raised
# by a "self.check_version()" call.
api_version: [2, 6, 0]
# Facultative: Hard limit on the size of a message sent to Kafka.
# You should set a higher value if your Kafka messages are likely to
# exceed the default of 1MB or if you encountered the error
# "MessageSizeTooLargeError: The message is xxx bytes when
# serialized which is larger than the maximum request size you
# have configured with the max_request_size configuration".
# Default: 1048576.
max_request_size: 1048576
# Facultative: enables SSL authentication. If set, the 3 options below
# must be defined
ssl:
# MANDATORY: hermes-server cert file that will be used for
# authentication
certfile: /path/to/.hermes/dummy.crt
# MANDATORY: hermes-server cert file private key
keyfile: /path/to/.hermes/dummy.pem
# MANDATORY: The PKI CA cert
cafile: /path/to/.hermes/INTERNAL-CA-chain.crt
# MANDATORY: the topic to send events to
topic: hermesThis plugin allows hermes-server to send produced events over an SQLite database.
To emulate the behavior of other message buses that delete messages once some conditions are met, retention_in_days can be set. It will delete messages older than the specified number of days.
hermes:
plugins:
messagebus:
sqlite:
settings:
# MANDATORY:
uri: /path/to/.hermes/bus.sqlite
retention_in_days: 1The client plugins are grouped by categories serving the same goal over several target types. There is currently only one plugin category:
Manage users, groups, userpasswords and groups membership.
Available clients are:
pypsrp.Groups, containing the e-mail addresses of its members (one by line).This client will handle Users, Groups and UserPasswords events, and store data into an Active Directory through Powershell commands across pypsrp.
The settings list standardAttributes contains available cmdlet parameters used for Users (New-ADUser / Set-ADUser) and Groups (New-ADGroup / Set-ADGroup).
The settings list otherAttributes may contains available LDAP display name (ldapDisplayName) attributes to manage those that are not represented by cmdlet parameters for Users and Groups.
The local Datamodel keys MUST exist in standardAttributes or otherAttributes, and will be used as cmdlet parameters with associated values, allowing to handle every AD attributes.
The GroupsMembers will only associate a User with a Group.
The SubGroupsMembers will only associate a Group with a Group, allowing to handle nested groups.
To avoid security issues and corner cases with trashbin, a complex random password is set when user is created. This unknown password will be overwritten by the next UserPassword event of the User. This avoids having an enabled account with no password.
The trashbin will only disable the account.
hermes-client-usersgroups_adpypsrp:
WinRM: # For options details, you may look at https://pypi.org/project/pypsrp/ - "Connection"
# MANDATORY: AD server URI and port
host: radon1.in.insa-strasbourg.fr
port: 5986
# MANDATORY: AD server credentials
login: administrator
password: "s3cReT_p4s5w0rD"
# Default: true
ssl: true
# Default: true
ssl_cert_validation: false
# Default: true
credssp_disable_tlsv1_2: true
# Default: "auto". Valid values are [auto, always, never]
encryption: always
# Default: "wsman"
path: "wsman"
# Default: "negotiate". Valid values are [basic, certificate, negotiate, ntlm, kerberos, credssp]
auth: kerberos
# Default: "WSMAN". Override the service part of the calculated SPN used when authenticating the server.
# This is only valid if negotiate auth negotiated Kerberos or kerberos was explicitly set.
# If you obtain an error "Server not found in Kerberos database", you may try to set HTTP here.
negotiate_service: WSMAN
AD_domain:
# MANDATORY: AD domain name and DN
name: in.insa-strasbourg.fr
dn: DC=in,DC=insa-strasbourg,DC=fr
# MANDATORY: OUs where Users and Groups will be stored
users_ou: OU=INSA,OU=People,DC=in,DC=insa-strasbourg,DC=fr
groups_ou: OU=INSA,OU=Groups,DC=in,DC=insa-strasbourg,DC=fr
# Optional, allows to force each user to be added to the specified group list.
# Group membership is only added when the user is created: any change to this parameter's value
# will only impact users created subsequently
Users_mandatory_groups:
- MandatoryGroup1
- MandatoryGroup2
# Defines cmdlet parameters that can be set, and the valid type of the associated value
# You really should set it as is.
standardAttributes:
Users:
AccountExpirationDate: "<DateTime>"
AccountNotDelegated: "<Boolean>"
AllowReversiblePasswordEncryption: "<Boolean>"
AuthenticationPolicy: "<ADAuthenticationPolicy>"
AuthenticationPolicySilo: "<ADAuthenticationPolicySilo>"
AuthType: "<ADAuthType>"
CannotChangePassword: "<Boolean>"
ChangePasswordAtLogon: "<Boolean>"
City: "<String>"
Company: "<String>"
CompoundIdentitySupported: "<Boolean>"
Country: "<String>"
# Credential: "<PSCredential>" # Useless: Specifies the user account credentials to use to perform this task
Department: "<String>"
Description: "<String>"
DisplayName: "<String>"
Division: "<String>"
EmailAddress: "<String>"
EmployeeID: "<String>"
EmployeeNumber: "<String>"
Enabled: "<Boolean>"
Fax: "<String>"
GivenName: "<String>"
HomeDirectory: "<String>"
HomeDrive: "<String>"
HomePage: "<String>"
HomePhone: "<String>"
KerberosEncryptionType: "<ADKerberosEncryptionType>"
LogonWorkstations: "<String>"
Manager: "<ADUser>"
MobilePhone: "<String>"
Office: "<String>"
OfficePhone: "<String>"
Organization: "<String>"
OtherName: "<String>"
PasswordNeverExpires: "<Boolean>"
PasswordNotRequired: "<Boolean>"
POBox: "<String>"
PostalCode: "<String>"
# PrincipalsAllowedToDelegateToAccount: "<ADPrincipal[]>" # Won't be set
ProfilePath: "<String>"
SamAccountName: "<String>"
ScriptPath: "<String>"
# Server: "<String>" # Useless: Specifies the Active Directory Domain Services instance to connect to
SmartcardLogonRequired: "<Boolean>"
State: "<String>"
StreetAddress: "<String>"
Surname: "<String>"
Title: "<String>"
# TrustedForDelegation: "<Boolean>" # Won't be set
UserPrincipalName: "<String>"
Groups:
AuthType: "<ADAuthType>"
# Credential: "<PSCredential>" # Useless: Specifies the user account credentials to use to perform this task
Description: "<String>"
DisplayName: "<String>"
GroupCategory: "<ADGroupCategory>"
GroupScope: "<ADGroupScope>"
HomePage: "<String>"
ManagedBy: "<ADPrincipal>"
SamAccountName: "<String>"
# Server: "<String>" # Useless: Specifies the Active Directory Domain Services instance to connect to
# Defines LDAP display name (ldapDisplayName) to handle, that are not handled with standardAttributes.
# You can set your desired values. The values below are just here for example.
otherAttributes:
Users:
otherMobile: "<String[]>"
otherTelephone: "<String[]>"
url: "<String[]>"
# Optional random password generation settings. Default: values specified below
# Random password is generated to initialize a user whose password is not yet available,
# or when the user password is removed but the user still exists
random_passwords:
# Password length
length: 32
# If true, the generated password may contains some upper case letters
with_upper_letters: true
# The generated password will contain at least this number of upper case letters
minimum_number_of_upper_letters: 1
# If true, the generated password may contains some lower case letters
with_lower_letters: true
# The generated password will contain at least this number of lower case letters
minimum_number_of_lower_letters: 1
# If true, the generated password may contains some numbers
with_numbers: true
# The generated password will contain at least this number of numbers
minimum_number_of_numbers: 1
# If true, the generated password may contains some special chars
with_special_chars: true
# The generated password will contain at least this number of special chars
minimum_number_of_special_chars: 1
# If true, the generated password won't contains the chars specified in 'ambigous_chars_dictionary'
avoid_ambigous_chars: false
# The dictionary of ambigous chars (case sensitive) that may be forbidden in password, even if some are present in other dictionnaries
ambigous_chars_dictionary: "lIO01"
# The dictionary of letters (case unsensitive) allowed in password
letters_dictionary: "abcdefghijklmnopqrstuvwxyz"
# The dictionary of special chars allowed in password
special_chars_dictionary: "!@#$%^&*"The following data types may be set up:
Users: requires the attribute SamAccountName to be setUserPasswords: obviously requires Users, and requires the attribute user_pkey corresponding to the primary keys of Users, and the attribute password. All other attributes will be ignoredGroups: requires the attribute SamAccountName to be setGroupsMembers: obviously requires Users and Groups, and requires the attributes user_pkey and group_pkey corresponding to the primary keys of Users and Groups. All other attributes will be ignoredSubGroupsMembers: obviously requires Groups, and requires that the subgroup_pkey and group_pkey attributes match the primary key of the subgroup to be assigned, and that of the assignment group, respectively. All other attributes will be ignored datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
user_pkey: user_primary_key_on_server
SamAccountName: login_on_server
UserPrincipalName: "{{ login_on_server ~ '@YOU.AD.DOMAIN.TLD' }}"
# Not mandatory, only for example:
MobilePhone: "{{ (mobile | default([None]))[0] }}" # <String>
otherMobile: "{{ (mobile | default([]))[1:] }}" # <String[]>
# ...
UserPasswords:
hermesType: your_server_UserPasswords_type_name
attrsmapping:
user_pkey: user_primary_key_on_server
password: cleartext_password_on_server
# ...
Groups:
hermesType: your_server_Groups_type_name
attrsmapping:
group_pkey: group_primary_key_on_server
SamAccountName: group_name_on_server
# ...
GroupsMembers:
hermesType: your_server_GroupsMembers_type_name
attrsmapping:
user_pkey: user_primary_key_on_server
group_pkey: group_primary_key_on_server
# ...
SubGroupsMembers:
hermesType: your_server_SubGroupsMembers_type_name
attrsmapping:
subgroup_pkey: subgroup_primary_key_on_server
group_pkey: group_primary_key_on_server
# ...This client will handle Users, UserPasswords, Groups, GroupsMembers, GroupsSenders and Ressources events, and store data into the PARTAGE dashboard through its API, handled by libPythonBssApi.
To avoid security issues, if no hash is available at user creation, a complex random password will be set. This unknown password will be changed when a userPassword attribute will be set to the User or to the UserPassword. This avoids having an enabled account with no password.
The trashbin will only disable the account.
You have to configure an authentication mapping containing all domains managed by this client as keys, and their API key as values.
hermes-client-usersgroups_bsspartage:
authentication:
example.com: "Secret_API_key_of_example.com"
subdomain.example.com: "Secret_API_key_of_subdomain.example.com"
# When an attribute has no more value, the default behavior is to keep its latest value in place.
# This setting allow to override this behaviour for the specified attributes, with the replacement values.
# Please note that it is forbidden to set Users.userPassword, as the default behavior is to generate a new random password.
# It is also forbidden to set null values, as this reverts to the default behavior. In this case, simply remove the affected attribute from this list.
#
# The values set below are the default values used if default_removed_values is not set
default_removed_values:
Users:
co: ""
company: ""
description: ""
displayName: ""
facsimileTelephoneNumber: ""
givenName: ""
homePhone: ""
initials: ""
l: ""
mobile: ""
name: ""
pager: ""
postalCode: ""
st: ""
street: ""
telephoneNumber: ""
title: ""
zimbraNotes: ""
zimbraPrefMailForwardingAddress: ""
zimbraMailCanonicalAddress: ""
zimbraPrefFromDisplay: ""
zimbraMailQuota: 0
Groups:
# Values should be set to empty strings, but a bug in API is ignoring them.
# This bug has been notified to PARTAGE's team.
description: "-"
displayName: "-"
zimbraNotes: "-"
Resources:
co: ""
description: ""
l: ""
postalCode: ""
st: ""
street: ""
zimbraCalResBuilding: ""
zimbraCalResContactEmail: ""
zimbraCalResContactName: ""
zimbraCalResContactPhone: ""
zimbraCalResFloor: ""
zimbraCalResLocationDisplayName: ""
zimbraCalResRoom: ""
zimbraCalResSite: ""
zimbraNotes: ""
zimbraCalResCapacity: "-1"
# Optional random password generation settings. Default: values specified below
# Random password is generated to initialize a user whose password is not yet available
random_passwords:
# Password length
length: 32
# If true, the generated password may contains some upper case letters
with_upper_letters: true
# The generated password will contain at least this number of upper case letters
minimum_number_of_upper_letters: 1
# If true, the generated password may contains some lower case letters
with_lower_letters: true
# The generated password will contain at least this number of lower case letters
minimum_number_of_lower_letters: 1
# If true, the generated password may contains some numbers
with_numbers: true
# The generated password will contain at least this number of numbers
minimum_number_of_numbers: 1
# If true, the generated password may contains some special chars
with_special_chars: true
# The generated password will contain at least this number of special chars
minimum_number_of_special_chars: 1
# If true, the generated password won't contains the chars specified in 'ambigous_chars_dictionary'
avoid_ambigous_chars: false
# The dictionary of ambigous chars (case sensitive) that may be forbidden in password, even if some are present in other dictionnaries
ambigous_chars_dictionary: "lIO01"
# The dictionary of letters (case unsensitive) allowed in password
letters_dictionary: "abcdefghijklmnopqrstuvwxyz"
# The dictionary of special chars allowed in password
special_chars_dictionary: "!@#$%^&*"The following data types may be set up:
Users: for users accounts. Requires the attribute name and sn to be set, a facultative aliases attribute may bet set, and the others are attributes as defined and used by libPythonBssApi and are facultative.
Note that zimbraAllowFromAddress, zimbraFeatureContactsEnabled and zimbraMailForwardingAddress attributes are not supported by libPythonBssApi.UserPasswords: obviously require Users, and requires that its primary keys are corresponding to the primary keys of Users, and requires the attribute userPassword that have to contain a valid LDAP hash. All other attributes will be ignored. As the userPassword attribute can also be managed by Users, you have to choose: either you manage it by Users, or by UserPasswords, but in no case should you use both at the same time for obvious reasons.Groups: for groups and distribution lists. Requires the attribute name and zimbraMailStatus to be set, a facultative aliases attribute may bet set, and the others are attributes as defined and used by libPythonBssApi and are facultative.GroupsMembers: to add users as group members. Obviously require Users and Groups, and requires the attributes user_pkey and group_pkey corresponding to the primary keys of Users and Groups. All other attributes will be ignored.GroupsSenders: to add users as group senders. Obviously require Users and Groups, and requires the attributes user_pkey and group_pkey corresponding to the primary keys of Users and Groups. All other attributes will be ignored.Resources: for resources. Requires the attribute name, zimbraCalResType and displayName to be set, and the others are attributes as defined and used by libPythonBssApi and are facultative.If you’re setting the Users.zimbraCOSId, you should avoid setting COS-managed attributes in your datamodel, as overriding the COS default value may lead to unexpected behaviours.
Since the API does not allow renaming Groups and Resources, this operation is done by deleting the old instance and recreating the new one in the process. However, this can cause loss of links and information (e.g. resource calendars), and it is probably best to avoid these renames.
To handle Users.zimbraCOSId, it is likely that your data source provides a name rather than the COSId. It is possible to declare a mapping table in Jinja directly in your configuration:
datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
# ...
zimbraCOSId: >-
{{
{
'name_of_cos1': '11111111-1111-1111-1111-111111111111',
'name_of_cos2': '22222222-2222-2222-2222-222222222222',
'name_of_cos3': '33333333-3333-3333-3333-333333333333',
}[zimbraCOSName_value_from_server | default('name_of_cos1') | lower]
| default('11111111-1111-1111-1111-111111111111')
}}
# ... datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
# User primary email address <Valid email address>
name: name_value_from_server
# User last name <String>
sn: sn_value_from_server
# List of aliases for this user <String[]>
aliases: aliases_value_from_server
# User EPPN number <String>
carLicense: carLicense_value_from_server
# Country name <String>
co: co_value_from_server
# Company or institution name <String>
company: company_value_from_server
# Account description <String>
description: description_value_from_server
# Name displayed in emails <String>
displayName: displayName_value_from_server
# User fax <String>
facsimileTelephoneNumber: facsimileTelephoneNumber_value_from_server
# User first name <String>
givenName: givenName_value_from_server
# User home phone <String>
homePhone: homePhone_value_from_server
# Initial (Mr. or Mrs.) <String>
initials: initials_value_from_server
# User city <String>
l: l_value_from_server
# User mobile number <String>
mobile: mobile_value_from_server
# User shortcut number <String>
pager: pager_value_from_server
# Postal code <String>
postalCode: postalCode_value_from_server
# User state <String>
st: st_value_from_server
# User street <String>
street: street_value_from_server
# User phone <String>
telephoneNumber: telephoneNumber_value_from_server
# User title <String>
title: title_value_from_server
# Password hash <String>
userPassword: userPassword_value_from_server
# Account status (default active) <String(active, closed, locked)>
zimbraAccountStatus: zimbraAccountStatus_value_from_server
# Class of service Id <String>
zimbraCOSId: zimbraCOSId_value_from_server
# Briefcase tab <String (TRUE, FALSE)>
zimbraFeatureBriefcasesEnabled: zimbraFeatureBriefcasesEnabled_value_from_server
# Calendar tab <String (TRUE, FALSE)>
zimbraFeatureCalendarEnabled: zimbraFeatureCalendarEnabled_value_from_server
# Mail tab <String (TRUE, FALSE)>
zimbraFeatureMailEnabled: zimbraFeatureMailEnabled_value_from_server
# Allow user to specify forward address <String (TRUE, FALSE)>
zimbraFeatureMailForwardingEnabled: zimbraFeatureMailForwardingEnabled_value_from_server
# Options tab <String (TRUE, FALSE)>
zimbraFeatureOptionsEnabled: zimbraFeatureOptionsEnabled_value_from_server
# Tasks tab <String (TRUE, FALSE)>
zimbraFeatureTasksEnabled: zimbraFeatureTasksEnabled_value_from_server
# Hide in GAL <String (TRUE, FALSE)>
zimbraHideInGal: zimbraHideInGal_value_from_server
# 0=unlimited <Integer (bytes)>
zimbraMailQuota: zimbraMailQuota_value_from_server
# Free notes <String>
zimbraNotes: zimbraNotes_value_from_server
# Must change password at next login <String (TRUE, FALSE)>
zimbraPasswordMustChange: zimbraPasswordMustChange_value_from_server
# Forward address entered by user <Valid email address>
zimbraPrefMailForwardingAddress: zimbraPrefMailForwardingAddress_value_from_server
# Do not keep a copy of mails on the local client <String (TRUE, FALSE)>
zimbraPrefMailLocalDeliveryDisabled: zimbraPrefMailLocalDeliveryDisabled_value_from_server
# Email address visible for outgoing messages <String>
zimbraMailCanonicalAddress: zimbraMailCanonicalAddress_value_from_server
# Display name visible for outgoing messages <String>
zimbraPrefFromDisplay: zimbraPrefFromDisplay_value_from_server
UserPasswords:
hermesType: your_server_UserPasswords_type_name
attrsmapping:
# Password hash <String>
userPassword: userPassword_value_from_server
Groups:
hermesType: your_server_Groups_type_name
attrsmapping:
# Group primary email address <Valid email address>
name: name_value_from_server
# Discriminant distribution list/group <String (enabled, disabled)>
zimbraMailStatus: zimbraMailStatus_value_from_server
# List of aliases for this group <String[]>
aliases: aliases_value_from_server
# Group description <String>
description: description_value_from_server
# Display name <String>
displayName: displayName_value_from_server
# Report available shares to new members <String (TRUE, FALSE)>
zimbraDistributionListSendShareMessageToNewMembers: zimbraDistributionListSendShareMessageToNewMembers_value_from_server
# Hide group in GAL <String (TRUE, FALSE)>
zimbraHideInGal: zimbraHideInGal_value_from_server
# Free notes <String>
zimbraNotes: zimbraNotes_value_from_server
GroupsMembers:
hermesType: your_server_GroupsMembers_type_name
attrsmapping:
user_pkey: user_pkey_value_from_server
group_pkey: group_pkey_value_from_server
GroupsSenders:
hermesType: your_server_GroupsSenders_type_name
attrsmapping:
user_pkey: user_pkey_value_from_server
group_pkey: group_pkey_value_from_server
Resources:
hermesType: your_server_Resources_type_name
attrsmapping:
# Resource primary email address <Valid email address>
name: name_value_from_server
# Display name <String>
displayName: displayName_value_from_server
# Resource type <String (Location, Equipment)>
zimbraCalResType: zimbraCalResType_value_from_server
# Country name <String>
co: co_value_from_server
# Description <String>
description: description_value_from_server
# Resource city <String>
l: l_value_from_server
# Postal code <String>
postalCode: postalCode_value_from_server
# Resource state <String>
st: st_value_from_server
# Resource street <String>
street: street_value_from_server
# Password hash <String>
userPassword: userPassword_value_from_server
# Resource status (default active) <String (active, closed)>
zimbraAccountStatus: zimbraAccountStatus_value_from_server
# Automatically accept or decline invitations <String (TRUE, FALSE)>
zimbraCalResAutoAcceptDecline: zimbraCalResAutoAcceptDecline_value_from_server
# Automatically decline invitations if there is a risk of conflict <String (TRUE, FALSE)>
zimbraCalResAutoDeclineIfBusy: zimbraCalResAutoDeclineIfBusy_value_from_server
# Automatically decline recurring invitations <String (TRUE, FALSE)>
zimbraCalResAutoDeclineRecurring: zimbraCalResAutoDeclineRecurring_value_from_server
# Building <String>
zimbraCalResBuilding: zimbraCalResBuilding_value_from_server
# Capacity <Integer>
zimbraCalResCapacity: zimbraCalResCapacity_value_from_server
# Contact email address <String>
zimbraCalResContactEmail: zimbraCalResContactEmail_value_from_server
# Contact name <String>
zimbraCalResContactName: zimbraCalResContactName_value_from_server
# Contact phone <String>
zimbraCalResContactPhone: zimbraCalResContactPhone_value_from_server
# Floor <String>
zimbraCalResFloor: zimbraCalResFloor_value_from_server
# Name of the displayed location <String>
zimbraCalResLocationDisplayName: zimbraCalResLocationDisplayName_value_from_server
# Room <String>
zimbraCalResRoom: zimbraCalResRoom_value_from_server
# Site <String>
zimbraCalResSite: zimbraCalResSite_value_from_server
# Free notes <String>
zimbraNotes: zimbraNotes_value_from_server
# Forward calendar invitations to this address <Array>
zimbraPrefCalendarForwardInvitesTo: zimbraPrefCalendarForwardInvitesTo_value_from_serverThis client will generate a flat txt file by Groups, containing the e-mail addresses of its members (one by line).
hermes-client-usersgroups_flatfiles_emails_of_groups:
# MANDATORY
destDir: "/path/where/files/are/stored"
# Facultative: if set, will generate a file only for the specified group names in list
onlyTheseGroups:
- group1
- group2The following data types must be set up:
Users, requires the following attribute names:
user_pkey: the user primary keymail: the user email addressGroups, requires the following attribute names:
group_pkey: the group primary keyname: the group name, that will be compared to those in onlyTheseGroups, and used to name the destination file “groupName.txt”GroupsMembers, requires the following attribute names:
user_pkey: the user primary keygroup_pkey: the group primary key datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
user_pkey: user_pkey_on_server
mail: mail_on_server
Groups:
hermesType: your_server_Groups_type_name
attrsmapping:
group_pkey: group_pkey_on_server
name: group_name_on_server
GroupsMembers:
hermesType: your_server_GroupsMembers_type_name
attrsmapping:
user_pkey: user_pkey_on_server
group_pkey: group_pkey_on_serverThis client will handle Users and UserPassword, and store data in an Heimdal Kerberos server.
hermes-client-usersgroups_kadmin_heimdal:
# MANDATORY: Principal with required rights to manage users and passwords in kadmin
kadmin_login: root/admin
# MANDATORY: Password of principal above
kadmin_password: "s3cReT_p4s5w0rD"
# MANDATORY: Name of Kerberos realm
kadmin_realm: KERBEROS_REALM
# Service principal name to get ticket for. Default: kadmin/admin
kinit_spn: kadmin/admin
# kinit command to use. Default: kinit.heimdal
kinit_cmd: kinit.heimdal
# kadmin command to use. Default: kadmin.heimdal
kadmin_cmd: kadmin.heimdal
# kdestroy command to use. Default: kdestroy.heimdal
kdestroy_cmd: kdestroy.heimdal
# kadmin additional args to use when adding a user. Must be a list of strings. Default:
# - "--max-ticket-life=1 day"
# - "--max-renewable-life=1 week"
# - "--attributes="
# - "--expiration-time=never"
# - "--policy=default"
# - "--pw-expiration-time=never"
kadmin_user_add_additional_options:
- "--max-ticket-life=1 day"
- "--max-renewable-life=1 week"
- "--attributes="
- "--expiration-time=never"
- "--policy=default"
- "--pw-expiration-time=never"
# Set to true to start with an already filled Kerberos database. Default: false
dont_fail_on_existing_user: false
# Optional random password generation settings. Default: values specified below
# Random password is generated to initialize a user whose password is not yet available,
# or when the user password is removed but the user still exists
random_passwords:
# Password length
length: 32
# If true, the generated password may contains some upper case letters
with_upper_letters: true
# The generated password will contain at least this number of upper case letters
minimum_number_of_upper_letters: 1
# If true, the generated password may contains some lower case letters
with_lower_letters: true
# The generated password will contain at least this number of lower case letters
minimum_number_of_lower_letters: 1
# If true, the generated password may contains some numbers
with_numbers: true
# The generated password will contain at least this number of numbers
minimum_number_of_numbers: 1
# If true, the generated password may contains some special chars
with_special_chars: true
# The generated password will contain at least this number of special chars
minimum_number_of_special_chars: 1
# If true, the generated password won't contains the chars specified in 'ambigous_chars_dictionary'
avoid_ambigous_chars: false
# The dictionary of ambigous chars (case sensitive) that may be forbidden in password, even if some are present in other dictionnaries
ambigous_chars_dictionary: "lIO01"
# The dictionary of letters (case unsensitive) allowed in password
letters_dictionary: "abcdefghijklmnopqrstuvwxyz"
# The dictionary of special chars allowed in password
special_chars_dictionary: "!@#$%^&*"The following data types must be set up:
Users, requires the following attribute names:
login: the user login, that will be used as principalUserPasswords, requires the following attribute names:
password: the password of the userObviously, the primary keys of Users and UserPasswords must match to be able to link login with password.
datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
login: login_on_server
UserPasswords:
hermesType: your_server_UserPasswords_type_name
attrsmapping:
password: password_on_serverThis client will handle Users, Groups and UserPasswords events, and store data in an LDAP directory.
The local Datamodel keys will be used as LDAP attributes names, without any constraints, and it is possible to specify some Datamodel keys to ignore (typically the primary keys) that won’t be stored in LDAP directory with the attributesToIgnore setting.
The GroupMembers will only store data (typically LDAP member attribute) in LDAP group entries as it is possible to use LDAP overlays (dynlist or the deprecated memberOf) to dynamically generate the corresponding data in user entries. You should consider reading the propagateUserDNChangeOnGroupMember setting documentation.
If you need to generate LDAP password hashes, you may consider looking at ldapPasswordHash attribute plugin.
hermes-client-usersgroups_ldap:
# MANDATORY: LDAP server URI
uri: ldaps://ldap.example.com:636
# MANDATORY: LDAP server credentials to use
binddn: cn=account,dc=example,dc=com
bindpassword: s3cReT_p4s5w0rD
# MANDATORY: LDAP base DN
basedn: dc=example,dc=com
users_ou: ou=users,dc=example,dc=com
groups_ou: ou=groups,dc=example,dc=com
ssl: # Facultative
# Path to PEM file with CA certs
cafile: /path/to/INTERNAL-CA-chain.crt # Facultative
# Path to file with PEM encoded cert for client cert authentication, requires keyfile
certfile: /path/to/client.crt # Facultative
# Path to file with PEM encoded key for client cert authentication, requires certfile
keyfile: /path/to/client.pem # Facultative
# MANDATORY: Name of DN attribute for Users, UserPasswords and Groups
# You have to set up values for the three, even if you don't use some of the types
dnAttributes:
Users: uid
UserPasswords: uid
Groups: cn
# Depending on group and group membership settings in LDAP, you may use another
# attribute than the default 'member' attribute to store the DN of group member
# Facultative. Default value: "member"
groupMemberAttribute: member
# Depending on group and group membership settings in LDAP, you usually may want
# to propagate a user DN change on group member attributes. But sometimes, it
# may be handled by an overlay, e.g. with memberOf overlay and the
# memberof-refint/olcMemberOfRefint setting to TRUE
# If set to true, it requires 'groupsObjectclass' to be defined
# Facultative. Default value: true
propagateUserDNChangeOnGroupMember: true
# If you've set 'propagateUserDNChangeOnGroupMember' to true,
# you MUST indicate your group objectClass that will be used to search
# your groups entries
# Mandatory only if 'propagateUserDNChangeOnGroupMember' is true
groupsObjectclass: groupOfNames
# It is possible to set a default value for some attributes for Users, UserPasswords and Groups
# The default value will be set on added and modified events if the local attribute has no value
defaultValues:
Groups:
member: "" # Hack to allow creation of an empty group, because of the "MUST member" in schema
# The local attributes listed here won't be stored in LDAP for Users, UserPasswords and Groups
attributesToIgnore:
Users:
- user_pkey
UserPasswords:
- user_pkey
Groups:
- group_pkeyThe following data types may be set up:
UsersUserPasswords: obviously require Users, and requires the following attribute names user_pkey corresponding to the primary keys of UsersGroupsGroupsMembers: obviously require Users and Groups, and requires the following attribute names user_pkey group_pkey corresponding to the primary keys of Users and Groups datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
user_pkey: user_primary_key_on_server
uid: login_on_server
# ...
UserPasswords:
hermesType: your_server_UserPasswords_type_name
attrsmapping:
user_pkey: user_primary_key_on_server
userPassword: ldap_pwd_hash_list_on_server
# ...
Groups:
hermesType: your_server_Groups_type_name
attrsmapping:
group_pkey: group_primary_key_on_server
cn: group_name_on_server
# ...
GroupsMembers:
hermesType: your_server_GroupsMembers_type_name
attrsmapping:
user_pkey: user_primary_key_on_server
group_pkey: group_primary_key_on_server
# ...This client will handle Users, Groups and UserPasswords events, but does nothing but logging.
Nothing to configure for the plugin.
hermes-client-usersgroups_null:The following data types may be set up, without any specific constraint as nothing will be processed.
datamodel:
Users:
hermesType: your_server_Users_type_name
attrsmapping:
attr1_client: attr1_server
# ...
UserPasswords:
hermesType: your_server_UserPasswords_type_name
attrsmapping:
attr1_client: attr1_server
# ...
Groups:
hermesType: your_server_Groups_type_name
attrsmapping:
attr1_client: attr1_server
# ...
GroupsMembers:
hermesType: your_server_GroupsMembers_type_name
attrsmapping:
attr1_client: attr1_server
# ...This plugin allows hermes-client to receive events from an Apache Kafka server.
It is possible to connect to Kafka server without authentication, or with SSL (TLS) authentication.
hermes:
plugins:
messagebus:
kafka:
settings:
# MANDATORY: the Kafka server or servers list that can be used
servers:
- dummy.example.com:9093
# Facultative: which Kafka API version to use. If unset, the
# api version will be detected at startup and reported in the logs.
# Don't set this directive unless you encounter some
# "kafka.errors.NoBrokersAvailable: NoBrokersAvailable" errors raised
# by a "self.check_version()" call.
api_version: [2, 6, 0]
# Facultative: enables SSL authentication. If set, the 3 options below
# must be defined
ssl:
# MANDATORY: hermes-client cert file that will be used for
# authentication
certfile: /path/to/.hermes/dummy.crt
# MANDATORY: hermes-client cert file private key
keyfile: /path/to/.hermes/dummy.pem
# MANDATORY: The PKI CA cert
cafile: /path/to/.hermes/INTERNAL-CA-chain.crt
# MANDATORY: the topic to send events to
topic: hermes
# MANDATORY: the group_id to assign client to. Set what you want here.
group_id: hermes-grpThis plugin allows hermes-client to receive events from an SQLite database.
hermes:
plugins:
messagebus:
sqlite:
settings:
# MANDATORY:
uri: /path/to/.hermes/bus.sqlite