Director
The director configuration file (dcvix-director.conf) uses INI format with the following sections.
[director]
| Field | Type | Default | Description |
|---|---|---|---|
| director_host | string | 0.0.0.0 | Hostname or IP the director listens on |
| director_port | int | 8445 | HTTPS listener port |
| agent_port | int | 8446 | Port agents listen on (used for outbound connections) |
| auth_type | string | pam | Authentication backend: pam, ldap, radius, external |
| policydb_folder | string | policydb | Path to the policy JSON directory |
| data_dir | string | /var/lib/dcvix-director | Persistent state directory (CA keys, agents.db, server cert) |
| token_key | string | (auto-generated) | Base64-encoded PASETO symmetric key. Set this to persist tokens across restarts. |
[pam_auth]
| Field | Type | Default | Description |
|---|---|---|---|
| pam_service_name | string | login | PAM service name |
[ldap_auth]
| Field | Type | Default | Description |
|---|---|---|---|
| ldap_address | string | ldap://127.0.0.1:389 | LDAP server URL |
| ldap_base_dn | string | dc=example,dc=com | LDAP base DN |
| ldap_bind_user | string | cn=admin,dc=example,dc=com | Bind DN |
| ldap_bind_password | string | password | Bind password |
| ldap_filter | string | (sAMAccountName=%s) | Search filter (%s = userID) |
| otp_type | string | disabled | OTP backend: disabled, privacyidea, external |
| privacyidea_url | string | https://mfaserver.domain.com | PrivacyIDEA server URL (calls POST /validate/check) |
| privacyidea_tls_strict | bool | true | Verify PrivacyIDEA TLS certificate |
| otp_external_command | string | /usr/bin/external-auth | External OTP verification command |
| otp_external_args | string | "" | Arguments for external OTP command |
[radius_auth]
| Field | Type | Default | Description |
|---|---|---|---|
| radius_server | string | 127.0.0.1 | RADIUS server address |
| radius_port | int | 1812 | RADIUS server port |
| radius_secret | string | secret | RADIUS shared secret |
[external_auth]
| Field | Type | Default | Description |
|---|---|---|---|
| external_command | string | /usr/bin/external-auth | External auth binary path |
| args | string | "" | Command-line arguments |

The external command receives `UserID\nPassword\nOTP\n` (three newline-terminated lines) on stdin and must exit 0 for success, 1 for failure.
[gateway]
| Field | Type | Default | Description |
|---|---|---|---|
| gateways_list | string | 127.0.0.1 | Comma-separated IPs allowed to access /resolveSession |
[housekeeper]
| Field | Type | Default | Description |
|---|---|---|---|
| housekeeper_frequency | duration | 40s | Housekeeper run interval |
| max_age | duration | 30s | Max age of stale sessions before cleanup |
[log]
| Field | Type | Default | Description |
|---|---|---|---|
| level | string | info | Log verbosity: debug, info, warning, error, critical |
| directory | string | log | Log output directory |
| rotation | int | 2 | Number of 100 MB log files to keep |
Policy JSON Files
policydb/users.json
```json
[
  {
    "UserID": "user1",
    "Workstations": ["ws1.domain.com", "ws2.domain.com"],
    "Pools": ["testing"]
  },
  {
    "UserID": "user2",
    "Workstations": ["ws3.domain.com"],
    "Pools": ["engineering"]
  }
]
```

The special workstation value `ALLOW_CUSTOM` grants access to all servers (the launcher then shows a custom hostname input).
policydb/pools.json
```json
[
  {
    "PoolID": "testing",
    "Workstations": ["ws5.domain.com", "ws6.domain.com"]
  },
  {
    "PoolID": "engineering",
    "Workstations": ["ws8.domain.com", "ws9.domain.com"]
  }
]
```
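As an added example (not part of the dcvix-director project), a small policy audit that merges users.json and pools.json into each user's effective workstation list and flags every user holding the all-servers ALLOW_CUSTOM grant. It also flags pool IDs a user references that pools.json does not define; treating those as findings is this script's assumption, not documented director behaviour. The sample JSON is constructed and includes an extra "admin" entry to exercise both checks.

```python
import json
from typing import Dict, List, Set, Tuple

ALLOW_CUSTOM = "ALLOW_CUSTOM"  # special workstation value: access to all servers

# Constructed sample data in the users.json / pools.json layout described above.
USERS_JSON = """[
  {"UserID": "user1", "Workstations": ["ws1.domain.com", "ws2.domain.com"], "Pools": ["testing"]},
  {"UserID": "user2", "Workstations": ["ws3.domain.com"], "Pools": ["engineering"]},
  {"UserID": "admin", "Workstations": ["ALLOW_CUSTOM"], "Pools": ["missing-pool"]}
]"""
POOLS_JSON = """[
  {"PoolID": "testing", "Workstations": ["ws5.domain.com", "ws6.domain.com"]},
  {"PoolID": "engineering", "Workstations": ["ws8.domain.com", "ws9.domain.com"]}
]"""


def load_pools(text: str) -> Dict[str, List[str]]:
    """Index pools.json by PoolID."""
    return {p["PoolID"]: list(p.get("Workstations", [])) for p in json.loads(text)}


def effective_workstations(user: dict, pools: Dict[str, List[str]]) -> Tuple[List[str], bool, List[str]]:
    """Union of direct workstations and pool workstations.
    Returns (sorted hosts, has ALLOW_CUSTOM, pool IDs not found in pools.json)."""
    hosts: Set[str] = set()
    unknown_pools: List[str] = []
    unrestricted = False
    for ws in user.get("Workstations", []):
        if ws == ALLOW_CUSTOM:
            unrestricted = True  # not a host; record the grant separately
        else:
            hosts.add(ws)
    for pool_id in user.get("Pools", []):
        if pool_id in pools:
            hosts.update(pools[pool_id])
        else:
            unknown_pools.append(pool_id)  # assumption: an undefined pool is worth flagging
    return sorted(hosts), unrestricted, unknown_pools


def audit_policy(users_text: str, pools_text: str) -> Dict[str, dict]:
    """Per-user report of effective access, keyed by UserID."""
    pools = load_pools(pools_text)
    report = {}
    for user in json.loads(users_text):
        hosts, unrestricted, unknown = effective_workstations(user, pools)
        report[user["UserID"]] = {"workstations": hosts, "unrestricted": unrestricted, "unknown_pools": unknown}
    return report
```

Run `audit_policy(USERS_JSON, POOLS_JSON)` against the real files from `policydb_folder` to list, per user, the reachable hosts plus any ALLOW_CUSTOM grant or undefined pool reference.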
Example Minimal Config
```ini
[director]
director_host = "0.0.0.0"
director_port = 8445
auth_type = "pam"
policydb_folder = "/etc/dcvix-director/policydb"
data_dir = "/var/lib/dcvix-director"
```