-
Notifications
You must be signed in to change notification settings - Fork 7
/
ctldap.yml
72 lines (64 loc) · 3.81 KB
/
ctldap.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
config:
# Add debug infos to log, non-empty string means "true"!
debug: ${DEBUG:false}
# Add verbose debug infos to log, non-empty string means "true"!
trace: ${TRACE:false}
# LDAP server ip to listen on, change it to 0.0.0.0 when external access required
ldapIp: ${LDAP_IP:0.0.0.0}
# LDAP server port, you may change this to the privileged default port 389.
ldapPort: ${LDAP_PORT:1389}
# This controls (in milliseconds) how old the user/group data can be until it is fetched from ChurchTools again
cacheLifetime: ${CACHE_LIFETIME_MS:300000}
# This is required for clients using lowercase DNs, e.g. ownCloud/nextCloud
dnLowerCase: ${IS_DN_LOWER_CASE:true}
# This is required for clients that need lowercase email addresses, e.g. Seafile
emailLowerCase: ${IS_EMAIL_LOWER_CASE:true}
# LDAP admin user, can be a "virtual" root user or a ChurchTools username (virtual root is recommended!)
ldapUser: ${LDAP_USER:root}
# The static password to be used for the virtual ldapUser, i.e. if that one is NOT a CT account.
# Ideally, choose a LONG SECURE RANDOM password from a password generator like KeePass and hash it with argon2!
ldapPassword: ${LDAP_PW:some-bcrypt-hash-or-argon2-hash-or-plaintext-password}
# LDAP base DN, "o=<xxx>", e.g. "o=churchtools"
ldapBaseDn: ${LDAP_BASE_DN:churchtools}
# The URI pointing to the root of your ChurchTools installation
ctUri: ${CT_URI:#https://mysite.church.tools}
# This access token is used to authenticate against ChurchTools for API access.
# The backing user must be granted sufficient rights for the wrapper to work properly! Typically, these are:
# churchdb:{ view | view alldata(-1) | view grouptype(-1) | security level person(1,2*) | security level group(1*) }
# * = additional security levels might be required, depending on your ChurchTools settings.
# IMPORTANT: It is strongly recommended to use a LONG SECURE RANDOM password from a generator like KeePass for this user!
# You can obtain the API token from the API:
# - Login via https://your.ct.domain/api > "General" > "login" (copy your "personId" from the shown output!)
# - Get your token via "Person" > "/persons/{personId}/logintoken"
apiToken: ${API_TOKEN}
# This map specifies special group properties, typically yes/no-columns, that, when found in the group information,
# are translated to additional LDAP object classes that will be attached to the group and user objects.
# Doing so, it is possible to use e.g. additional group columns in ChurchTools to "tag" groups and users in LDAP.
specialGroupMappings:
nextcloud:
groupClass: NextCloudGroup
personClass: NextCloudUser
# To use SSL/TLS, provide file names for x509 certificate and key here
# Use this command to create a private key and a certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
# Use this command to remove the encryption password:
# openssl rsa -in key.pem -out newkey.pem && mv newkey.pem key.pem
# ldapCertFilename: cert.pem
# ldapKeyFilename: key.pem
# Define the sites here. For each site please enter one section.
# If ldapBaseDn is set above, the global settings above are treated as an additional site.
# The sites have to be named like their desired LDAP BASE DN organization, i.e. "foobar" for foobar.church.tools.
# dnLowerCase is optional, if not specified, the default value will be taken from the config above.
# emailLowerCase is optional, if not specified, the default value will be taken from the config above.
sites:
# xxxxxxxxxx:
# dnLowerCase: true
# emailLowerCase: true
# ldapUser: root
# ldapPassword: $argon2id$XXXXXXXXXXXXXXXXXXXX
# ctUri: https://XXXXXXXXXXXXXXXXXXXX.church.tools/
# apiToken: XXXXXXXXXXXXXXXXXXXX
# specialGroupMappings:
# nextcloud:
# groupClass: NextCloudGroup
# personClass: NextCloudUser