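---
# Example configuration for the LDAP identity provider plug-in.
# Adjust values to match your directory deployment before enabling the plugin.
#
# NOTE(review): this file was recovered from a single flattened line; the key
# nesting below is reconstructed — verify it against the plug-in's schema
# before use. Secrets are referenced by file path ("file:...") rather than
# stored inline, so they stay out of version control.

connection:
  host: "ldaps://ldap.example.internal"
  port: 636
  useStartTls: false            # ldaps:// already wraps the connection in TLS
  validateCertificates: true    # server certificate is checked against trustStore
  clientCertificate:
    pfxPath: "file:/etc/stellaops/certs/ldap-client.pfx"
    passwordSecret: "file:/etc/stellaops/secrets/ldap-client-pfx.txt"
    sendChain: true
  trustStore:
    mode: "system"              # system | bundle
    # presumably only consulted when mode is "bundle" — confirm
    bundlePath: "file:/etc/stellaops/trust/ldap-root.pem"
  searchBase: "ou=people,dc=example,dc=internal"
  usernameAttribute: "uid"
  # {username} is substituted into a DN; the plug-in is expected to escape it
  # per RFC 4514 before substitution — TODO confirm against the implementation
  userDnFormat: "uid={username},ou=people,dc=example,dc=internal"
  bindDn: "cn=stellaops-bind,ou=service,dc=example,dc=internal"
  bindPasswordSecret: "file:/etc/stellaops/secrets/ldap-bind.txt"

security:
  requireTls: true
  requireClientCertificate: false    # set to true to enforce mutual TLS client authentication
  # set STELLAOPS_LDAP_ALLOW_INSECURE=true to permit TLS downgrade; keep false
  # outside lab environments so requireTls cannot be bypassed at runtime
  allowInsecureWithEnvToggle: false
  allowedCipherSuites:               # TLS 1.3 suites only
    - "TLS_AES_256_GCM_SHA384"
    - "TLS_AES_128_GCM_SHA256"
  referralChasing: false             # do not follow referrals to other directory servers
  lockout:
    useAuthorityPolicies: true
    directoryLockoutAttribute: "pwdAccountLockedTime"

claims:
  groupAttribute: "memberOf"
  groupToRoleMap:
    "cn=stellaops-admins,ou=groups,dc=example,dc=internal": "operators"
    "cn=stellaops-read,ou=groups,dc=example,dc=internal": "auditors"
  regexMappings:
    # The named capture group must be present for {role} in roleFormat to
    # resolve; "(?P<role>...)" is the Python/PCRE form — if the plug-in uses a
    # .NET regex engine it is "(?<role>...)" — TODO confirm the engine.
    - pattern: "^cn=stellaops-(?P<role>[a-z-]+),ou=groups,dc=example,dc=internal$"
      roleFormat: "{role}"           # {role} comes from the named capture group in the pattern above
  extraAttributes:
    displayName: "displayName"
    email: "mail"
  cache:
    enabled: true                    # enable Mongo-backed cache to avoid hammering LDAP for repeat grants
    # optional; defaults to "ldap_claims_cache_" plus a suffix when omitted —
    # the suffix was lost in this copy, TODO confirm
    collectionName: "ldap_claims_cache"
    ttlSeconds: 600
    maxEntries: 5000

queries:
  # {username} is substituted into an LDAP filter; the plug-in is expected to
  # escape it per RFC 4515 before substitution — TODO confirm against the
  # implementation
  userFilter: "(&(objectClass=person)(uid={username}))"
  attributes:
    - "displayName"
    - "mail"
    - "memberOf"

clientProvisioning:
  enabled: false
  containerDn: "ou=service,dc=example,dc=internal"
  secretAttribute: "userPassword"
  auditMirror:
    enabled: true
    collectionName: "ldap_client_provisioning"   # Mongo mirror ships inside the Offline Kit for auditors

bootstrap:
  enabled: false
  containerDn: "ou=people,dc=example,dc=internal"
  rdnAttribute: "uid"
  usernameAttribute: "uid"
  displayNameAttribute: "displayName"
  givenNameAttribute: "givenName"
  surnameAttribute: "sn"
  emailAttribute: "mail"
  secretAttribute: "userPassword"
  staticAttributes:
    description: "StellaOps bootstrap user for {username}"
  auditMirror:
    enabled: true
    collectionName: "ldap_bootstrap_audit"

health:
  probeIntervalSeconds: 60
  timeoutSeconds: 5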