-
Notifications
You must be signed in to change notification settings - Fork 128
/
Copy pathldap_attribute_store.yaml.example
147 lines (129 loc) · 5.25 KB
/
ldap_attribute_store.yaml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
module: satosa.micro_services.ldap_attribute_store.LdapAttributeStore
name: LdapAttributeStore
config:
# The microservice may be configured per entityID.
# The configuration key is the entityID of the requesting SP,
# the authenticating IdP, or the entityID of the CO virtual IdP.
# The key "default" specifies the default configuration
default:
ldap_url: "ldaps://ldap.example.org"
bind_dn: cn=admin,dc=example,dc=org
# Obtain bind password from environment variable LDAP_BIND_PASSWORD.
bind_password: !ENV LDAP_BIND_PASSWORD
# Obtain bind password from file pointed to by
# environment variable LDAP_BIND_PASSWORD_FILE.
# bind_password: !ENVFILE LDAP_BIND_PASSWORD
search_base: ou=People,dc=example,dc=org
read_only: true
auto_bind: true
version: 3
## See ldap3 client_strategies. The default is REUSABLE.
client_strategy: RESTARTABLE
## Specify pool settings when using REUSABLE client strategy.
# pool_size: number of open connection; default: 10
pool_size: 10
# pool_keepalive: seconds to wait between calls to server to keep the
# connection alive; default: 10
pool_keepalive: 10
# pool_lifetime: number of seconds before recreating a new connection
# in a pooled connection strategy.
pool_lifetime: None
# Attributes to return from LDAP query.
query_return_attributes:
- sn
- givenName
- mail
- employeeNumber
- isMemberOf
# LDAP attribute to internal attribute mapping.
ldap_to_internal_map:
sn: surname
givenName: givenname
mail: mail
employeeNumber: employeenumber
isMemberOf: ismemberof
# Deprecated.
# Use query_return_attributes and ldap_to_internal_map instead.
# Format is LDAP attribute name: internal attribute name
search_return_attributes:
sn: surname
givenName: givenname
mail: mail
employeeNumber: employeenumber
isMemberOf: ismemberof
# Ordered list of identifiers to use when constructing the search filter
# to find the user record in LDAP directory.
#
# This example searches in order for eduPersonUniqueId,
# eduPersonPrincipalName combined with SAML persistent NameID,
# eduPersonPrincipalName combined with eduPersonTargetedId,
# eduPersonPrincipalName, SAML persistent NameID, and
# eduPersonTargetedId.
ordered_identifier_candidates:
- attribute_names:
- epuid
- attribute_names:
- eppn
- name_id
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- attribute_names:
- eppn
- edupersontargetedid
- attribute_names:
- eppn
- attribute_names:
- name_id
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
add_scope: issuer_entityid
- attribute_names:
- edupersontargetedid
add_scope: issuer_entityid
ldap_identifier_attribute: uid
# Override the contructed search_filter with ldap_identifier_attribute
# with an own filter. This allows more complex queries.
# {0} will be injected with the ordered_identifier_candidates.
# For example:
# search_filter: "(&(uid={0})(isMemberOf=authorized))"
search_filter: None
# Whether to clear values for attributes incoming
# to this microservice. Default is no or false.
clear_input_attributes: no
# List of LDAP attributes to use as input to hashing to create
# NameID.
user_id_from_attrs:
- employeeNumber
# If true, do not only process the first ldap result, but iterate over
# the result and process all of them.
use_all_results: false
# Where to redirect the browser if no record is returned
# from LDAP. The default is not to redirect.
on_ldap_search_result_empty: https://my.vo.org/please/go/enroll
# The microservice may be configured per entityID or per extracted attribute.
# The configuration key is the entityID of the requesting SP,
# the authenticating IdP, the entityID of the CO virtual IdP, or the
# extracted attribute defined by `global.provider_attribute`.
# When more than one configured key matches during a flow
# the priority ordering is provider attribute, requesting SP, then authenticating IdP, then
# CO virtual IdP. Αny missing parameters are taken from the
# default configuration.
global:
provider_attribute: domain
# domain attribute is extracted in a previous microserver and used as a key
# here.
company.com:
ldap_url: ldaps://ldap.company.com
search_base: ou=group,dc=identity,dc=company,dc=com
https://sp.myserver.edu/shibboleth-sp:
search_base: ou=People,o=MyVO,dc=example,dc=org
search_return_attributes:
employeeNumber: employeenumber
ordered_identifier_candidates:
- attribute_names:
- eppn
user_id_from_attrs:
- uid
https://federation-proxy.my.edu/satosa/idp/proxy/some_co:
search_base: ou=People,o=some_co,dc=example,dc=org
# The microservice may be configured to ignore a particular entityID.
https://another.sp.myserver.edu:
ignore: true