|
|
|
|
@ -429,41 +429,43 @@ services: |
|
|
|
|
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required. |
|
|
|
|
# |
|
|
|
|
# The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap. |
|
|
|
|
- DEFAULT_AUTHENTICATION_METHOD=ldap |
|
|
|
|
#- DEFAULT_AUTHENTICATION_METHOD=ldap |
|
|
|
|
# |
|
|
|
|
# Enable or not the connection by the LDAP |
|
|
|
|
- LDAP_ENABLE=true |
|
|
|
|
#- LDAP_ENABLE=true |
|
|
|
|
# |
|
|
|
|
# The port of the LDAP server |
|
|
|
|
- LDAP_PORT=636 |
|
|
|
|
#- LDAP_PORT=389 |
|
|
|
|
# |
|
|
|
|
# The host server for the LDAP server |
|
|
|
|
- LDAP_HOST=win100a002.verband.creditreform.de |
|
|
|
|
|
|
|
|
|
#- LDAP_HOST=localhost |
|
|
|
|
# |
|
|
|
|
# set to true, if you want to connect with Active Directory by Simple Authentication |
|
|
|
|
- LDAP_AD_SIMPLE_AUTH=true |
|
|
|
|
# |
|
|
|
|
# set to true, if the login user is used for binding |
|
|
|
|
- LDAP_USER_AUTHENTICATION=true |
|
|
|
|
# |
|
|
|
|
# The base DN for the LDAP Tree |
|
|
|
|
- LDAP_BASEDN=OU=Benutzer,dc=verband,dc=creditreform,dc=de |
|
|
|
|
#- LDAP_BASEDN=dc=verband,dc=creditreform,dc=de |
|
|
|
|
#- LDAP_BASEDN=ou=user,dc=example,dc=org |
|
|
|
|
# |
|
|
|
|
# Fallback on the default authentication method |
|
|
|
|
- LDAP_LOGIN_FALLBACK=true |
|
|
|
|
#- LDAP_LOGIN_FALLBACK=false |
|
|
|
|
# |
|
|
|
|
# Reconnect to the server if the connection is lost |
|
|
|
|
- LDAP_RECONNECT=true |
|
|
|
|
#- LDAP_RECONNECT=true |
|
|
|
|
# |
|
|
|
|
# Overall timeout, in milliseconds |
|
|
|
|
- LDAP_TIMEOUT=10000 |
|
|
|
|
#- LDAP_TIMEOUT=10000 |
|
|
|
|
# |
|
|
|
|
# Specifies the timeout for idle LDAP connections in milliseconds |
|
|
|
|
- LDAP_IDLE_TIMEOUT=10000 |
|
|
|
|
#- LDAP_IDLE_TIMEOUT=10000 |
|
|
|
|
# |
|
|
|
|
# Connection timeout, in milliseconds |
|
|
|
|
- LDAP_CONNECT_TIMEOUT=10000 |
|
|
|
|
#- LDAP_CONNECT_TIMEOUT=10000 |
|
|
|
|
# |
|
|
|
|
# If the LDAP needs a user account to search |
|
|
|
|
- LDAP_AUTHENTIFICATION=true |
|
|
|
|
#- LDAP_AUTHENTIFICATION=true |
|
|
|
|
# |
|
|
|
|
# The search user DN - You need quotes when you have spaces in parameters |
|
|
|
|
# 2 examples: |
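Review bot: The new active lines hard-code a site-specific directory server and tree into the tracked compose file — `- LDAP_HOST=win100a002.verband.creditreform.de` and `- LDAP_BASEDN=OU=Benutzer,dc=verband,dc=creditreform,dc=de` — which publishes internal host naming and directory layout to anyone who can read the repository. Compose resolves `${VAR}` from the environment or an `.env` file, so the tracked file can keep placeholders such as `- LDAP_HOST=${LDAP_HOST}` and `- LDAP_BASEDN=${LDAP_BASEDN}` while the real values stay in an untracked file. The same applies to `LDAP_DEFAULT_DOMAIN` further down in this diff. `- LDAP_LOGIN_FALLBACK=true` also keeps the non-LDAP login path open when the directory rejects a user; if that is intentional for break-glass accounts it deserves a one-line comment, otherwise the commented default `false` is the safer choice.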
|
|
|
|
@ -471,24 +473,25 @@ services: |
|
|
|
|
#- LDAP_AUTHENTIFICATION_USERDN=CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com |
|
|
|
|
# |
|
|
|
|
# The password for the search user |
|
|
|
|
#- LDAP_AUTHENTIFICATION_PASSWORD= |
|
|
|
|
#- LDAP_AUTHENTIFICATION_PASSWORD=pwd |
|
|
|
|
# |
|
|
|
|
# Enable logs for the module |
|
|
|
|
- LDAP_LOG_ENABLED=true |
|
|
|
|
- INTERNAL_LOG_LEVEL=DEBUG |
|
|
|
|
#- LDAP_LOG_ENABLED=true |
|
|
|
|
# |
|
|
|
|
# If the sync of the users should be done in the background |
|
|
|
|
- LDAP_BACKGROUND_SYNC=false |
|
|
|
|
#- LDAP_BACKGROUND_SYNC=false |
|
|
|
|
# |
|
|
|
|
# At which interval does the background task sync in milliseconds |
|
|
|
|
- LDAP_BACKGROUND_SYNC_INTERVAL=2000 |
|
|
|
|
# At which interval does the background task sync. |
|
|
|
|
# The format must be as specified in: |
|
|
|
|
# https://bunkat.github.io/later/parsers.html#text |
|
|
|
|
#- LDAP_BACKGROUND_SYNC_INTERVAL='every 1 hour' |
|
|
|
|
# |
|
|
|
|
- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=true |
|
|
|
|
#- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false |
|
|
|
|
# |
|
|
|
|
- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true |
|
|
|
|
#- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false |
|
|
|
|
# |
|
|
|
|
# If using LDAPS: LDAP_ENCRYPTION=ssl / none |
|
|
|
|
- LDAP_ENCRYPTION=ssl |
|
|
|
|
# If using LDAPS: LDAP_ENCRYPTION=ssl |
|
|
|
|
#- LDAP_ENCRYPTION=false |
|
|
|
|
# |
|
|
|
|
# The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file. |
|
|
|
|
#- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE----- |
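Review bot: `- INTERNAL_LOG_LEVEL=DEBUG` is added next to `- LDAP_LOG_ENABLED=true` without the explanatory comment and commented-out default that every other key in this file carries, and it looks like a troubleshooting setting left switched on: verbose LDAP logging can write bind DNs and user attributes into the container log. I would document it as such, e.g. `# Verbosity of the internal logger; DEBUG includes LDAP request details, use only while troubleshooting` above a commented `#- INTERNAL_LOG_LEVEL=DEBUG`. The hunk also enables `LDAP_ENCRYPTION=ssl` on port 636 while `LDAP_CA_CERT` stays commented out, so the trust anchor for that TLS connection is not stated anywhere in the diff; if the AD server uses a private CA, say so and set the certificate (or the image's reject-unauthorized setting, if present) explicitly rather than relying on the default. Minor style: the two comments `# If using LDAPS: LDAP_ENCRYPTION=ssl / none` and `# If using LDAPS: LDAP_ENCRYPTION=ssl` say the same thing and one of them can go.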
|
|
|
|
@ -503,83 +506,86 @@ services: |
|
|
|
|
#- LDAP_USER_AUTHENTICATION_FIELD=uid |
|
|
|
|
# |
|
|
|
|
# Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed |
|
|
|
|
- LDAP_USER_SEARCH_FILTER=(objectClass=user) |
|
|
|
|
#- LDAP_USER_SEARCH_FILTER= |
|
|
|
|
# |
|
|
|
|
# base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree) |
|
|
|
|
- LDAP_USER_SEARCH_SCOPE=one |
|
|
|
|
#- LDAP_USER_SEARCH_SCOPE=one |
|
|
|
|
# |
|
|
|
|
# Which field is used to find the user, like uid / sAMAccountName |
|
|
|
|
- LDAP_USER_SEARCH_FIELD=sAMAccountName |
|
|
|
|
#- LDAP_USER_SEARCH_FIELD=sAMAccountName |
|
|
|
|
# |
|
|
|
|
# Used for pagination (0=unlimited) |
|
|
|
|
- LDAP_SEARCH_PAGE_SIZE=0 |
|
|
|
|
#- LDAP_SEARCH_PAGE_SIZE=0 |
|
|
|
|
# |
|
|
|
|
# The limit number of entries (0=unlimited) |
|
|
|
|
- LDAP_SEARCH_SIZE_LIMIT=0 |
|
|
|
|
#- LDAP_SEARCH_SIZE_LIMIT=0 |
|
|
|
|
# |
|
|
|
|
# Enable group filtering |
|
|
|
|
- LDAP_GROUP_FILTER_ENABLE=false |
|
|
|
|
# Enable group filtering. Note the authenticated ldap user must be able to query all relevant group data with own login data from ldap. |
|
|
|
|
#- LDAP_GROUP_FILTER_ENABLE=false |
|
|
|
|
# |
|
|
|
|
# The object class for filtering. Example: group |
|
|
|
|
# - LDAP_GROUP_FILTER_OBJECTCLASS=person |
|
|
|
|
#- LDAP_GROUP_FILTER_OBJECTCLASS= |
|
|
|
|
# |
|
|
|
|
# - LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=cn |
|
|
|
|
# The attribute of a group identifying it. Example: cn |
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE= |
|
|
|
|
# |
|
|
|
|
# - LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE= |
|
|
|
|
# The attribute inside a group object listing its members. Example: member |
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE= |
|
|
|
|
# |
|
|
|
|
# The format of the value of LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE. Example: 'dn' if the users dn is saved as value into the attribute. |
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT= |
|
|
|
|
# |
|
|
|
|
# - LDAP_GROUP_FILTER_GROUP_NAME= |
|
|
|
|
# The group name (id) that matches all users. |
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_NAME= |
|
|
|
|
# |
|
|
|
|
# LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid |
|
|
|
|
# - LDAP_UNIQUE_IDENTIFIER_FIELD= |
|
|
|
|
#- LDAP_UNIQUE_IDENTIFIER_FIELD= |
|
|
|
|
# |
|
|
|
|
# LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8 |
|
|
|
|
#- LDAP_UTF8_NAMES_SLUGIFY=true |
|
|
|
|
# |
|
|
|
|
# LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName |
|
|
|
|
- LDAP_USERNAME_FIELD=sAMAccountName |
|
|
|
|
#- LDAP_USERNAME_FIELD=sAMAccountName |
|
|
|
|
# |
|
|
|
|
# LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName |
|
|
|
|
- LDAP_FULLNAME_FIELD=cn |
|
|
|
|
#- LDAP_FULLNAME_FIELD=fullname |
|
|
|
|
# |
|
|
|
|
- LDAP_MERGE_EXISTING_USERS=true |
|
|
|
|
#- LDAP_MERGE_EXISTING_USERS=false |
|
|
|
|
# |
|
|
|
|
# Allow existing account matching by e-mail address when username does not match |
|
|
|
|
- LDAP_EMAIL_MATCH_ENABLE=true |
|
|
|
|
#- LDAP_EMAIL_MATCH_ENABLE=true |
|
|
|
|
# |
|
|
|
|
# LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match |
|
|
|
|
- LDAP_EMAIL_MATCH_REQUIRE=false |
|
|
|
|
#- LDAP_EMAIL_MATCH_REQUIRE=true |
|
|
|
|
# |
|
|
|
|
# LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching |
|
|
|
|
- LDAP_EMAIL_MATCH_VERIFIED=false |
|
|
|
|
#- LDAP_EMAIL_MATCH_VERIFIED=true |
|
|
|
|
# |
|
|
|
|
# LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address |
|
|
|
|
- LDAP_EMAIL_FIELD=mail |
|
|
|
|
#- LDAP_EMAIL_FIELD=mail |
|
|
|
|
#----------------------------------------------------------------- |
|
|
|
|
- LDAP_SYNC_USER_DATA=true |
|
|
|
|
#- LDAP_SYNC_USER_DATA=false |
|
|
|
|
# |
|
|
|
|
- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"} |
|
|
|
|
#- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"} |
|
|
|
|
# |
|
|
|
|
#- LDAP_SYNC_GROUP_ROLES= |
|
|
|
|
# |
|
|
|
|
# The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP |
|
|
|
|
# example : |
|
|
|
|
- LDAP_DEFAULT_DOMAIN=verband.creditreform.de |
|
|
|
|
#- LDAP_DEFAULT_DOMAIN=mydomain.com |
|
|
|
|
# |
|
|
|
|
# Enable/Disable syncing of admin status based on ldap groups: |
|
|
|
|
- LDAP_SYNC_ADMIN_STATUS=false |
|
|
|
|
#- LDAP_SYNC_ADMIN_STATUS=true |
|
|
|
|
# |
|
|
|
|
# Comma separated list of admin group names to sync. |
|
|
|
|
#- LDAP_SYNC_ADMIN_GROUPS=group1,group2 |
|
|
|
|
#--------------------------------------------------------------------- |
|
|
|
|
# Login to LDAP automatically with HTTP header. |
|
|
|
|
# In below example for siteminder, at right side of = is header name. |
|
|
|
|
#- HEADER_LOGIN_ID=BNPPUID |
|
|
|
|
#- HEADER_LOGIN_FIRSTNAME=BNPPFIRSTNAME |
|
|
|
|
#- HEADER_LOGIN_LASTNAME=BNPPLASTNAME |
|
|
|
|
#- HEADER_LOGIN_EMAIL=BNPPEMAILADDRESS |
|
|
|
|
#- HEADER_LOGIN_ID=HEADERUID |
|
|
|
|
#- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME |
|
|
|
|
#- HEADER_LOGIN_LASTNAME=HEADERLASTNAME |
|
|
|
|
#- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS |
|
|
|
|
#--------------------------------------------------------------------- |
|
|
|
|
# ==== LOGOUT TIMER, probably does not work yet ==== |
|
|
|
|
# LOGOUT_WITH_TIMER : Enables or not the option logout with timer |
|
|
|
|
|