ldap_attribute_store.yaml.example
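---
# SATOSA LdapAttributeStore micro-service example configuration.
# Looks the authenticated user up in an LDAP directory and maps the
# returned LDAP attributes onto internal SATOSA attribute names.
module: LdapAttributeStore
name: LdapAttributeStore
config:
  # The microservice may be configured per entityID.
  # The configuration key is the entityID of the requesting SP,
  # the authenticating IdP, or the entityID of the CO virtual IdP.
  # The key "default" specifies the default configuration.
  default:
    # ldaps:// keeps the bind credentials and the returned attributes
    # encrypted in transit; plain ldap:// would expose both.
    ldap_url: ldaps://ldap.example.org
    # Illustrative only: in a deployment use a dedicated service account
    # with read-only rights to search_base rather than an administrative DN.
    bind_dn: cn=admin,dc=example,dc=org
    # Obtain bind password from environment variable LDAP_BIND_PASSWORD.
    # Keeping the secret out of this file also keeps it out of version
    # control. !ENV / !ENVFILE are not standard YAML tags; a generic
    # safe loader will reject them (SATOSA's loader resolves them).
    bind_password: !ENV LDAP_BIND_PASSWORD
    # Obtain bind password from file pointed to by
    # environment variable LDAP_BIND_PASSWORD_FILE.
    # bind_password: !ENVFILE LDAP_BIND_PASSWORD
    search_base: ou=People,dc=example,dc=org
    # The service only searches; a read-only connection limits the impact
    # of a compromised bind credential.
    read_only: true
    auto_bind: true
    version: 3
    ## See ldap3 client_strategies. The default is REUSABLE.
    client_strategy: RESTARTABLE
    ## Specify pool settings when using REUSABLE client strategy.
    ## They only take effect with REUSABLE, so with RESTARTABLE (as set
    ## above) the two pool_* values below are inert.
    # pool_size: number of open connections; default: 10
    pool_size: 10
    # pool_keepalive: seconds to wait between calls to server to keep the
    # connection alive; default: 10
    pool_keepalive: 10
    # Attributes to return from LDAP query.
    query_return_attributes:
      - sn
      - givenName
      - mail
      - employeeNumber
      - isMemberOf
    # LDAP attribute to internal attribute mapping.
    ldap_to_internal_map:
      sn: surname
      givenName: givenname
      mail: mail
      employeeNumber: employeenumber
      isMemberOf: ismemberof
    # Deprecated.
    # Use query_return_attributes and ldap_to_internal_map instead.
    # Format is LDAP attribute name: internal attribute name
    search_return_attributes:
      sn: surname
      givenName: givenname
      mail: mail
      employeeNumber: employeenumber
      isMemberOf: ismemberof
    # Ordered list of identifiers to use when constructing the search filter
    # to find the user record in LDAP directory. The first candidate whose
    # attributes are all present in the incoming data is used.
    #
    # This example searches in order for eduPersonUniqueId,
    # eduPersonPrincipalName combined with SAML persistent NameID,
    # eduPersonPrincipalName combined with eduPersonTargetedId,
    # eduPersonPrincipalName, SAML persistent NameID, and
    # eduPersonTargetedId.
    ordered_identifier_candidates:
      - attribute_names:
          - epuid
      - attribute_names:
          - eppn
          - name_id
        name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      - attribute_names:
          - eppn
          - edupersontargetedid
      - attribute_names:
          - eppn
      - attribute_names:
          - name_id
        name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        add_scope: issuer_entityid
      - attribute_names:
          - edupersontargetedid
        add_scope: issuer_entityid
    # LDAP attribute the candidate identifier is matched against.
    ldap_identifier_attribute: uid
    # Whether to clear values for attributes incoming
    # to this microservice. Default is false.
    # Written as a canonical YAML boolean; "no" only reads as a boolean
    # under YAML 1.1 rules.
    clear_input_attributes: false
    # List of LDAP attributes to use as input to hashing to create
    # NameID.
    user_id_from_attrs:
      - employeeNumber
    # Where to redirect the browser if no record is returned
    # from LDAP. The default is not to redirect.
    on_ldap_search_result_empty: https://my.vo.org/please/go/enroll
  # The microservice may be configured per entityID.
  # The configuration key is the entityID of the requesting SP,
  # the authenticating IdP, or the entityID of the CO virtual IdP.
  # When more than one configured entityID matches during a flow
  # the priority ordering is requesting SP, then authenticating IdP, then
  # CO virtual IdP. Any missing parameters are taken from the
  # default configuration.
  https://sp.myserver.edu/shibboleth-sp:
    search_base: ou=People,o=MyVO,dc=example,dc=org
    search_return_attributes:
      employeeNumber: employeenumber
    ordered_identifier_candidates:
      - attribute_names:
          - eppn
    user_id_from_attrs:
      - uid
  # Every entityID key needs a trailing colon; without it the document
  # does not parse.
  https://federation-proxy.my.edu/satosa/idp/proxy/some_co:
    search_base: ou=People,o=some_co,dc=example,dc=org
  # The microservice may be configured to ignore a particular entityID.
  https://another.sp.myserver.edu:
    ignore: true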