
# The flask secret key for cookies. You MUST change this.
# Anyone who knows this value can forge session cookies. Generate a long
# random value (e.g. `python -c "import secrets; print(secrets.token_hex(32))"`)
# and keep the real value out of version control.
SECRET_KEY = "change me before you go in production"
# Your organization name.
NAME = "MyDomain"
# You can display a logo to be recognized on login screens
# LOGO = "https://path/to/your/organization/logo.png"
# If unset, language is detected
# LANGUAGE = "en"
# Path to the RFC8414 metadata files. You should update those files
# with your production URLs.
# NOTE(review): relative paths are resolved by the application, presumably
# against its working directory — confirm before deploying.
OAUTH2_METADATA_FILE = "oidc_ldap_bridge/conf/oauth-authorization-server.json"
OIDC_METADATA_FILE = "oidc_ldap_bridge/conf/openid-configuration.json"
# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
[LDAP]
# Connection URI. A plain ldap:// URI sends BIND_PW and the passwords of
# users signing in as clear text on the wire unless the client negotiates
# StartTLS; prefer ldaps:// (or a TLS-upgraded connection) for any server
# that is not on the local host.
URI = "ldap://ldap"
ROOT_DN = "dc=mydomain,dc=tld"
# Service account the application binds with. The sample uses the directory
# admin only for convenience; where possible use a dedicated account limited
# to the rights the application actually needs, and keep BIND_PW out of
# version control.
BIND_DN = "cn=admin,dc=mydomain,dc=tld"
BIND_PW = "admin"
# Where to search for users?
USER_BASE = "ou=users,dc=mydomain,dc=tld"
# Filter to match users on sign in. Supports a variable
# {login}. For sign in against either uid or mail use:
# USER_FILTER = "(|(uid={login})(mail={login}))"
# NOTE(review): {login} is user-supplied input; the application is expected
# to escape it per RFC 4515 before substituting it into this filter —
# confirm in the code that builds the filter.
USER_FILTER = "(|(uid={login})(cn={login}))"
# Filter to match admin users. If your server has memberof
# you can filter against group membership
# ADMIN_FILTER = "uid=admin"
# On a server without the memberOf attribute the filter below matches
# no entry at all, so nobody is treated as an admin.
ADMIN_FILTER = "memberof=cn=admins,ou=groups,dc=mydomain,dc=tld"
# The jwt configuration. You can generate a RSA keypair with:
# ssh-keygen -t rsa -b 4096 -m PEM -f private.pem
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
[JWT]
# The private key signs every token this service issues: restrict its file
# permissions to the application user (e.g. 0600) and never ship it in the
# repository. The public key is safe to distribute.
PUBLIC_KEY = "oidc_ldap_bridge/conf/public.pem"
PRIVATE_KEY = "oidc_ldap_bridge/conf/private.pem"
# Key type and signing algorithm. Both must agree with the key pair above:
# an RSA key cannot be used with an EC or HMAC algorithm.
KTY = "RSA"
ALG = "RS256"
# Token lifetime; presumably seconds (3600 = one hour) — confirm against
# the code that sets the exp claim.
EXP = 3600
[JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass. Default values fit inetOrgPerson.
# Every attribute listed here ends up in the tokens handed to clients, so
# only map attributes you are willing to disclose to relying parties.
SUB = "uid"
NAME = "cn"
PHONE_NUMBER = "telephoneNumber"
EMAIL = "mail"
GIVEN_NAME = "givenName"
# NOTE(review): the key is spelled FAMILIY_NAME; the consuming code must
# read the same spelling, so verify there before renaming it.
FAMILIY_NAME = "sn"
PREFERRED_USERNAME = "displayName"
LOCALE = "preferredLanguage"
PICTURE = "photo"