diff --git a/README.md b/README.md
index 14946ee..4309c0e 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ glapi -config glapi.env
 ```
 LISTEN="0.0.0.0:8443"
 LDAP_HOST="ldap://ldap.example.org"
+# The base DN exposed to API. Could be buried in LDAP tree so we expose only a subset of directory.
 LDAP_BASE_DN="dc=example,dc=org"
 
 # This account search for valid user provided by authenticating client.
@@ -27,6 +28,9 @@ LDAP_BASE_DN="dc=example,dc=org"
 LDAP_USER="cn=ldapreaduser,dc=example,dc=org"
 LDAP_PASS='here_lies_the_password'
 
+# This base DN is where we seach for authenticating accounts. This way we can chose not to expose them to the API.
+LDAP_AUTH_BASE_DN="ou=users,dc=example,dc=org"
+
 # Https support
 HTTPS=true
 SSL_CERTIFICATE=/etc/ssl/certs/server.pem
diff --git a/glapi.env.sample b/glapi.env.sample
index c04a1e7..648e1ee 100644
--- a/glapi.env.sample
+++ b/glapi.env.sample
@@ -3,7 +3,7 @@ LDAP_HOST="ldap://ldap.example.org"
 # The base DN exposed to API. Could be buried in LDAP tree so we expose only a subset of directory.
 LDAP_BASE_DN="ou=configuration,dc=example,dc=org"
 
-# This account search for valid user provided by authenticating client.
+# This account search for valid users provided by authenticating clients.
 # Then glapi bind with client provided credentials to operate LDAP.
 # Thus this account only needs bind privilege, and read access to users organizational unit
 LDAP_USER="cn=ldapreaduser,dc=example,dc=org"