From c74855d06437fe20a4e19efddd415bf44132d666 Mon Sep 17 00:00:00 2001
From: yo
Date: Mon, 7 Aug 2023 13:59:12 +0200
Subject: [PATCH] v0.5.5: Add "ldap-auth-base-dn" parameter to search autenticating accounts, so we can separate authentication and manipulated base DN

---
 glapi.env.sample | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/glapi.env.sample b/glapi.env.sample
index 732e747..c04a1e7 100644
--- a/glapi.env.sample
+++ b/glapi.env.sample
@@ -1,6 +1,7 @@
 LISTEN="0.0.0.0:8080"
 LDAP_HOST="ldap://ldap.example.org"
-LDAP_BASE_DN="dc=example,dc=org"
+# The base DN exposed to API. Could be buried in LDAP tree so we expose only a subset of directory.
+LDAP_BASE_DN="ou=configuration,dc=example,dc=org"
 
 # This account search for valid user provided by authenticating client.
 # Then glapi bind with client provided credentials to operate LDAP.
@@ -8,6 +9,9 @@ LDAP_BASE_DN="dc=example,dc=org"
 LDAP_USER="cn=ldapreaduser,dc=example,dc=org"
 LDAP_PASS='here_lies_the_password'
 
+# This base DN is where we seach for authenticating accounts. This way we can chose not to expose them to the API.
+LDAP_AUTH_BASE_DN="ou=users,dc=example,dc=org"
+
 # Https support
 HTTPS=false
 SSL_CERTIFICATE=/etc/ssl/certs/server.pem
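Review bot: The new comment above `LDAP_BASE_DN` calls it the base DN "exposed to API" but does not say whether glapi rejects requests whose DN falls outside that subtree or only uses the value as a default search root. The context comment just below says glapi binds with the client's own credentials, so unless the handler checks the DN, the directory ACLs for that identity remain the effective limit. I would state that in the sample, e.g. `# Restricts API operations to this subtree; directory ACLs still apply to the bound client.`, after confirming it against the handler code, which is not part of this patch.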
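Review bot: The sample does not say what happens when `LDAP_AUTH_BASE_DN` is unset, which matters for deployments upgrading with a config that only defines `LDAP_BASE_DN`. If the code falls back to `LDAP_BASE_DN`, the comment should say so; if it does not, the account lookup would presumably run against an empty base and logins would fail after the upgrade. Suggested wording: `# Base DN searched for authenticating accounts; keep it outside LDAP_BASE_DN to hide accounts from the API.`, plus one sentence on the default once confirmed. It is also worth noting that `LDAP_USER` only needs search rights under this subtree. The added comment has two typos, "seach" and "chose".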