update from template

eaf3a94c · Marcus · fc3ff636 · eaf3a94c
Commit eaf3a94c authored 3 years ago by Marcus
--- a/tests/feudal_adapter.conf
+++ b/tests/feudal_adapter.conf
@@ -242,6 +242,17 @@ ssh_host_alternative = hdf-ssh.data.kit.edu
 [backend.ldap]
 # Configuration for the ldap backend

+# The ldap backend can function in 3 different modes:
+# - read_only (default): there is read only access to the LDAP, therefore the local accounts
+#       need to already be created in the LDAP and mapped to the federated accounts;
+#       read the docs for more on how to map local <-> federated accounts.
+# - pre_created: the local accounts already exist in the LDAP, but they are not mapped;
+#       the feudal adapter should have write access to the LDAP to modify entries in
+#       order to add the mapping to the federated OIDC account.
+# - full_access: the feudal adapter has full access to the LDAP and can add/delete/update
+#       entries contianing local accounts and mappings.
+mode = read_only
+
 # host where ldap server is running, default: localhost
 host = ldap_server

@@ -249,10 +260,11 @@ host = ldap_server
 port = 1389

 # OPTIONAL: admin credentials to authenticate to the ldap
+# NEEDED for modifying the LDAP
 # when not provided, anonymous bind is used
 # admin user should be fully qualified
-user = cn=admin,dc=cesga,dc=es
-password = adminpassword
+# admin_user = cn=admin,dc=cesga,dc=es
+# admin_password = adminpassword

 # set to true if tls is enabled; default: False
 # not supported yet
@@ -260,18 +272,34 @@ tls = False

 # ldap base for user namespace; default: ou=users,dc=example
 # can include any number of ou / o / dc entries separated by commas
-base = dc=cesga,dc=es
+user_base = ou=usershpc,ou=users,dc=cesga,dc=es

-# attributes containing uids for mapping a user; defaults: gecos & uid
+# user entry attributes containing uids for mapping a user; defaults: gecos & uid
+# users have to be have (at least) the following objectClass: inetOrgPerson, posixAccount
 attribute_oidc_uid = labeledURI
 attribute_local_uid = uid

-### shell  --  default: /bin/sh
-# The unix shell to use
-shell = /bin/bash
+# ldap base for group namespace; default: ou=groups,dc=example
+# can include any number of ou / o / dc entries separated by commas
+group_base = ou=groupshpc,ou=groups,dc=cesga,dc=es
+
+
+#### Options only needed for full_access mode when accounts need to be created
+
+## shell  --  default: /bin/sh
+## The unix shell to use
+# shell = /bin/bash

 ## base directory for home directories -- default /home
-home_base = /home/curso/
+# home_base = /home/curso/
+
+## UID range -- default 1000 -> 60000
+# uid_min = 1000
+# uid_max = 60000
+
+## GID range -- default 1000 -> 60000
+# gid_min = 1000
+# gid_max = 60000

 [backend.ldap.login_info]
 # Static information displayed to the user when deployed to a service.