@dgalli1
Last active May 10, 2024 06:10
Authelia + OpenLDAP + Ldap User Manager
ldap:
  ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
  ## Acceptable options are as follows:
  ## - 'activedirectory' - For Microsoft Active Directory.
  ## - 'custom' - For custom specifications of attributes and filters.
  ## This currently defaults to 'custom' to maintain existing behaviour.
  ##
  ## Depending on the option here certain other values in this section have a default value, notably all of the
  ## attribute mappings have a default value that this config overrides, you can read more about these default values
  ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
  implementation: custom
  ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
  ## Scheme can be ldap or ldaps in the format (port optional).
  ## Note: with ldap:// and start_tls false the bind password travels in plaintext, so this only
  ## makes sense on the private docker network shared with the openldap container.
  url: ldap://openldap
  ## Use StartTLS with the LDAP connection.
  start_tls: false
  tls:
    ## Server Name for certificate validation (in case it's not set correctly in the URL).
    # server_name: ldap.example.com
    ## Skip verifying the server certificate (to allow a self-signed certificate).
    ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
    ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
    skip_verify: false
    ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
    minimum_version: TLS1.2
  ## The distinguished name of the container searched for objects in the directory information tree.
  ## See also: additional_users_dn, additional_groups_dn.
  base_dn: dc=domain,dc=tld
  ## The attribute holding the username of the user. This attribute is used to populate the username in the session
  ## information. It was introduced due to #561 to handle case insensitive search queries. For your information,
  ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
  ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
  ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
  ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
  ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
  ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
  # username_attribute: uid
  ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
  ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
  additional_users_dn: ou=people
  ## The users filter used in search queries to find the user profile based on input filled in login form.
  ## Various placeholders are available in the user filter:
  ## - {input} is a placeholder replaced by what the user inputs in the login form.
  ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`.
  ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
  ##
  ## Recommended settings are as follows:
  ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
  ## - OpenLDAP:
  ##   - (&({username_attribute}={input})(objectClass=person))
  ##   - (&({username_attribute}={input})(objectClass=inetOrgPerson))
  ##
  ## To allow sign in both with username and email, one can use a filter like
  ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
  users_filter: (&({username_attribute}={input})(objectClass=person))
  ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
  ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
  additional_groups_dn: ou=groups
  ## The groups filter used in search queries to find the groups of the user.
  ## - {input} is a placeholder replaced by what the user inputs in the login form.
  ## - {username} is a placeholder replaced by the username stored in LDAP (based on `username_attribute`).
  ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
  ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
  ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
  ##
  ## If your groups use the `groupOfUniqueNames` structure use this instead:
  ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
  #groups_filter: (&(member={dn})(objectclass=groupOfNames))
  groups_filter: (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
  ## The attribute holding the name of the group.
  group_name_attribute: cn
  ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
  ## first one returned by the LDAP server is used.
  # mail_attribute: mail
  ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
  # display_name_attribute: displayname
  ## The username and password of the admin user.
  user: cn=admin,dc=domain,dc=tld
  ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
  password: adminpasswordsetvialdapusermanager
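As an added example (not code from Authelia or from this gist), the snippet below renders the users_filter and groups_filter above from their placeholders the way the comments describe, escaping the login input per RFC 4515 so that characters such as `*`, `(` and `)` cannot alter the filter's structure. The attribute names and filter templates are taken from the config; the function names and the escaping helper are assumptions of this example, not Authelia's implementation.

```python
# Added example: render Authelia-style LDAP filter templates with RFC 4515 escaping.
# The templates and attribute names mirror the config above; the helper functions
# are written here for illustration and are not Authelia's own code.

# Values from the config above (username_attribute/mail_attribute are the 'custom' defaults).
USERNAME_ATTRIBUTE = "uid"
MAIL_ATTRIBUTE = "mail"
USERS_FILTER = "(&({username_attribute}={input})(objectClass=person))"
GROUPS_FILTER = "(&(uniquemember={dn})(objectclass=groupOfUniqueNames))"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
# Backslash is escaped first so the other escapes are not double-processed.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally rather than parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_users_filter(login_input: str) -> str:
    """Substitute attribute placeholders first, then the escaped form input."""
    return (USERS_FILTER
            .replace("{username_attribute}", USERNAME_ATTRIBUTE)
            .replace("{mail_attribute}", MAIL_ATTRIBUTE)
            .replace("{input}", escape_filter_value(login_input)))


def render_groups_filter(user_dn: str) -> str:
    """Substitute the user's DN (as returned by the user search) into the groups filter."""
    return GROUPS_FILTER.replace("{dn}", escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed sample inputs: a normal login and one containing filter metacharacters.
    print(render_users_filter("alice"))
    print(render_users_filter("*)(uid=*"))
    print(render_groups_filter("uid=alice,ou=people,dc=domain,dc=tld"))
```

The second sample shows why escaping matters: the metacharacters become `\2a\29\28` and the filter still matches a single literal username value.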
version: '3.3'
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    networks:
      - default
    ports:
      - 9191:9091
    depends_on:
      - openldap
    restart: always
    environment:
      - TZ=Europe/London
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    hostname: "" # doesn't have to be accessible outside of the docker network, e.g. ldap.example.com
    volumes:
      - ./ldap/db:/var/lib/ldap
      - ./ldap/conf:/etc/ldap/slapd.d
    networks:
      - default
    expose:
      - 389
      - 636
    restart: always
    environment:
      TZ: "Europe/London"
      LDAP_ORGANISATION: "" # Org name
      LDAP_DOMAIN: "" # domain.tld
      LDAP_BASE_DN: "dc=domain,dc=tld" # edit domain tld
      LDAP_ADMIN_PASSWORD: "" # password for admin@domain.tld
      LDAP_CONFIG_PASSWORD: "" # password for config (not sure what this does)
      LDAP_TLS_VERIFY_CLIENT: "try"
      LDAP_READONLY_USER: "false"
      LDAP_READONLY_USER_USERNAME: "readonly"
      LDAP_READONLY_USER_PASSWORD: "readonly"
      LDAP_RFC2307BIS_SCHEMA: "true"
      LDAP_BACKEND: "mdb"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
  ldap-user-manager:
    image: wheelybird/ldap-user-manager:latest
    container_name: ldap-user-manager
    networks:
      - default
    ports:
      - 8785:80
    restart: always
    depends_on:
      - openldap
    environment:
      TZ: "Europe/Lisbon"
      SERVER_HOSTNAME: "" # url for webui
      ORGANISATION_NAME: "" # Org name
      LDAP_URI: "ldap://openldap"
      LDAP_BASE_DN: "dc=domain,dc=tld" # edit domain tld, same as above
      LDAP_REQUIRE_STARTTLS: "FALSE"
      LDAP_ADMINS_GROUP: "admins" # admin group
      LDAP_ADMIN_BIND_DN: "cn=admin,dc=domain,dc=tld" # edit domain tld, same as above
      LDAP_ADMIN_BIND_PWD: "" # admin password set above
      LDAP_DEBUG: "true"
      LDAP_USES_NIS_SCHEMA: "false"
      LDAP_IGNORE_CERT_ERRORS: "true"
      EMAIL_DOMAIN: "" # email @this.part.here
      NO_HTTPS: "true"
      SMTP_HOSTNAME: "" # email SMTP
      SMTP_HOST_PORT: 465
      SMTP_USERNAME: "" # email username (usually your email)
      SMTP_PASSWORD: "" # email password
      SMTP_USE_TLS: "true"
      EMAIL_FROM_ADDRESS: "" # your email address
      REMOTE_HTTP_HEADERS_LOGIN: "TRUE" # logs users in from proxy-supplied headers; only reach port 80 through the authenticating proxy
@cyqsimon

Very convenient reference and starting point. Thanks for sharing!

@dgalli1 (Author) commented Mar 28, 2024

@cyqsimon just noticed that this is outdated and potentially dangerous.
Make sure to use image: wheelybird/ldap-user-manager:latest instead of next_release

@cyqsimon

> @cyqsimon just noticed that this is outdated and potentially dangerous. Make sure to use image: wheelybird/ldap-user-manager:latest instead of next_release

Got it. Thanks for the heads-up!