## Authorizations
# Uncomment the merge line (`<<: *AUTHORIZATIONS`) in each environment that should
# include these settings.
# You can also just copy and paste the tree (do not include the "authorizations") to each
# environment if you need something different per environment.
#
# NOTE(review): every `<<: *AUTHORIZATIONS` line in this file is commented out, so as
# written none of the settings below (including allow_unauthenticated_bind: false and
# require_attribute_presence) is merged into development, test or production. Whether
# unauthenticated binds are still refused then depends on the consumer's default for a
# missing key - confirm against the LDAP authentication library in use.
authorizations: &AUTHORIZATIONS
  allow_unauthenticated_bind: false
  # group_base: ou=groups,dc=test,dc=com
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  # required_groups:
  #   # If only a group name is given, membership will be checked against "uniqueMember"
  #   - cn=admins,ou=groups,dc=test,dc=com
  #   - cn=users,ou=groups,dc=test,dc=com
  #   # If an array is given, the first element will be the attribute to check against,
  #   # the second the group name
  #   - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
  ## Requires config.ldap_check_attributes in devise.rb to be true
  ## Can have multiple attributes and values, must match all to be authorized
  # require_attribute:
  #   objectClass: inetOrgPerson
  #   authorizationRole: postsAdmin
  ## Requires config.ldap_check_attributes_presence in devise.rb to be true
  ## Can have multiple attributes set to true or false to check presence; all must match
  ## to be authorized
  require_attribute_presence:
    mail: true

## Environment

# Development: connection settings come from environment variables, with local fallbacks.
# The ERB output is inserted into the YAML text verbatim and typed by the YAML parser
# afterwards, so "389" becomes an integer and "false" a boolean.
development:
  host: <%= ENV["LDAP_HOST"] || "localhost" %>
  port: <%= ENV["LDAP_PORT"] || "389" %>
  attribute: cn
  base: <%= ENV["LDAP_BASE"] || "ou=kosmos.org,cn=users,dc=kosmos,dc=org" %>
  admin_user: "cn=Directory Manager"
  # NOTE(review): no fallback and no quoting here. If LDAP_ADMIN_PASSWORD is unset the
  # value renders empty and parses as null; a password that contains " #" or ": ", or
  # starts with a YAML indicator character, would be truncated or mis-parsed. Emitting an
  # escaped scalar from the template would avoid that - confirm how the consumer treats a
  # null admin_password before changing it.
  admin_password: <%= ENV["LDAP_ADMIN_PASSWORD"] %>
  # TLS is off unless LDAP_USE_TLS is set; the variable's text is used as the YAML value.
  ssl: <%= ENV["LDAP_USE_TLS"] || "false" %>
  # <<: *AUTHORIZATIONS

# Test: fixed local directory on port 3389.
test:
  host: localhost
  port: 3389
  attribute: cn
  base: ou=kosmos.org,cn=users,dc=kosmos,dc=org
  admin_user: "cn=Directory Manager"
  # NOTE(review): literal credential kept in the file; presumably valid only for a
  # throwaway test directory - verify it is not reused for any shared or real server.
  admin_password: adminpass
  # ssl: false
  # <<: *AUTHORIZATIONS

# Production: bind credentials are read from the Rails encrypted credentials store.
production:
  host: ldap.kosmos.local
  # NOTE(review): port 389 with no `ssl` key set (the line below is commented out). Unless
  # the consumer enables encryption by default or the link is protected at another layer,
  # the admin bind and user password checks would cross the network unencrypted - confirm,
  # and prefer an explicit TLS setting here.
  port: 389
  attribute: cn
  base: ou=kosmos.org,cn=users,dc=kosmos,dc=org
  # `rescue nil` swallows any error raised by the credentials lookup (for example a
  # missing `ldap` entry); the key then renders empty and parses as null, so a missing
  # secret is not reported at load time and only shows up later when the bind is attempted.
  admin_user: <%= Rails.application.credentials.ldap[:username] rescue nil %>
  admin_password: <%= Rails.application.credentials.ldap[:password] rescue nil %>
  # ssl: false
  # <<: *AUTHORIZATIONS