-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig.yaml
75 lines (64 loc) · 3.78 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
log:
level: info
ldap:
sync_freq: 3600 # seconds - if 0 runs once and exit
auth:
url: <LDAP EP e.g., "ldap://LDAP_domain.internal">
tls: false
user: <LDAP access user CN, e.g., "CN=Administrator,CN=Users,DC=ds,DC=user-win-ldap-srv,DC=c,DC=determined-ai,DC=internal">
password: <LDAP access user password>
#password: !ENV 'LDAP_SYNC_LDAP_PASSWORD' # '!ENV' is parameter retrieved from an environment variable (it can be used everywhere)
ldap_plugin: ms_active_directory # (mandatory) LDAP vendor-specific entries management and mapping
users:
dn: "CN=Users,DC=ds,DC=det-dcellai-win-ldap-srv,DC=c,DC=determined-ai,DC=internal"
attr:
- objectGUID
- cn
- sn
- givenName
- mail
- userPrincipalName
- displayName
- memberOf
- whenChanged
- userAccountControl
filter: "(&(objectCategory=person)(objectClass=user)(name=*)(memberOf=CN=DetGroup,CN=Users,DC=ds,DC=det-dcellai-win-ldap-srv,DC=c,DC=determined-ai,DC=internal))"
custom_plugin: custom_plugin_template # (optional) Customer-specific plug-ing. It executes customer-specific commands before/after all/each user/s is sent to LDAP user management APIs
scim_api:
url: <MLDE SCIM API EP e.g., "http://localhost:8080/scim/v2">
auth:
type: basic
username: <scim user name e.g., "scim-user" as configured on MLDE master.yaml>
password: <scim-user password as configured on MLDE master.yaml>
#password: !ENV 'LDAP_SYNC_SCIM_PASSWORD' # if '!ENV' is present the param is retrieved from the passed environment variable (it can be used everywhere)
attr_mapping:
#
# SCIM fields requested by the MLDE SCIM API and related LDAP field mapping.
# The fields adaptation and mapping is executed by the ldap_plugin.
# SCIM fields can contain const (str|int|float|bool) or LDAP fields ${...}
#
# NOTE: SCIM field list can be extended as preferred, even if not managed (mandatory fields must be present).
#
id: null # (mandatory field) - r/o filled by the SCIM API
userName: ${userPrincipalName} # (mandatory field) - it could be also the email or cn
externalId: ${objectGUID} # (mandatory field) - it could be also the UUID
emails.work.value: ${mail} # (mandatory field) - emails (value: email addr, type: 'work', primary: T)
active: ${userAccountControl} # (mandatory field) - user activation status
name.givenName: ${givenName} # (mandatory field) - first name
name.familyName: ${sn} # (mandatory field) - last name
displayName: ${cn}
preferredLanguage: en_US
whenChanged: ${whenChanged}
memberOf: ${memberOf} # it could be a single group DN
# or as in MS A/D a list of group DN
det_api:
url: <MLDE DET API EP e.g., "http://localhost:8080">
auth:
username: <det APIs user name as configured on MLDE e.g., "admin" User ACL>
password: <det APIs user password as configured on MLDE User ACL>
#password: !ENV 'LDAP_SYNC_DET_ADMIN_PASSWORD' # if '!ENV' is present the param is retrieved from the passed environment variable (it can be used everywhere)
auto_assign_mlde_groups:
enabled: true # if enabled assigns users to specific MLDE groups that have the same name on LDAP
auto_removal_enabled: true # if enabled automatically removes group/s assignments for users that are not assigned anymore to groups that have the same name on LDAP
group_string_filter: '^CN=(.+?)\,' # regex to extract the group from the memberOf field
# For instance, if memberOf is: 'CN=DetGroup,CN=Users,DC=ds,DC=user_name,DC=c,DC=determined-ai,DC=internal'