Kanidm LDAP Auth Source for SimpleSAMLphp

This is an example `/config/authsources.php` for using Kanidm's LDAP connector to provide user details and authentication.

Users need to be posix-enabled, and members of the posix-enabled group `saml_admins` will be marked as Administrators in SimpleSAMLphp.

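<?php
// Connection settings shared by both authentication sources below.
// The ldaps:// scheme with port 636 gives an encrypted connection from the first byte;
// the search base must match the domain Kanidm was configured with.
$KANIDM_HOSTNAME = 'ldaps://kanidm.example.com';
$KANIDM_SEARCHBASE = 'dc=kanidm,dc=example,dc=com';
$KANIDM_LDAP_PORT = 636;

$config = [
    // Admin credentials. Only posix-enabled accounts that are members of the
    // posix-enabled group "saml_admins" can authenticate through this source.
    // That membership check lives entirely in 'search.filter' below: it is the
    // authorization control for the admin UI, so do not loosen that filter
    // without replacing the restriction it provides.
    'admin' => [
        // The default is to use core:AdminPassword, but it can be replaced with any authentication source.
        'ldap:LDAP',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        'remember.username.enabled' => false,
        'remember.username.checked' => false,

        // The hostname of the LDAP server.
        'hostname' => $KANIDM_HOSTNAME,

        // Whether SSL/TLS should be used when contacting the LDAP server.
        // The hostname already uses the ldaps:// scheme, so the transport is encrypted
        // regardless of this flag; it additionally requests STARTTLS, which the ldap
        // module skips for ldaps:// URLs — NOTE(review): confirm against the module version in use.
        'enable_tls' => true,

        // Whether debug output from the LDAP library should be enabled.
        // Default is FALSE.
        'debug' => false,

        // The timeout for accessing the LDAP server, in seconds. The default is 0, which means no timeout.
        'timeout' => 30,

        // The port used when accessing the LDAP server.
        // The default is 389.
        'port' => $KANIDM_LDAP_PORT,

        // Set whether to follow referrals. AD Controllers may require FALSE to function.
        'referrals' => true,

        // Which attributes should be retrieved from the LDAP server.
        // This can be an array of attribute names, or NULL, in which case
        // all attributes are fetched.
        'attributes' => ['uid'],

        // The user's DN is located by searching (search.enable below), so no
        // 'dnpattern' is needed here; a pattern would be ignored while search.enable is TRUE.

        // As an alternative to specifying a pattern for the user's DN, it is possible to
        // search for the username in a set of attributes. This is enabled by this option.
        'search.enable' => true,

        // The DN which will be used as a base for the search.
        // This can be a single string, in which case only that DN is searched, or an
        // array of strings, in which case they will be searched in the order given.
        'search.base' => $KANIDM_SEARCHBASE,

        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in
        // the array may match the value of the username.
        'search.attributes' => [
            'name',
        ],

        // Additional LDAP filters appended to the search attributes.
        // The memberof clause restricts this source to members of "saml_admins";
        // the group is referenced by name here — TODO confirm this resolves in your Kanidm deployment.
        'search.filter' => '(&(class=posixaccount)(memberof=saml_admins))',

        // The username & password SimpleSAMLphp should bind with before searching. If
        // this is left as NULL, no bind will be performed before searching, i.e. the
        // search runs anonymously. Kanidm's anonymous account must then be able to read
        // the attributes used in the filter — presumably it can by default; verify, or
        // set a dedicated read-only service account here instead.
        'search.username' => null,
        'search.password' => null,

        // If the directory uses privilege separation, the authenticated user may not be able to retrieve
        // all required attributes, a privileged entity is required to get them. This is enabled with this option.
        'priv.read' => false,

    ],
    // Normal users. The account needs to be posix-enabled; no group membership is required.
    'ldap' => [
        'ldap:LDAP',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        'remember.username.enabled' => false,
        'remember.username.checked' => false,

        // The hostname of the LDAP server.
        'hostname' => $KANIDM_HOSTNAME,

        // Whether SSL/TLS should be used when contacting the LDAP server.
        // See the note on the 'admin' source: the ldaps:// hostname already encrypts the transport.
        'enable_tls' => true,

        // Whether debug output from the LDAP library should be enabled.
        // Default is FALSE.
        'debug' => false,

        // The timeout for accessing the LDAP server, in seconds. The default is 0, which means no timeout.
        'timeout' => 30,

        // The port used when accessing the LDAP server. The default is 389.
        'port' => $KANIDM_LDAP_PORT,

        // Set whether to follow referrals. AD Controllers may require FALSE to function.
        'referrals' => true,

        // Which attributes should be retrieved from the LDAP server.
        // This can be an array of attribute names, or NULL, in which case all attributes are fetched.
        'attributes' => ['uid', 'mail', 'memberOf', 'displayName'],

        // As an alternative to specifying a pattern for the user's DN, it is possible to
        // search for the username in a set of attributes. This is enabled by this option.
        'search.enable' => true,

        // The DN which will be used as a base for the search.
        // This can be a single string, in which case only that DN is searched, or an
        // array of strings, in which case they will be searched in the order given.
        'search.base' => $KANIDM_SEARCHBASE,

        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in
        // the array may match the value of the username.
        'search.attributes' => [
            'name',
        ],

        // Additional LDAP filters appended to the search attributes.
        'search.filter' => '(class=posixaccount)',

        // The username & password SimpleSAMLphp should bind with before searching. If
        // this is left as NULL, no bind will be performed before searching (anonymous search;
        // see the note on the 'admin' source).
        'search.username' => null,
        'search.password' => null,

        // If the directory uses privilege separation,
        // the authenticated user may not be able to retrieve
        // all required attributes, a privileged entity is required
        // to get them. This is enabled with this option.
        'priv.read' => false,

    ],
];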


#Kanidm #LDAP #howto