security: providers: chain_provider: chain: providers: [kimai_ldap] firewalls: secured_area: kimai_ldap: ~ kimai: user: registration: __REGISTRATION__ ldap: activate: true # more infos about the connection params can be found at: # https://docs.laminas.dev/laminas-ldap/api/ connection: # The default hostname of the LDAP server (mandatory setting). # You can connect to multiple servers by setting their URLs like this: # host: "ldap://ldap.example.local ldap://ldap2.example.local" # host: "ldaps://ldap.example.local ldaps://ldap2.example.local" host: "ldap://127.0.0.1" # Default port for your LDAP port server # default: 389 port: 389 # Whether or not the LDAP client should use SSL encrypted transport. # The useSsl and useStartTls options are mutually exclusive. # default: false #useSsl: false # Enable TLS negotiation (should be favoured over useSsl). # The useSsl and useStartTls options are mutually exclusive. # default: false #useStartTls: false # The default credentials username (your service account). Some servers # require that this is given in DN form. # It must be given in DN form if the LDAP server requires # a DN to bind and binding should be possible with simple usernames. # default: empty #username: # Password for the username (service-account) above # default: empty #password: # LDAP search filter to find the user (%s will be replaced by the username). # Should be set, to be compatible with your object structure. # You don not need to set this filter, unless you have a very special setup # or use Microsofts Active directory. # # Defaults: # - if bindRequiresDn is false: (&(objectClass=user)(sAMAccountName=%s)) # - if bindRequiresDn is true: (&%filter%(uid=%s)) # - %filter% = empty # accountFilterFormat = (&(usernameAttribute=%s)) # - %filter% = (&(objectClass=posixAccount)) # accountFilterFormat = (&(objectClass=posixAccount))(&(usernameAttribute=%s)) # # %filter% is the "filter" configuration defined below in the "user" section #accountFilterFormat: (&(objectClass=inetOrgPerson)(uid=%s)) # If true, this instructs Kimai to retrieve the DN for the account, # used to bind if the username is not already in DN form. # default: true #bindRequiresDn: true # If set to true, this option indicates to the LDAP client that # referrals should be followed, default: false #optReferrals: false # for the next options please refer to: # https://docs.laminas.dev/laminas-ldap/api/ #allowEmptyPassword: false #tryUsernameSplit: #networkTimeout: #accountCanonicalForm: 3 #accountDomainName: HOST #accountDomainNameShort: HOST user: # baseDn to query for users (mandatory setting). baseDn: "ou=users, dc=yunohost, dc=org" # Field used to match the login username in your LDAP. # If "bindRequiresDn: false" is set, the username is used in "bind". # Otherwise a search is executed to find the users "dn" by finding the user # via this attribute with his "baseDn" and the "filter" below. # default: uid usernameAttribute: "uid" # LDAP search base filter to find the user / the users DN. # Do NOT include the rule (&(usernameAttribute=%s)), it will be appended # automatically. The result of the search filter must return 1 result only. # default: empty (results in (&(uid=%s)) with default usernameAttribute) filter: "(&(objectClass=inetOrgPerson))" # LDAP search base filter to find the user attributes. # This is used for a slightly different query than the one above, which is # used to query the users DN only. # AD users might have too many results (Exchange activesync devices # attributes) and therefor an incompatible result structure if not changed. # See https://github.com/kevinpapst/kimai2/issues/875 # default: (objectClass=*) #attributesFilter: (objectClass=Person) # Configure the mapping between LDAP attributes and user entity # The ldap_attr must be given in lowercase! attributes: # The following 2 rules are automatically prepended and can be overwritten. # Username is set to the value of the configured "usernameAttribute" field - { ldap_attr: "uid", user_method: setUsername } # Only applied if you don't configure a mapping for setEmail() - { ldap_attr: "mail", user_method: setEmail } # An example which will set the display name in Kimai from the # value of the "common name" field in your LDAP - { ldap_attr: "cn", user_method: setAlias } # You can comment the following section, if you don't want to manage # user roles in Kimai via LDAP groups. If you want to use the group # sync, you have to set at least the "role.baseDn" config. # default: deactivated as "role.baseDn" is empty by default role: # baseDn to query for groups, MUST be set to activate the "group import" # default: empty (deactivated) baseDn: "ou=permission, dc=yunohost, dc=org" # Filter to query user groups, all results will be matched against # the configured "groups" mapping below. # The full search filter will ALWAYS be generated like this: # (&%filter(userDnAttribute=valueOfUsernameAttribute)) # The following example rule will be expanded to (for user "foo"): # (&(&(objectClass=groupOfNames))(member=foo)) # default: empty filter: "(&(objectClass=posixGroup)(cn=__APP__*))" # The following field is taken from the LDAP user entry and its # value is used in the filter above as "valueOfUsernameAttribute". # The attribute must be given in lowercase! # The example below uses "posix group style memberUid". # default: dn usernameAttribute: "dn" # Field that holds the group name, which will be used to map the # LDAP groups with Kimai roles (see groups mapping below). # default: cn nameAttribute: "cn" # Field that holds the users dn in your LDAP group definition. # Value of this configuration is used in the filter (see above). # default: member userDnAttribute: "inheritPermission" # Convert LDAP group name (nameAttribute) to Kimai role # You will very likely have to define mappings, unless your groups # are called "teamlead", "admin" or "super_admin" groups: # - { ldap_value: group1, role: ROLE_TEAMLEAD } # - { ldap_value: kimai_admin, role: ROLE_ADMIN } - { ldap_value: "__APP__.teamlead", role: ROLE_TEAMLEAD } - { ldap_value: "__APP__.admin", role: ROLE_ADMIN } - { ldap_value: "__APP__.super_admin", role: ROLE_SUPER_ADMIN }