-
-
Notifications
You must be signed in to change notification settings - Fork 176
Configuration Variables
The following environment variables are available to tune your configuration (particularly useful with the docker container):
| Variable | Value | Default | Purpose |
|---|---|---|---|
| Required Variables | |||
| APP_KEY | (value from artisan key:generate) |
not defined | This is used to encrypt data used internally. It should only need to be set once for the life of the application. It is in the format of base64:...
|
| APP_URL | http[s]://URL | not defined | The URL used to get to your PLA instance, eg: https://demo.phpldapadmin.org
|
| LDAP_HOST | hostname to your LDAP server | not defined | A resolvable hostname to your LDAP server eg: my.ldap.server.org
|
| Other Optional Variables | |||
| APP_TIMEZONE | An applicable timezone | UTC | This timezone used, mostly for, logging. eg: Australia/Melbourne
|
| CACHE_DRIVER | preferred caching driver | file | The driver used for LDAP caching - you can use memcached here. Look at config/cache.php for other possible drivers |
| LDAP_ALLOW_GUEST | true/false | false | Used to determine if users must login with their own details to use PLA. When true, the tree will be searched using LDAP_USERNAME to search the LDAP server and populate entries[2] |
| LDAP_CACHE | true/false | false | We use internal caching to reduce the impact to your LDAP server, this enables that caching |
| LDAP_CONNECTION | string | ldap |
config/ldap.php can have definitions for multiple LDAP servers or configurations that use ldaps or starttls. This determines the ldap server configuration to use[3]
|
| LDAP_BASE_DN | Base DN | undefined | Base DN to your LDAP server, if unset, PLA will try to work it out |
| LDAP_LOGIN_ATTR | LDAP Attribute | uid | Attribute used to login in the login form, if you dont want to use a DN[1] |
| LDAP_LOGIN_ATTR_DESC | Description of login attribute | User ID | A description to show when LDAP_LOGIN_ATTR is used (in the login box), this is a friendly description |
| LDAP_LOGIN_OBJECTCLASS | comma delimited list of objectclasses | posixAccount | Objectclass that must be on the user's DN to login. This is a comma delimited list, but any matched objectclass is sufficient to login, eg: posixAccount,inetOrgPerson the user can login if they have posixAccount OR inetOrgPerson [4] |
| LDAP_NAME | text | LDAP Server | Free form text name for your ldap server, eg: ACME Server
|
| LDAP_PORT | int | 389 | TCP port used to query ldap server. You may need to change this if your LDAP_CONNECTION refers to a server on a non-standard port, or a SSL enabled port |
| LDAP_PASSWORD | text | undefined | Password to ldap server[2], eg: mypassword
|
| LDAP_USERNAME | dn | undefined | Authentication DN to connect to ldap server[2], eg: cn=Admin,dc=Test
|
1 | Your LDAP server LDAP_USERNAME and LDAP_PASSWORD will need to be set - to enable searching the LDAP server to return the DN associated with the LDAP_LOGIN_ATTR. Only one result match must be returned with the query.
2 | Your LDAP server LDAP_USERNAME and LDAP_PASSWORD is mostly used to connect to your LDAP server and obtain the schema (it must have the access to read the schema). If you do use LDAP_ALLOW_GUEST=TRUE, then this LDAP_USERNAME will enable you to browse the LDAP tree and return records that this DN has access to. If LDAP_ALLOW_GUEST=FALSE (the default), then a login box will be presented. When LDAP_LOGIN_ATTR is not DN, then LDAP_USERNAME is used to search the directory to obtain the DN for the attribute value used enable logging into the LDAP server.
3 | PLA comes configured to connect to an LDAP server over an unsecure port ldap, a SSL enabled port ldaps, or with starttls (STARTTLS over an unsecure port). The hostname and port to connect to is configured with LDAP_HOSTNAME/LDAP_PORT respectively for the type of connection you want to use. (In PLA v2.0.0 these values were called openldap/openldaps/openldaptls respectively, but will be changed to ldap/ldaps/starttls in v2.0.1+). See config/ldap.php.
4 | After a DN is retrieved by steps 1/2 above, it is checked to see if it has objectclasses matching LDAP_LOGIN_OBJECTCLASS, and if it does not have any of the objectclasses (if there are more than 1), the user will not be logged in.