# The sync account token as generated by "system sync generate-token". sync_token = "eyJhb..." # A cron-like expression of when to run when in scheduled mode. The format is: # sec min hour day of month month day of week year # # The default of this value is "0 */5 * * * * *" which means "run every 5 minutes". # schedule = "" # If you want to monitor the status of the scheduled sync tool (you should) # then you can set a bind address here. # # If not set, defaults to no status listener. # status_bind = "" # The LDAP URI to the server. This MUST be LDAPS. You should connect to a unique single # server in the LDAP topology rather than via a load balancer or dns srv records. This # is to prevent replication conflicts and issues due to how 389-ds and openldap sync works. ldap_uri = "ldaps://specific-server.ldap.kanidm.com" # Path to the LDAP CA certificate in PEM format. ldap_ca = "/path/to/kanidm-ldap-ca.pem" # The DN of an account with content sync rights. On 389-ds, by default cn=Directory Manager has # this access. On OpenLDAP you must grant this access. ldap_sync_dn = "cn=Directory Manager" ldap_sync_pw = "directory manager password" # The basedn to search ldap_sync_base_dn = "dc=ldap,dc=dev,dc=kanidm,dc=com" # Filter the entries that are synchronised with this filter # NOTE: attribute-value-assertions with spaces require quoting! ldap_filter = "(|(objectclass=person)(objectclass=posixgroup))" # ldap_filter = "(cn=\"my value\")" # The objectclass used to identify persons to import to Kanidm. # # If not set, defaults to "person" # person_objectclass = "" # Attribute mappings. These allow you to bind values from your directory server # to the values that Kanidm will import. # # person_attr_user_name = "uid" # person_attr_display_name = "cn" # person_attr_gidnumber = = "uidnumber" # person_attr_login_shell = "loginshell" # person_attr_password = "userpassword" # If the password value requires a prefix for Kanidm to import it, this can be optionally # provided here. # # person_password_prefix = "" # The objectclass used to identify groups to import to Kanidm. # # If not set, defaults to "groupofnames" # group_objectclass = "" # Attribute mappings. These allow you to bind values from your directory server # to the values that Kanidm will import. # # group_attr_name = "cn" # group_attr_description = "description" # group_attr_member = "member" # group_attr_gidnumber = "gidnumber" # The sync tool can alter or exclude entries. These are mapped by their syncuuid # The syncuuid is derived from nsUniqueId in 389-ds. It is the entryUUID for OpenLDAP # This is chosen oven DN because DN's can change with modrdn where nsUniqueId/entryUUID is # immutable and requires an entry to be deleted and recreated. [ac60034b-3498-11ed-a50d-919b4b1a5ec0] # my-problematic-entry exclude = true # Remap the uuid of this entry to a new uuid on Kanidm # # map_uuid = # Remap the name of this entry to a new name on Kanidm # # map_name = # Remap the gidnumber for groups, and uidnumber for users # # map_gidnumber =