Configuration Variables
The following environment variables are available to tune your configuration (particularly useful with the docker container). You can set these values in your `.env` file, or as a variable in the environment running PLA.
Variable | Value | Default | Purpose |
---|---|---|---|
**Required Variables** | | | |
APP_KEY | (value from `artisan key:generate`) | not defined | This is used to encrypt data used internally. It should only need to be set once for the life of the application. It is in the format `base64:...` |
LDAP_HOST | hostname of your LDAP server | not defined | A resolvable hostname of your LDAP server, eg: my.ldap.server.org |
**Other Optional Variables** | | | |
APP_TIMEZONE | An applicable timezone | UTC | The timezone used, mostly for logging. eg: Australia/Melbourne |
CACHE_DRIVER | preferred caching driver | file | The driver used for LDAP caching - you can use memcached here. Look at `config/cache.php` for other possible drivers |
LDAP_ALLOW_GUEST | true/false | false | Determines whether users must login with their own details to use PLA. When true, the tree is searched using LDAP_USERNAME to query the LDAP server and populate entries[2] |
LDAP_BASE_DN | comma delimited list of Base DNs | undefined | Base DN(s) of your LDAP server; if unset, PLA will try to work it out. (v2.2+) Note: these DNs must exist if defined |
LDAP_CACHE | true/false | false | PLA uses internal caching to reduce the load on your LDAP server; this enables that caching |
LDAP_CONNECTION | string | ldap | `config/ldap.php` can have definitions for multiple LDAP servers or configurations that use ldaps or starttls. This determines the LDAP server configuration to use[3] |
LDAP_LOGIN_ATTR | LDAP Attribute | uid | Attribute used to login in the login form, if you don't want to use DNs as the login name[1]. This can be any valid LDAP attribute, or DN to force using the full DN to login. |
LDAP_LOGIN_ATTR_DESC | Description of login attribute | User ID | A friendly description shown in the login box when LDAP_LOGIN_ATTR is used |
LDAP_LOGIN_OBJECTCLASS | comma delimited list of objectclasses | posixAccount | Objectclass that must be on the user's DN to login. This is a comma delimited list, but any matched objectclass is sufficient to login, eg: `posixAccount,inetOrgPerson` means the user can login if they have posixAccount OR inetOrgPerson[4]. Login limited by objectClass is implemented as an LDAP Rule (see `app/Ldap/Rules/LoginObjectclassRule.php`). If you want to implement your own login conditions (to limit which users can login), you can ignore this configuration item, create your own rule in `app/Ldap/Rules` and reference that rule in `config/auth.php` (see the providers -> ldap -> rules array). |
LDAP_NAME | text | LDAP Server | Free form text name for your LDAP server, eg: ACME Server |
LDAP_PORT | int | 389 | TCP port used to query the LDAP server. You may need to change this if your LDAP_CONNECTION refers to a server on a non-standard port, or an SSL enabled port |
LDAP_PASSWORD | text | undefined | Password for the LDAP server[2], eg: mypassword |
LDAP_USERNAME | dn | undefined | Authentication DN used to connect to the LDAP server[2], eg: cn=Admin,dc=Test |
1. Your LDAP server LDAP_USERNAME and LDAP_PASSWORD will need to be set, to enable searching the LDAP server to return the DN associated with the LDAP_LOGIN_ATTR. The query must return exactly one match.
2. Your LDAP server LDAP_USERNAME and LDAP_PASSWORD are mostly used to connect to your LDAP server and obtain the schema (the DN must have access to read the schema). If you use LDAP_ALLOW_GUEST=TRUE, this LDAP_USERNAME is used to browse the LDAP tree and return the records that this DN has access to. If LDAP_ALLOW_GUEST=FALSE (the default), a login box is presented. When LDAP_LOGIN_ATTR is not DN, LDAP_USERNAME is used to search the directory for the DN matching the attribute value, and that DN is then used to log in to the LDAP server.
3. PLA comes configured to connect to an LDAP server over an unsecured port (ldap), an SSL enabled port (ldaps), or with starttls (STARTTLS over an unsecured port). The hostname and port to connect to are configured with LDAP_HOSTNAME/LDAP_PORT respectively for the type of connection you want to use. (In PLA v2.0.0 these values were called openldap/openldaps/openldaptls respectively, but will be changed to ldap/ldaps/starttls in v2.0.1+.) See `config/ldap.php`.
4. After a DN is retrieved by steps 1/2 above, it is checked for objectclasses matching LDAP_LOGIN_OBJECTCLASS; if it has none of them (where more than one is listed), the user will not be logged in.
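The login resolution described in notes 1, 2 and 4 (search by LDAP_LOGIN_ATTR with the service account, require exactly one match, then require at least one of the LDAP_LOGIN_OBJECTCLASS values) is shown below as an added example; it is not PLA's own code. It models the directory as an in-memory dictionary so it runs offline, and the function names (`resolve_login_dn`, `try_login`) and the sample entries are assumptions for illustration. The final bind with the user's own password is out of scope here.

```python
"""Added example (not PLA code): model of PLA's login resolution rules."""
from __future__ import annotations

# Constructed sample directory: DN -> attributes (values as lists, as LDAP returns them).
SAMPLE_DIRECTORY: dict[str, dict[str, list[str]]] = {
    "cn=Admin,dc=Test": {"objectClass": ["person"], "cn": ["Admin"]},
    "uid=alice,ou=People,dc=Test": {"objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=Test": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "uid=carol,ou=People,dc=Test": {"objectClass": ["organizationalPerson"], "uid": ["carol"]},
    # Two entries share uid=dup: note 1 says such a login must be rejected.
    "uid=dup,ou=People,dc=Test": {"objectClass": ["posixAccount"], "uid": ["dup"]},
    "uid=dup,ou=Staff,dc=Test": {"objectClass": ["posixAccount"], "uid": ["dup"]},
}


class LoginError(Exception):
    """Raised when the login attempt cannot be mapped to exactly one permitted DN."""


def parse_objectclasses(value: str) -> set[str]:
    """LDAP_LOGIN_OBJECTCLASS is comma delimited; objectClass names compare case-insensitively."""
    return {oc.strip().lower() for oc in value.split(",") if oc.strip()}


def search_by_attr(directory: dict, attr: str, value: str) -> list[str]:
    """Note 1/2: the service account (LDAP_USERNAME) searches for entries whose attr equals value."""
    wanted = value.lower()
    return [dn for dn, entry in directory.items()
            if wanted in (v.lower() for v in entry.get(attr, []))]


def resolve_login_dn(directory: dict, login_attr: str, login_value: str,
                     login_objectclass: str) -> str:
    """Return the DN that would be bound for this login, or raise LoginError."""
    # Step 1/2: LDAP_LOGIN_ATTR=DN means the user typed a full DN; otherwise search.
    if login_attr.upper() == "DN":
        if login_value not in directory:
            raise LoginError("no such entry")
        dn = login_value
    else:
        matches = search_by_attr(directory, login_attr, login_value)
        if len(matches) != 1:  # note 1: exactly one result is required
            raise LoginError(f"expected exactly one match, got {len(matches)}")
        dn = matches[0]

    # Step 4: any one of the configured objectclasses is sufficient.
    required = parse_objectclasses(login_objectclass)
    present = {oc.lower() for oc in directory[dn].get("objectClass", [])}
    # Assumption: an empty LDAP_LOGIN_OBJECTCLASS means no objectClass restriction.
    if required and not (required & present):
        raise LoginError("entry has none of the required objectclasses")
    return dn


def try_login(directory: dict, login_attr: str, login_value: str,
              login_objectclass: str) -> tuple[bool, str]:
    """Convenience wrapper: (True, dn) on success, (False, reason) on rejection."""
    try:
        return True, resolve_login_dn(directory, login_attr, login_value, login_objectclass)
    except LoginError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dup", "nobody"):
        print(user, try_login(SAMPLE_DIRECTORY, "uid", user, "posixAccount,inetOrgPerson"))
    print("DN login", try_login(SAMPLE_DIRECTORY, "DN", "cn=Admin,dc=Test", "person"))
```

Running the block shows the three rejection paths a defender should expect to see in PLA's logs: no match, more than one match for the login attribute, and a DN that carries none of the configured objectclasses.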