--- # geklaut von: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker + https://www.reddit.com/r/selfhosted/comments/158quyz/authelia_ldap_groups/ server.address: "0.0.0.0:9091" log: level: debug identity_validation: reset_password: jwt_secret: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_jwt_secret', 'password') }} totp: issuer: totp.mgrote.net access_control: default_policy: deny rules: - domain: wiki.mgrote.net policy: one_factor subject: - 'group:authelia_wiki' session: name: authelia_session secret: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_session_secret', 'password') }} expiration: 3600 inactivity: 300 cookies: - name: mgrote.net domain: mgrote.net authelia_url: https://auth.mgrote.net redis: host: authelia-redis port: 6379 regulation: max_retries: 3 find_time: 120 ban_time: 300 storage: encryption_key: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_storage_encryption_key', 'password') }} mysql: database: authelia address: 'tcp://authelia-db:3306' username: authelia password: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_password', 'password') }} notifier: smtp: address: postfix:25 sender: no-reply-authelia@mgrote.net disable_require_tls: true # ldap # https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml authentication_backend: password_reset: disable: true refresh_interval: 1m ldap: implementation: custom address: ldap://ldap.mgrote.net:3890 timeout: 5s start_tls: false base_dn: dc=mgrote,dc=net additional_users_dn: ou=people users_filter: "(&({username_attribute}={input})(objectClass=person))" additional_groups_dn: ou=groups groups_filter: "(&(member={dn})(objectclass=groupOfUniqueNames))" attributes: display_name: displayName username: uid group_name: cn mail: mail user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net password: '{{ lookup('viczem.keepass.keepass', 'lldap/lldap_authelia_bind_user', 'password') }}' # Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/