# Plain-text LDAP listener.
[ldap]
enabled = true
# run on a non privileged port
# NOTE(review): 0.0.0.0 binds every interface, and [ldaps] is disabled below, so this
# is the only listener configured here. Unless the server negotiates StartTLS, bind
# passwords then cross the network unencrypted. Bind to 127.0.0.1 or firewall the port
# unless every client sits on a trusted path.
listen = "0.0.0.0:3893"
# TLS listener, switched off in this example.
# NOTE(review): outside of local testing, enable this with a certificate and key and
# disable the plain [ldap] listener. Confirm the required keys in the server docs.
[ldaps]
enabled = false
# Directory backend settings.
[backend]
# presumably "config" means the users and groups are read from this file; verify against the server docs
datastore = "config"
# Root of the directory tree; the capability object further down is scoped beneath it.
baseDN = "dc=acme,dc=local"
# presumably the RDN attributes used for user and group entries; the capability object
# "ou=superheros,dc=acme,dc=local" is consistent with groupformat = "ou"
nameformat = "cn"
groupformat = "ou"
# Access-control and brute-force throttling behaviour.
[behaviors]
# Ignore all capabilities restrictions, for instance allowing every user to perform a search
# Keep this false: setting it to true would make the per-user capabilities entries meaningless.
IgnoreCapabilities = false
# Enable a "fail2ban" type backoff mechanism temporarily banning repeated failed login attempts
LimitFailedBinds = true
# How many failed login attempts are allowed before a ban is imposed
NumberOfFailedBinds = 3
# How long (in seconds) is the window for failed login attempts
# NOTE(review): with a 10 s window, failures spaced further apart never accumulate to
# the threshold. Treat this as rate limiting only, and also alert on failed binds in logs.
PeriodOfFailedBinds = 10
# How long (in seconds) is the ban duration
BlockFailedBindsFor = 60
# Clean learnt IP addresses every N seconds
# NOTE(review): tracking appears to be keyed by source IP, so clients behind one NAT or
# proxy would share a counter, and thus a ban. Confirm this before deploying behind one.
PruneSourceTableEvery = 600
# Clean learnt IP addresses not seen in N seconds
PruneSourcesOlderThan = 600
# Example end-user accounts. All three share primarygroup 5501.
#
# NOTE(review): example credentials only. Going by the key name, passsha256 holds a hex
# SHA-256 digest of the password shown in the trailing comment. The three digests below
# are identical, so no per-user salt is applied: equal passwords are visible as equal
# hashes, and a fast unsalted digest is cheap to brute-force if this file leaks.
# Before real use, generate unique strong passwords and drop the plaintext comments.
# Keep the file readable only by the service account. Prefer a slow salted hash if the
# server offers one (GLAuth, which this file resembles, has passbcrypt; confirm).
#
# NOTE(review): the mail values appear to have been replaced by the hosting page's
# e-mail obfuscation; substitute real addresses.
[[users]]
name = "alice"
givenname = "Alice"
sn = "Henderson"
mail = "[email protected]"
uidnumber = 5001
primarygroup = 5501
passsha256 = "8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9" # passw0rd
[[users]]
name = "bob"
givenname = "Bob"
sn = "Sanders"
mail = "[email protected]"
uidnumber = 5002
primarygroup = 5501
passsha256 = "8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9" # passw0rd
# NOTE(review): nothing in this entry sets walter apart from alice and bob (same
# primarygroup, no capabilities). The "administrator" role is presumably assigned by
# the application consuming the directory; verify where it is enforced.
[[users]]
name = "walter" # our example administrator
givenname = "Walter"
sn = "Linz"
mail = "[email protected]"
uidnumber = 5003
primarygroup = 5501
passsha256 = "8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9" # passw0rd
# Technical (service) account, in primarygroup 5502. It is the only entry with a
# capabilities list.
# NOTE(review): example credential only. passsha256 is, by its name, an unsalted SHA-256
# digest, and the plaintext sits in the trailing comment. Use a long random secret, remove
# the comment, and store the secret only in the client application's protected configuration.
[[users]]
name = "ldap-tec-user"
givenname = "John"
sn = "Doe"
uidnumber = 5501
primarygroup = 5502
passsha256 = "8241458a26f1d73036ce59d448ed11d49d01cdc11fcef87c1050a165ca298c96" # ldapsecr3t
# Least privilege: the account may only search, and only under the superheros subtree.
# This restriction depends on IgnoreCapabilities staying false in [behaviors].
[[users.capabilities]]
action = "search"
object = "ou=superheros,dc=acme,dc=local"
# Group definitions; gidnumber is what the users' primarygroup values refer to.
# 5501 is the primary group of alice, bob and walter.
[[groups]]
name = "superheros"
gidnumber = 5501
# 5502 is the primary group of ldap-tec-user, keeping the service account apart from human users.
[[groups]]
name = "svcaccts"
gidnumber = 5502