
**Section type** '``ad``':  AD realm configuration properties.




*Required properties:*

``server1`` : ``<string>``
  AD server address




*Optional properties:*

``base-dn`` : ``<string>``
  LDAP base DN (LDAP domain)



``bind-dn`` : ``<string>``
  LDAP bind DN



``capath`` : ``<string>``
  CA certificate to use for the server. The path can point to
  either a file or a directory. If it points to a file, the
  PEM-formatted X.509 certificate stored at that path is added
  as a trusted certificate. If it points to a directory, that
  directory replaces the system's default certificate store at
  ``/etc/ssl/certs``: every file in the directory is loaded as
  a trusted certificate.



``comment`` : ``<string>``
  Comment.



``filter`` : ``<string>``
  Custom LDAP search filter for user sync



``mode`` : ``ldap|ldap+starttls|ldaps   (default=ldap)``
  LDAP connection type



``port`` : ``<integer> (0 - 65535)``
  AD server Port



``server2`` : ``<string>``
  Fallback AD server address



``sync-attributes`` : ``[[email=<string>] [,firstname=<string>] [,lastname=<string>]]``
  Comma-separated list of key=value pairs for specifying which LDAP attributes map
  to which PBS user field. For example, to map the LDAP attribute ``mail`` to
  PBS's ``email``, write ``email=mail``.


  ``email`` = ``<string>``
    Name of the LDAP attribute containing the user's email address
  
  
  
  ``firstname`` = ``<string>``
    Name of the LDAP attribute containing the user's first name
  
  
  
  ``lastname`` = ``<string>``
    Name of the LDAP attribute containing the user's last name
  
  
  

``sync-defaults-options`` : ``[[enable-new=<1|0>] [,remove-vanished=<string>]]``
  Default options for user synchronization.


  ``enable-new`` = ``<boolean>``
    Enable new users after sync
  
  
  
  ``remove-vanished`` = ``[acl|entry|properties, ...]``
    A semicolon-separated list of things to remove when they or the user vanish
    during user synchronization. The following values are possible: ``entry``
    removes the user when it is not returned by the sync; ``properties`` removes
    any properties on an existing user that do not appear in the source; ``acl``
    removes ACLs when the user is not returned by the sync.
  
  
  

``user-classes`` : ``[<string>, ...]   (default=inetorgperson,posixaccount,person,user)``
  Comma-separated list of allowed objectClass values for user synchronization.
  For instance, if ``user-classes`` is set to ``person,user``, then user
  synchronization will consider all LDAP entries where ``objectClass: person``
  *or* ``objectClass: user``.



``verify`` : ``<boolean>   (default=false)``
  Verify server certificate




**Section type** '``ldap``':  LDAP configuration properties.




*Required properties:*

``base-dn`` : ``<string>``
  LDAP base DN (LDAP domain)



``server1`` : ``<string>``
  LDAP server address



``user-attr`` : ``<string>``
  Username attribute. Used to map a ``userid`` to an LDAP ``dn``.




*Optional properties:*

``bind-dn`` : ``<string>``
  LDAP bind DN



``capath`` : ``<string>``
  CA certificate to use for the server. The path can point to
  either a file or a directory. If it points to a file, the
  PEM-formatted X.509 certificate stored at that path is added
  as a trusted certificate. If it points to a directory, that
  directory replaces the system's default certificate store at
  ``/etc/ssl/certs``: every file in the directory is loaded as
  a trusted certificate.



``comment`` : ``<string>``
  Comment.



``filter`` : ``<string>``
  Custom LDAP search filter for user sync



``mode`` : ``ldap|ldap+starttls|ldaps   (default=ldap)``
  LDAP connection type



``port`` : ``<integer> (0 - 65535)``
  Port



``server2`` : ``<string>``
  Fallback LDAP server address



``sync-attributes`` : ``[[email=<string>] [,firstname=<string>] [,lastname=<string>]]``
  Comma-separated list of key=value pairs for specifying which LDAP attributes map
  to which PBS user field. For example, to map the LDAP attribute ``mail`` to
  PBS's ``email``, write ``email=mail``.


  ``email`` = ``<string>``
    Name of the LDAP attribute containing the user's email address
  
  
  
  ``firstname`` = ``<string>``
    Name of the LDAP attribute containing the user's first name
  
  
  
  ``lastname`` = ``<string>``
    Name of the LDAP attribute containing the user's last name
  
  
  

``sync-defaults-options`` : ``[[enable-new=<1|0>] [,remove-vanished=<string>]]``
  Default options for user synchronization.


  ``enable-new`` = ``<boolean>``
    Enable new users after sync
  
  
  
  ``remove-vanished`` = ``[acl|entry|properties, ...]``
    A semicolon-separated list of things to remove when they or the user vanish
    during user synchronization. The following values are possible: ``entry``
    removes the user when it is not returned by the sync; ``properties`` removes
    any properties on an existing user that do not appear in the source; ``acl``
    removes ACLs when the user is not returned by the sync.
  
  
  

``user-classes`` : ``[<string>, ...]   (default=inetorgperson,posixaccount,person,user)``
  Comma-separated list of allowed objectClass values for user synchronization.
  For instance, if ``user-classes`` is set to ``person,user``, then user
  synchronization will consider all LDAP entries where ``objectClass: person``
  *or* ``objectClass: user``.
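The sync options above (``sync-attributes``, ``sync-defaults-options`` and ``user-classes``, which are identical for the ``ad`` and ``ldap`` section types) decide which directory entries become PBS users and what happens to users that disappear from the directory. The following Python is an added example, not PBS code: it models one sync run for an ``ldap`` realm over constructed LDAP entries; the shape of the user record, the ``user-attr`` lookup and the property-string parsing are simplified assumptions.

```python
def parse_props(text):
    """Parse a 'key=value,key=value' property string into a dict."""
    return dict(item.split("=", 1) for item in text.split(",") if item)

def sync_realm(realm, entries, users):
    """Apply one sync run to `users` (userid -> record dict) in place and return it.
    Each record holds 'enabled', 'attrs' (email/firstname/lastname) and 'acls'."""
    classes = set(realm.get("user-classes",
                            "inetorgperson,posixaccount,person,user").lower().split(","))
    attr_map = parse_props(realm.get("sync-attributes", ""))  # pbs field -> ldap attr
    opts = parse_props(realm.get("sync-defaults-options", ""))
    enable_new = opts.get("enable-new", "0") == "1"
    vanished = set(filter(None, opts.get("remove-vanished", "").split(";")))
    user_attr, seen = realm["user-attr"], set()
    for entry in entries:
        # Skip entries without a username attribute or with no allowed objectClass.
        if user_attr not in entry or not classes & {
                c.lower() for c in entry.get("objectClass", [])}:
            continue
        uid = entry[user_attr]
        seen.add(uid)
        synced = {f: entry[a] for f, a in attr_map.items() if a in entry}
        if uid not in users:
            users[uid] = {"enabled": enable_new, "attrs": synced, "acls": []}
        elif "properties" in vanished:
            users[uid]["attrs"] = synced     # fields absent in the source are dropped
        else:
            users[uid]["attrs"].update(synced)
    for uid in [u for u in users if u not in seen]:   # vanished from the directory
        if "acl" in vanished:
            users[uid]["acls"] = []
        if "entry" in vanished:
            del users[uid]
    return users

# Constructed sample data, not taken from any real directory or PBS instance.
REALM = {"user-attr": "uid", "user-classes": "person,user",
         "sync-attributes": "email=mail,firstname=givenName",
         "sync-defaults-options": "enable-new=0,remove-vanished=acl;properties"}
ENTRIES = [
    {"objectClass": ["top", "person"], "uid": "alice", "mail": "alice@example.org"},
    {"objectClass": ["top", "person"], "uid": "carol", "givenName": "Carol"},
    {"objectClass": ["top", "device"], "uid": "printer1", "mail": "p1@example.org"},
]
USERS = {"alice": {"enabled": True, "acls": ["/datastore/backups"],
                   "attrs": {"email": "old@example.org", "lastname": "Smith"}},
         "bob": {"enabled": True, "acls": ["/datastore/backups"],
                 "attrs": {"email": "bob@example.org"}}}
```

With ``REALM`` as constructed, ``alice`` keeps her ACLs but loses the stale ``lastname``, ``carol`` is created disabled, ``bob`` keeps his account but loses his ACLs, and the ``device`` entry is ignored.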



``verify`` : ``<boolean>   (default=false)``
  Verify server certificate
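``mode`` and ``verify`` together determine whether the connection to the directory is encrypted and whether the server's certificate is actually checked; with the documented defaults (``mode=ldap``, ``verify=false``) neither is the case. The following Python audit is an added example, not PBS code, covering the ``ad`` and ``ldap`` section types above: the ``type: id`` header with indented ``key value`` lines used for the realm file is an assumption, and the realms in the sample are constructed.

```python
import re

# Constructed realm file excerpt; the "type: id" header plus indented "key value" layout is assumed.
SAMPLE_CFG = """\
ldap: legacy
\tbase-dn dc=example,dc=org
\tserver1 ldap.example.org
\tuser-attr uid

ad: corp
\tserver1 dc1.corp.example
\tmode ldaps

ldap: hardened
\tbase-dn dc=example,dc=org
\tserver1 ldap.example.org
\tuser-attr uid
\tmode ldap+starttls
\tverify 1
\tcapath /etc/pki/example-ca.pem
"""

def parse_sections(text):
    """Return [(type, id, {key: value})] for every section in the file."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = re.match(r"^(\w+):\s*(\S+)\s*$", raw)
        if header:
            current = (header.group(1), header.group(2), {})
            sections.append(current)
        elif current and raw[0] in " \t":
            key, _, value = raw.strip().partition(" ")
            current[2][key] = value
    return sections

def audit_realms(text):
    """Return (realm id, finding) pairs for ad/ldap realms, using the documented
    defaults mode=ldap and verify=false whenever the keys are absent."""
    findings = []
    for kind, name, props in parse_sections(text):
        if kind not in ("ad", "ldap"):
            continue
        mode = props.get("mode", "ldap")
        verify = props.get("verify", "0").lower() in ("1", "true")
        if mode == "ldap":
            findings.append((name, "mode=ldap: bind and user credentials cross the network unencrypted"))
        elif not verify:
            findings.append((name, f"mode={mode} without verify: the server certificate is never checked"))
    return findings
```

Only ``hardened`` passes: it uses STARTTLS, turns on ``verify`` and pins trust to a single CA file via ``capath``.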




**Section type** '``openid``':  OpenID configuration properties.




*Required properties:*

``client-id`` : ``<string>``
  OpenID Client ID



``issuer-url`` : ``<string>``
  OpenID Issuer URL




*Optional properties:*

``acr-values`` : ``[<string>, ...]``
  OpenID ACR List



``autocreate`` : ``<boolean>   (default=false)``
  Automatically create users if they do not exist.



``client-key`` : ``<string>``
  OpenID Client Key



``comment`` : ``<string>``
  Comment.



``prompt`` : ``<string>``
  OpenID Prompt



``scopes`` : ``[<string>, ...]   (default=email profile)``
  OpenID Scope List



``username-claim`` : ``<string>``
  Use the value of this attribute/claim as the unique username. It is up to the
  identity provider to guarantee the uniqueness. The OpenID specification only
  guarantees that the Subject (``sub``) is unique. Also make sure that the user
  is not allowed to change that attribute by themselves!




