From 0d2c61d6a6c611fc41ecb3f11caa1c8100d87c88 Mon Sep 17 00:00:00 2001
From: le-firehawk
Date: Tue, 4 Jun 2024 12:38:25 +0000
Subject: [PATCH] env.example: add LDAP filters, include additional LDAP sample values
Signed-off-by: le-firehawk
---
 env.example | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/env.example b/env.example
index 30dafb31a9..b6747394c3 100644
--- a/env.example
+++ b/env.example
@@ -144,26 +144,64 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # # LDAP url for connection -#LDAP_URL=ldaps://ldap.domain.com/ +# ldaps:// not compatible with LDAP_START_TLS +#LDAP_URL=ldap://ldap.domain.com # LDAP base DN. Can be empty #LDAP_BASE=DC=example,DC=domain,DC=com +# FreeIPA should be based at accounts +#LDAP_BASE=CN=accounts,DC=example,DC=domain,DC=com # LDAP user DN. Do not specify this parameter for the anonymous bind #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com +# FreeIPA uses different scheme +#LDAP_BINDDN=UID=binduser,CN=users,CN=accounts,DC=example,DC=domain,DC=com # LDAP user password. Do not specify this parameter for the anonymous bind #LDAP_BINDPW=LdapUserPassw0rd +# Many LDAP providers may obfuscate tree information +# required for advanced filtering when using anonymous +# bind + # LDAP filter. Tokens example: # %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail # %s - %s is replaced by the complete service string # %r - %r is replaced by the complete realm string +# (&(filter1)(filter2)(...)) - require multiple filters to be true +# (|(filter1)(filter2)(...)) - require one filter to be true +# (!(filter1)) - require one or more filters to be false #LDAP_FILTER=(sAMAccountName=%u) +# FreeIPA, other LDAP providers, use UID +#LDAP_FILTER=(UID=%u) +# FreeIPA group filtering +#LDAP_FILTER=(&(UID=%u)(memberOf=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com)) + # LDAP authentication method #LDAP_AUTH_METHOD=bind +# LDAP group member attribute +#LDAP_GROUP_ATTR=uniqueMember +# FreeIPA, other LDAP providers, use memberOf +#LDAP_GROUP_ATTR=memberOf + +# LDAP group membership requirement +#LDAP_GROUP_DN=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com + +# LDAP group match method +# filter implies LDAP_GROUP_FILTER. 
attr implies LDAP_GROUP_SEARCH_BASE +# ignored without LDAP_GROUP_DN +#LDAP_GROUP_MATCH_METHOD=filter + +# LDAP group filter +# Respects tokens common to LDAP filtering +#LDAP_GROUP_FILTER=(CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com) + +# LDAP group search base +# Defaults to LDAP_BASE +#LDAP_GROUP_SEARCH_BASE=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com + # LDAP version #LDAP_VERSION=3
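Review bot: The sample `LDAP_URL` now defaults to plain `ldap://`, and the comment added above it only says that `ldaps://` conflicts with LDAP_START_TLS, so anyone who uncomments this line without also enabling StartTLS will send LDAP_BINDPW and every user's password to the directory unencrypted. No LDAP_START_TLS setting is visible in this hunk, so I would state the dependency where the URL is chosen, e.g. `# Use ldaps:// for implicit TLS, or ldap:// only together with LDAP_START_TLS; plain ldap:// sends bind and user passwords in cleartext`, and keep the `ldaps://` sample as a commented alternative. Separately, the `(!(filter1))` line says "one or more filters", but LDAP's NOT operator takes exactly one filter, so `# (!(filter1)) - require the filter to be false` is the accurate wording. The `LDAP_GROUP_FILTER` sample also looks like a bare DN wrapped in parentheses rather than an attribute assertion, and since this filter gates who is admitted, it is worth confirming against a real directory before it ships as the example.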