# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext

# This file is opened as root, so it should be owned by root and mode 0600.
# http://wiki2.dovecot.org/AuthDatabase/LDAP

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = {{ dovecot_ldap_servers | join(" ") }}

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
# auth_bind_userdn =

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = {{ dovecot_ldap_version }}

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = {{ dovecot_ldap_base }}

# Search scope: base, onelevel, subtree
scope = {{ dovecot_ldap_scope }}

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = {{ dovecot_ldap_user_attrs }}

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = {{ dovecot_ldap_user_filter }}

# Password checking attributes:
#  user: Virtual user name (user@domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
# pass_attrs = uid=user,userPassword=password

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
pass_attrs = {{ dovecot_ldap_pass_attrs }}

# Filter for password lookups
pass_filter = {{ dovecot_ldap_pass_filter }}

# Attributes and filter to get a list of all users
iterate_attrs = {{ dovecot_ldap_iterate_attrs }}
iterate_filter = {{ dovecot_ldap_iterate_filter }}

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
default_pass_scheme = {{ dovecot_ldap_default_pass_scheme }}