# graylog-groups configuration example / documentation
# =====================================================

# LDAP server configuration
# --------------------------
ldap:

  # The LDAP server's host name or IP address. REQUIRED.
  host: ldap.example.org

  # Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to
  # 389.
  port: 636

  # TLS mode. This must be either "yes" for the non-standard, pure TLS mode,
  # "starttls" for TLS over a clear connection, or "no" to use a clear
  # connection. Defaults to "no".
  tls: yes

  # Skip server certificate check. Defaults to false.
  tls_skip_verify: false

  # CA certificate chain. Can be omitted if the systems' trusted CAs must be
  # used, or if no TLS is being used.
  cachain: /path/to/ca/chain.pem

  # LDAP user (as a DN) and password to bind with. Both fields may be omitted
  # if anonymous binding is to be used.
  bind_user: cn=graylog,ou=automation,dc=example,dc=org
  bind_password: drowssap

  # LDAP attributes which may contain either the UIDs or the DNs of the groups'
  # members. If the fields contain the DN, the first element will be extracted
  # and used as the username. REQUIRED.
  member_fields:
    - member
    - uniqueMember
    - memberUid

  # Username attribute. This is used when group member fields contain the '='
  # ',' character, in which case the value will be considered a DN and looked up
  # in the LDAP. The field specified by this configuration value will be read
  # and used as the login name. If this configuration value is not set, the
  # first element in the DN will be extracted and used as the username.
  username_attribute: uid

# Graylog server info
# --------------------
graylog:

  # API base URL. REQUIRED.
  api_base: https://graylog.example.org/api

  # Username and password to use to authenticate to the API. REQUIRED
  username: admin
  password: drowssap

  # Should accounts be deleted when they no longer have any privileges? Warning,
  # this option is rather dangerous. Can be omitted, defaults to false.
  delete_accounts: false

# Group -> privileges mappings
# -----------------------------
mapping:

  # Each entry in this table must use a LDAP group name as its key.
  cn=g1,ou=groups,dc=example,dc=org:

    # List of Graylog roles that users in this group should have. The names
    # must match the ones in the Graylog administration section.
    roles:
      - Reader

    # Privileges on various Graylog objects. This is a list of records.
    privileges:

      # Each privilege record includes a type of object ("dashboard", "search"
      # or "stream"), an identifier (which is generated by Graylog, and must
      # be extracted from the pages' URLs or from the API) and a level, which
      # may be either "read" or "write", the latter implying the former. Should
      # an user be a member of groups that grant both privilege levels, the
      # highest level will be kept.
      - type: dashboard
        id: 12345
        level: read

      - type: stream
        id: 12345
        level: read

  cn=g2,ou=groups,dc=example,dc=org:
    roles:
      - Event Definition Creator
      - Event Notification Creator
    privileges:
      - type: dashboard
        id: 12345
        level: write