#Управление LDAP

apiVersion: dex.coreos.com/v1
kind: Connector
id: ldap        # Connector ID
name: ldap      # Connector display name
type: ldap      # Connector type is LDAP
metadata:
  name: ldap
  namespace: cpaas-system
spec:
  config:
    # LDAP server address and port
    host: ldap.example.com:636
    # DN and password for the service account used by the connector.
    # This DN is used to search for users and groups.
    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
    # Service account password, required when creating a connector.
    bindPW: password

    # Login account prompt. For example, username
    usernamePrompt: SSO Username

    # User search configuration
    userSearch:
      # Start searching from the base DN
      baseDN: cn=users,dc=example,dc=com
      # LDAP query statement, used to search for users.
      # For example: "(&(objectClass=person)(uid=<username>))"
      filter: (&(objectClass=organizationalPerson))

      # The following fields are direct mappings of user entry attributes.
      # User ID attribute
      idAttr: uid
      # Required. Attribute to map to email
      emailAttr: mail
      # Required. Attribute to map to username
      nameAttr: cn
      # Login username attribute
      # Filter condition will be converted to "(<attr>=<username>)", such as (uid=example).
      username: uid

      # Extended attributes
      # phoneAttr: phone

    # Group search configuration
    groupSearch:
      # Start searching from the base DN
      baseDN: cn=groups,dc=freeipa,dc=example,dc=com
      # Group filter condition
      # "(&(objectClass=group)(member=<user uid>))".
      filter: "(objectClass=group)"
      # User group matching field
      # Group attribute
      groupAttr: member
      # User group member attribute
      userAttr: uid
      # 组显示名称
      nameAttr: cn

# 1. Basic filter: Find all users
(&(objectClass=person))

# 2. Multiple conditions combination: Find users in a specific department
(&(objectClass=person)(departmentNumber=1000))

# 3. Find enabled users (Active Directory)
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# 4. Find users with a specific email domain
(&(objectClass=person)(mail=*@example.com))

# 5. Find members of specific group
(&(objectClass=person)(memberOf=cn=developers,ou=groups,dc=example,dc=com))

# 6. Find recently logged in users (Active Directory)
(&(objectClass=user)(lastLogon>=20240101000000.0Z))

# 7. Exclude system accounts
(&(objectClass=person)(!(uid=admin))(!(uid=system)))

# 8. Find users with a specific attribute
(&(objectClass=person)(mobile=*))

# 9. Find users in multiple departments
(&(objectClass=person)(|(ou=IT)(ou=HR)(ou=Finance)))

# 10. Complex condition combination example
(&
  (objectClass=person)
  (|(department=IT)(department=Engineering))
  (!(title=Intern))
  (manager=cn=John Doe,ou=People,dc=example,dc=com)
)

# 1. Basic filter: Find all groups
(objectClass=groupOfNames)

# 2. Find groups with a specific prefix
(&(objectClass=groupOfNames)(cn=dev-*))

# 3. Find non-empty groups
(&(objectClass=groupOfNames)(member=*))

# 4. Find groups with a specific member
(&(objectClass=groupOfNames)(member=uid=john,ou=People,dc=example,dc=com))

# 5. Find nested groups (Active Directory)
(&(objectClass=group)(|(groupType=-2147483646)(groupType=-2147483644)))

# 6. Find groups with a specific description
(&(objectClass=groupOfNames)(description=*admin*))

# 7. Exclude system groups
(&(objectClass=groupOfNames)(!(cn=system*)))

# 8. Find groups with specific members
(&(objectClass=groupOfNames)(|(cn=admins)(cn=developers)(cn=operators)))

# 9. Find groups in a specific OU
(&(objectClass=groupOfNames)(ou=IT))

# 10. Complex condition combination example
(&
  (objectClass=groupOfNames)
  (|(cn=prod-*)(cn=dev-*))
  (!(cn=deprecated-*))
  (owner=cn=admin,dc=example,dc=com)
)

# AND operator (&) - All conditions must be met
# Syntax: (&(condition1)(condition2)(condition3)...)

# Multiple attribute AND example
(&
  (objectClass=person)
  (mail=*@example.com)
  (title=Engineer)
  (manager=*)
)

# OR operator (|) - At least one condition must be met
# Syntax: (|(condition1)(condition2)(condition3)...)

# Multiple attribute OR example
(|
  (department=IT)
  (department=HR)
  (department=Finance)
)

# Combining AND and OR
(&
  (objectClass=person)
  (|
    (department=IT)
    (department=R&D)
  )
  (employeeType=FullTime)
)

# Complex condition combination
(&
  (objectClass=person)
  (|
    (&
      (department=IT)
      (title=*Engineer*)
    )
    (&
      (department=R&D)
      (title=*Developer*)
    )
  )
  (!(status=Inactive))
  (|(manager=*)(isManager=TRUE))
)