..
   Copyright (C) 2025 Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, You can obtain one at http://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.


``stork-server-ldap`` - The Stork Server hook for LDAP authentication
--------------------------------------------------------------------------

Description
~~~~~~~~~~~

``stork-server-ldap`` is a hook (plugin) for the ``stork-server``
application that enables an authentication mechanism based on LDAP (Lightweight
Directory Access Protocol). The hook is a binary file with the ``.so`` extension
and must be placed in the server hook directory.

Arguments
~~~~~~~~~

The hook behavior can be controlled with command-line switches and/or
environment variables that must be passed to ``stork-server``. The
environment variables can be set before running the server (equivalent
environment variables are listed in square brackets, where applicable).

``--ldap.url=``
   The LDAP server access URL (use the ldaps:// scheme to connect over TLS) (default: ldap://127.0.0.1:1389). ``[$STORK_SERVER_HOOK_LDAP_URL]``

``--ldap.root=``
   The LDAP root (base DN) under which login users are searched (default: dc=example,dc=org). ``[$STORK_SERVER_HOOK_LDAP_ROOT]``

``--ldap.bind-userdn=``
   The maintenance user DN used to bind to the server for reading user profiles (default: cn=admin,dc=example,dc=org). ``[$STORK_SERVER_HOOK_LDAP_BIND_USERDN]``

``--ldap.bind-password=``
   The maintenance password used to bind to the server for reading user profiles (default: adminpassword). ``[$STORK_SERVER_HOOK_LDAP_BIND_PASSWORD]``

``--ldap.skip-tls-server-verification``
   Skip the TLS server certificate verification; not recommended for production environments. ``[$STORK_SERVER_HOOK_LDAP_SKIP_SERVER_TLS_VERIFICATION]``

``--ldap.group-allow=``
   The mandatory group that must be assigned to a user to access Stork; leave empty to allow all users. ``[$STORK_SERVER_HOOK_LDAP_GROUP_ALLOW]``

``--ldap.map-groups``
   Enable mapping of LDAP groups to Stork groups. ``[$STORK_SERVER_HOOK_LDAP_MAP_GROUPS]``

``--ldap.debug``
   Enable additional debug information about the connection to the LDAP server. ``[$STORK_SERVER_HOOK_LDAP_DEBUG]``

``--ldap.timeout=``
   The LDAP server connection timeout (default: 30s). ``[$STORK_SERVER_HOOK_LDAP_TIMEOUT]``

LDAP to Stork group mapping:

``--ldap.group-admin=``
   The LDAP group corresponding to the Stork 'admin' group (default: stork-admin). ``[$STORK_SERVER_HOOK_LDAP_GROUP_ADMIN]``

``--ldap.group-super-admin=``
   The LDAP group corresponding to the Stork 'super-admin' group (default: stork-super-admin). ``[$STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN]``

``--ldap.group-read-only=``
   The LDAP group corresponding to the Stork 'read-only' group (default: stork-read-only). ``[$STORK_SERVER_HOOK_LDAP_GROUP_READ_ONLY]``

LDAP schema attributes:

``--ldap.object-class-group=``
   The name of the group object class in the group schema (preferred 'groupOfNames' or 'groupOfUniqueNames') (default: groupOfNames). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_GROUP]``

``--ldap.object-class-group-member=``
   The name of the member property in the group object class (for 'groupOfUniqueNames' use 'uniqueMember') (default: member). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_GROUP_MEMBER]``

``--ldap.object-class-group-common-name=``
   The name of the common name property in the group object class (default: cn). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_GROUP_COMMON_NAME]``

``--ldap.object-class-user=``
   The name of the user object class in the user schema (default: organizationalPerson). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER]``

``--ldap.object-class-user-id=``
   The name of the ID property in the user object class (default: uid). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_ID]``

``--ldap.object-class-user-first-name=``
   The name of the first name property in the user object class, optional (default: givenName). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_FIRST_NAME]``

``--ldap.object-class-user-last-name=``
   The name of the last name property in the user object class, optional (default: sn). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_LAST_NAME]``

``--ldap.object-class-user-email=``
   The name of the email property in the user object class, optional (default: mail). ``[$STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_EMAIL]``

Stork prioritizes the settings it receives based on where they are specified.
Command-line flags have the highest priority; next are parameters from the
environment file. The lowest priority is given to environment variables.

Mailing Lists and Support
~~~~~~~~~~~~~~~~~~~~~~~~~

There are public mailing lists available for the Stork project. **stork-users**
(stork-users at lists.isc.org) is intended for Stork users. **stork-dev**
(stork-dev at lists.isc.org) is intended for Stork developers, prospective
contributors, and other advanced users. The lists are available at
https://www.isc.org/mailinglists. The community provides best-effort support
on both of those lists.

See Also
~~~~~~~~

:manpage:`stork-server(8)`
