ConductorOne · pquerna · Oct 15, 2024 · Oct 14, 2024 · Oct 14, 2024 · Oct 15, 2024
diff --git a/README.md b/README.md
@@ -2,94 +2,56 @@
 
 # `baton-ldap` [![Go Reference](https://pkg.go.dev/badge/github.com/conductorone/baton-ldap.svg)](https://pkg.go.dev/github.com/conductorone/baton-ldap) ![main ci](https://github.com/conductorone/baton-ldap/actions/workflows/main.yaml/badge.svg)
 
-`baton-ldap` is a connector for LDAP built using the [Baton SDK](https://github.com/conductorone/baton-sdk). It communicates with the LDAP API to sync data about roles, users, and groups.
+`baton-ldap` is a connector for LDAP built using the [Baton SDK](https://github.com/conductorone/baton-sdk). It communicates with the LDAP protocol to sync data about roles, users, and groups.
 
 Check out [Baton](https://github.com/conductorone/baton) to learn more about the project in general.
 
-## LDAP 
+## LDAP
 
 ## Credentials
 
-To access the API, you must provide the username and password you use to login to the LDAP server. 
+To access the LDAP server, you must provide the username and password you use to login to the LDAP server. 
 
 # Getting Started
 
-## brew
+_Also see [Set up an LDAP connector](https://www.conductorone.com/docs/product/integrations/ldap/) in the ConductorOne documentation for instructions including using LDAP from ConductorOne._
 
-```
-brew install conductorone/baton/baton conductorone/baton/baton-ldap
+## Installing
 
-BATON_PASSWORD=admin_pass BATON_BASE_DN=base_dn BATON_USER_DN=user_dn BATON_DOMAIN=ldap_url baton-ldap
-baton resources
-```
+The latest release is available from the [`baton-ldap` Github releases page](https://github.com/ConductorOne/baton-ldap/releases).
 
-## docker
+Pre-built container images compatible with Docker and other container runtimes are [published to GHCR](https://github.com/ConductorOne/baton-ldap/pkgs/container/baton-ldap):
+```
+docker pull ghcr.io/conductorone/baton-ldap:latest
+```
 
+Additionally for testing on workstations, `baton-ldap` can be installed from Homebrew:
 ```
-docker run --rm -v $(pwd):/out -e BATON_TOKEN=token BATON_UNSAFE=true ghcr.io/conductorone/baton-ldap:latest -f "/out/sync.c1z"
-docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources
+brew install conductorone/baton/baton conductorone/baton/baton-ldap
 ```
 
-## source
+## Common Configuration Options
 
-```
-go install github.com/conductorone/baton/cmd/baton@main
-go install github.com/conductorone/baton-ldap/cmd/baton-ldap@main
+| CLI Flag | Environment Variable | Explaination |
+|----------|----------|----------|
+| `--bind-dn` | `BATON_BIND_DN` | **required** Username to bind to the LDAP server with, for example: `cn=baton-service-account,ou=users,dc=baton,dc=example,dc=com` |
+| `--password` | `BATON_PASSWORD` | **optional**  Password to bind to the LDAP server with.  If unset, an unathenticated bind is attempted. |
+| `--url` | `BATON_URL` | **required** URL to the LDAP server. Can be either `ldap:` or `ldaps:` schemes, sets the hostname, and optionally a port number. For example: `ldaps://ldap.example.com:636` |
+| `--base-dn` | `BATON_BASE_DN`   |  **optional** Base Distinguished name to search for LDAP objects in, for example `DC=example,DC=com` |
+| `--user-search-dn` | `BATON_USER_SEARCH_DN` |  **optional**  Distinguished name to search for User objects in.  If unset the Base DN is used. |
+| `--group-search-dn` | `BATON_GROUP_SEARCH_DN` |  **optional**  Distinguished name to search for User objects in.  If unset the Base DN is used. |
+| `--provisioning` | `BATON_PROVISIONING` |  **optional** Enable Provisioning of Groups by `baton-ldap`. `true` or `false`.  Defaults to `false` |
 
-BATON_PASSWORD=admin_pass BATON_BASE_DN=base_dn BATON_USER_DN=user_dn BATON_DOMAIN=ldap_url baton-ldap
-baton resources
-```
+Use `baton-ldap --help` to see all configuration flags and environment variables.
 
-## how to test 
-you can use this compose.yaml to launch an LDAP server and a PHP LDAP admin server to interact with the LDAP server.
+# Developing baton-ldap
 
-```
-version: '3.7'
-services:
-  openldap:
-    image: osixia/openldap:latest
-    container_name: openldap
-    hostname: openldap
-    ports: 
-      - "389:389"
-      - "636:636"
-    volumes:
-      - ./data/certificates:/container/service/slapd/assets/certs
-      - ./data/slapd/database:/var/lib/ldap
-      - ./data/slapd/config:/etc/ldap/slapd.d
-    environment: 
-      - LDAP_ORGANISATION=example
-      - LDAP_DOMAIN=example.org
-      - LDAP_ADMIN_USERNAME=admin
-      - LDAP_ADMIN_PASSWORD=admin
-      - LDAP_CONFIG_PASSWORD=config_pass
-      - "LDAP_BASE_DN=dc=example,dc=org"
-      - LDAP_REMOVE_CONFIG_AFTER_SETUP=false
-      - DISABLE_CHOWN=true
-    networks:
-      - openldap
-
-  phpldapadmin:
-    image: osixia/phpldapadmin:latest
-    container_name: phpldapadmin
-    hostname: phpldapadmin
-    ports: 
-      - "80:80"
-    environment: 
-      - PHPLDAPADMIN_LDAP_HOSTS=openldap
-      - PHPLDAPADMIN_HTTPS=false
-    depends_on:
-      - openldap
-    networks:
-      - openldap
-
-networks:
-  openldap:
-    driver: bridge
-```
+## How to test with Docker Compose
+You can use [compose.yaml](./compose.yaml) to launch an LDAP server and a PHP LDAP admin server to interact with the LDAP server.
+
+Run `docker-compose up` to launch the containers.
 
-Run `docker-compose up -d` to launch the containers.
-You can then access the PHP LDAP admin server at http://localhost:80 and login with the admin credentials you provided in the docker-compose file.
+You can then access the PHP LDAP admin server at http://localhost:8080 and login with the admin credentials you provided in the docker-compose file.
 
 username: `CN=admin,DC=example,DC=org`
 password: `admin`
@@ -118,37 +80,3 @@ After successfully syncing data, use the baton CLI to list the resources and see
 We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions, and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a Github Issue!
 
 See [CONTRIBUTING.md](https://github.com/ConductorOne/baton/blob/main/CONTRIBUTING.md) for more details.
-
-# `baton-ldap` Command Line Usage
-
-```
-baton-ldap
-
-Usage:
-  baton-ldap [flags]
-  baton-ldap [command]
-
-Available Commands:
-  completion         Generate the autocompletion script for the specified shell
-  help               Help about any command
-
-Flags:
-      --base-dn string                The base DN used to specify where in the tree to sync resources under. ($BATON_BASE_DN)
-      --client-id string              The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
-      --client-secret string          The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
-      --domain                        The domain of the LDAP url. ($BATON_DOMAIN)
-  -f, --file string                   The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
-      --grant-entitlement string      The entitlement to grant to the supplied principal ($BATON_GRANT_ENTITLEMENT)
-      --grant-principal string        The resource to grant the entitlement to ($BATON_GRANT_PRINCIPAL)
-      --grant-principal-type string   The resource type of the principal to grant the entitlement to ($BATON_GRANT_PRINCIPAL_TYPE)
-  -h, --help                          help for baton-ldap
-      --log-format string             The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
-      --log-level string              The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
-      --password string               The password of the user to bind to. ($BATON_PASSWORD)
-      --revoke-grant string           The grant to revoke ($BATON_REVOKE_GRANT)
-      --user-dn string                The user DN for the user to bind to. i.e. cn=admin,dc=example,dc=org ($BATON_USER_DN)
-  -v, --version                       version for baton-ldap
-
-Use "baton-ldap [command] --help" for more information about a command.
-
-```
diff --git a/cmd/baton-ldap/config.go b/cmd/baton-ldap/config.go
diff --git a/cmd/baton-ldap/main.go b/cmd/baton-ldap/main.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/conductorone/baton-ldap/pkg/config"
 	"github.com/conductorone/baton-ldap/pkg/connector"
 	configschema "github.com/conductorone/baton-sdk/pkg/config"
 	"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
@@ -19,7 +20,7 @@ var version = "dev"
 func main() {
 	ctx := context.Background()
 
-	_, cmd, err := configschema.DefineConfiguration(ctx, "baton-ldap", getConnector, configuration)
+	_, cmd, err := configschema.DefineConfiguration(ctx, "baton-ldap", getConnector, config.Configuration)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err.Error())
 		os.Exit(1)
@@ -37,22 +38,14 @@ func main() {
 func getConnector(ctx context.Context, v *viper.Viper) (types.ConnectorServer, error) {
 	l := ctxzap.Extract(ctx)
 
-	if err := validateConfig(ctx, v); err != nil {
+	cf, err := config.New(ctx, v)
+	if err != nil {
 		return nil, err
 	}
 
-	if v.GetString(urlField.FieldName) == "" && v.GetString(domainField.FieldName) != "" {
-		v.Set(urlField.FieldName, fmt.Sprintf("ldap://%s", v.GetString(domainField.FieldName)))
-	}
-
 	ldapConnector, err := connector.New(
 		ctx,
-		v.GetString(urlField.FieldName),
-		v.GetString(baseDNField.FieldName),
-		v.GetString(passwordField.FieldName),
-		v.GetString(userDNField.FieldName),
-		v.GetBool(disableOperationalAttrsField.FieldName),
-		v.GetBool(insecureSkipVerifyField.FieldName),
+		cf,
 	)
 	if err != nil {
 		l.Error("error creating connector", zap.Error(err))

diff --git a/compose.yaml b/compose.yaml
@@ -1,4 +1,4 @@
-version: '3.7'
+version: '3'
 services:
   openldap:
     image: osixia/openldap:latest
@@ -8,10 +8,10 @@ services:
       - "389:389"
       - "636:636"
     # Uncomment these lines if you want to persist data.
-    # volumes:
-    #   - ./data/certificates:/container/service/slapd/assets/certs
-    #   - ./data/slapd/database:/var/lib/ldap
-    #   - ./data/slapd/config:/etc/ldap/slapd.d
+    volumes:
+      - ./data/certificates:/container/service/slapd/assets/certs
+      - ./data/slapd/database:/var/lib/ldap
+      - ./data/slapd/config:/etc/ldap/slapd.d
     environment:
       # If you want to persist data, set the UID/GID to the owner user/groups in your volume mounts
       # - LDAP_OPENLDAP_UID=501
@@ -39,7 +39,7 @@ services:
     container_name: phpldapadmin
     hostname: phpldapadmin
     ports:
-      - "80:80"
+      - "8080:80"
     environment:
       - PHPLDAPADMIN_LDAP_HOSTS=openldap
       - PHPLDAPADMIN_HTTPS=false