Lumi2 is simplistic and makes some assumptions about the structure of your LDAP DIT.
The DIT hierarchy it expects (or creates) looks like this:
![LDAP DIT structure](/docs/ldap-dit-structure.svg)
When deploying a new LDAP server, you don't need to pay too much attention to the rest of this section, as Lumi2 will create the DIT entries for you as necessary.
You should, however, be aware of this structure when configuring other applications to use your LDAP backend.
If you point Lumi2 at an existing LDAP server, make sure its DIT matches the structure shown above and described below, otherwise Lumi2 will not work with your LDAP instance.
It is recommended you use `docker-compose` for Lumi2 and your LDAP server. Use the `docker-compose.yml` and `config.py` files in this repo as a starting point for this.
### Security settings
To generate a secret key and a password hash, you first need to import some of Lumi2's dependencies.
The easiest way to do this is by using a virtual environment. In the repo's root folder, run the following shell commands:
What you put here depends on your environment, but if you are using `docker-compose` with both Lumi2 and OpenLDAP running in the same compose stack, you can simply set the LDAP container's hostname here.
By default, Lumi2 tries to connect on port 389, the standard LDAP port, but you can specify a non-standard port as well.
The following are all valid options:
```python
LDAP_HOSTNAME = 'myhost'
LDAP_HOSTNAME = 'ldap.example.com:9000'
LDAP_HOSTNAME = 'ldap://foo.bar.org'
```
**Important:** Communication between Lumi2 and LDAP is currently not encrypted, so anyone listening to the network traffic between the two can read the user information being exchanged between Lumi2 and your LDAP server.
Deploying Lumi2 alongside LDAP using `docker-compose` is therefore highly recommended.
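The helper below, an added example and not Lumi2's own code, normalizes the three `LDAP_HOSTNAME` forms listed above into a `(scheme, host, port)` tuple with the port defaulting to 389, and, going beyond the page, also accepts `ldaps://` (default port 636) so the plaintext transport noted above can be recognized at configuration time. The function name and the `ldaps` handling are assumptions, not part of Lumi2.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Default ports per scheme. 'ldaps' is an added generalization; the page
# only documents plaintext 'ldap' forms.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_hostname(value: str) -> Tuple[str, str, int]:
    """Normalize an LDAP_HOSTNAME value into (scheme, host, port).

    Documented forms (hypothetical helper, not Lumi2's API):
        'myhost'                -> ('ldap', 'myhost', 389)
        'ldap.example.com:9000' -> ('ldap', 'ldap.example.com', 9000)
        'ldap://foo.bar.org'    -> ('ldap', 'foo.bar.org', 389)
    """
    value = value.strip()
    if not value:
        raise ValueError("LDAP_HOSTNAME must not be empty")
    # A bare 'host' or 'host:port' has no scheme; prepend one so urlsplit
    # parses it as an authority instead of a path.
    if "://" not in value:
        value = "ldap://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("LDAP_HOSTNAME has no host component")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("LDAP_HOSTNAME must be host[:port] or scheme://host[:port]")
    # parts.port raises ValueError itself for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def transport_warning(value: str) -> Optional[str]:
    """Return a warning string when the configured transport is plaintext."""
    scheme, host, port = parse_ldap_hostname(value)
    if scheme == "ldap":
        return f"LDAP traffic to {host}:{port} is unencrypted; keep it on a private network"
    return None
```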
#### Bind user settings
Provide the DN (distinguished name) and password for a user with read- and write-access to your LDAP server by setting the `LDAP_BIND_USER_DN` and `LDAP_BIND_USER_PASSWORD`
You can additionally write the HTTP access logs to a file by specifying `LOG_FILE_PATH`.
Note that the specified path points to *inside* the container, so if you want to persist access logs across container restarts, you should set up a Docker volume accordingly.
Make sure the specified path is writeable by Lumi2.
`LOG_FILE_MAX_SIZE` specifies how large the log file can get before being replaced (log rotation).
Two access log files are kept: the one currently in use, and the previous one which has reached the maximum size. Any older log files are automatically deleted.
To disable log rotation, leave the variable unspecified or set it to `0`.
The `Dockerfile` and `docker-compose.yml` create a Lumi2 instance running behind a [waitress](https://docs.pylonsproject.org/projects/waitress/en/latest/) WSGI server,
To customize the bootstrap theme, some of Bootstrap 5's SASS variables are modified in `/scss/bootstrap.scss` and then compiled using a SASS preprocessor.