---
# Bind credential for the LDAP service account used by the NetBoxEnterprise
# resource below (referenced there via bindPassword.name / bindPassword.key).
#
# SECURITY: the value below is a placeholder. Do not commit a real password
# to version control; inject it at deploy time (secret manager, sealed or
# external secret, or `kubectl create secret`). stringData is only a write
# convenience: the API server stores it base64-encoded under .data, so anyone
# who can read Secrets in this namespace can recover the plaintext. Restrict
# Secret read access accordingly and rotate the password if this manifest is
# ever exposed.
apiVersion: v1
kind: Secret
metadata:
  name: netbox-ldap-openldap-secret
  namespace: default
type: Opaque
stringData:
  # LDAP service account bind password (placeholder, see above)
  password: 'YourSecurePasswordHere'

---
# NetBoxEnterprise instance authenticating users against OpenLDAP.
#
# Access model, reading the settings below together:
#   - groups.requireGroupDn is the login allow-list; autoCreateUser then
#     creates a local NetBox account for each permitted user on first login.
#   - groups.isAdminDn grants admin-interface access, groups.isSuperuserDn
#     grants every permission. Keep both groups small and audited.
#   - Directory changes are presumably subject to ldap.cacheTimeout before
#     NetBox sees them (TODO confirm exactly what the cache covers).
apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox-ldap-openldap
  namespace: default
spec:
  imagePullPolicy: IfNotPresent

  netbox:
    replicas: 1
    image:
      pullPolicy: IfNotPresent

    config:
      auth:
        # Create a NetBox user on first successful LDAP login (default: true).
        # SECURITY: with this on, anyone who authenticates and passes the
        # groups.requireGroupDn gate gets an account automatically; if that
        # optional gate is removed, any directory user who authenticates can
        # log in.
        autoCreateUser: true

        ldap:
          # Use ldaps:// (TLS, port 636) so the bind password and the users'
          # credentials are not sent in clear text. Pair with
          # ignoreCertErrors: false so the server certificate is validated.
          serverUri: 'ldaps://ldap.example.com:636'

          # Service account that performs the user and group searches below.
          # SECURITY: use a dedicated read-only account; it only needs to
          # search the user and group subtrees and should have no write
          # rights in the directory. (OpenLDAP conventionally uses cn= for
          # service account DNs.)
          bindDn: 'cn=netbox,ou=Service Accounts,dc=example,dc=com'

          # Bind password is taken from a Secret, never written inline here.
          bindPassword:
            name: netbox-ldap-openldap-secret
            key: password

          # Keep false in production (default: false). Setting true skips
          # certificate validation, so ldaps:// no longer protects against a
          # spoofed server. For self-signed test CAs, prefer trusting that CA
          # explicitly if the operator offers a way to do so.
          ignoreCertErrors: false

          # Extra connection options as a Python dict literal. Referral
          # chasing stays disabled (the default); following referrals can
          # redirect the client to a different server.
          connectionOptions: '{ ldap.OPT_REFERRALS: 0 }'

          # Seconds to cache LDAP results (default: 300). NOTE(review):
          # presumably a user removed from a gating group keeps access until
          # this expires — confirm before relying on immediate revocation.
          cacheTimeout: 300

          userSearch:
            # OpenLDAP usually keeps people under ou=People, keyed by uid.
            searchBaseDn: 'ou=People,dc=example,dc=com'
            searchAttr: 'uid'
            # "subtree" is the default scope.
            searchScope: 'subtree'
            # Override the default filter "(uid=%(user)s)" only if needed:
            # searchFilter: '(uid=%(user)s)'

          groups:
            # OpenLDAP usually keeps groups under ou=Groups as POSIX groups.
            # Other groupType values: "groupOfNames", "groupOfUniqueNames",
            # "nestedGroupOfNames".
            searchBaseDn: 'ou=Groups,dc=example,dc=com'
            groupType: 'posixGroup'

            # Derive NetBox permissions from LDAP groups (default: true).
            findGroupPerms: true
            # Create NetBox groups mirroring LDAP groups (default: true).
            # NOTE(review): presumably a user's NetBox group set then follows
            # the directory on login — confirm before managing any group
            # membership manually in NetBox.
            mirrorGroups: true

            # Login gate: only members of this group may sign in.
            requireGroupDn: 'cn=netbox-users,ou=Groups,dc=example,dc=com'
            # Members may use the NetBox admin interface.
            isAdminDn: 'cn=netbox-admins,ou=Groups,dc=example,dc=com'
            # Members receive every permission with no further checks.
            isSuperuserDn: 'cn=netbox-superusers,ou=Groups,dc=example,dc=com'

    worker:
      replicas: 1

  # Optional Diode ingestion; disabled here.
  diode:
    enabled: false

  # Database and cache are provisioned by the operator rather than external.
  postgresql:
    external: false
  redis:
    external: false
