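{# LemonLDAP::NG configuration rendered by Jinja2 for the Risotto "lemonldap"
   service.  Everything in `{{ ... }}` / `{% ... %}` is substituted at render
   time and the result must be strict JSON, so no template construct may emit
   text outside a JSON string or between JSON tokens.  Interpolated values
   (descriptions, names, family labels, app ids) are inserted unescaped: a `"`
   or `\` inside one of them would break the rendered file -- the `tojson`
   filter would be the fix if this environment provides it (TODO confirm). #}
{
  "mailFrom" : "{{ general.lemonldap.lemon_mail_admin }}",
  "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
  "portalSkinBackground" : "",
  "portalCustomCss": "risotto/risotto.css",
  "authentication" : "LDAP",
  "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
  "managerDn" : "{{ general.ldap.client.ldapclient_user }}",
  "managerPassword" : "{{ general.ldap.client.ldapclient_user_password }}",
  "ldapPpolicyControl" : 1,
  "ldapAllowResetExpiredPassword" : 1,
  "ldapChangePasswordAsUser" : 1,
  "ldapBase" : "{{ general.ldap.client.ldapclient_search_dn }}",
  "ldapExportedVars" : {
    "uid" : "uid",
    "cn" : "cn",
    "sn" : "sn",
    "mail" : "mail",
    "givenName" : "givenName",
    "home" : "homeDirectory"
  },
  "ldapGroupBase" : "{{ general.ldap.client.ldapclient_group_dn }}",
  "ldapGroupAttributeName" : "member",
  "ldapGroupAttributeNameGroup" : "dn",
  "ldapGroupAttributeNameSearch" : "cn",
  {# `ldapGroupAttributeNameUser` used to appear twice ("cn" first, "dn" later).
     Last-wins parsers kept "dn", which is the value a groupOfNames/member
     lookup needs, so the stale "cn" entry is dropped instead of leaving a
     parser-dependent duplicate key. #}
  "ldapGroupAttributeNameUser" : "dn",
  "ldapGroupObjectClass" : "groupOfNames",
  "ldapPort" : "636",
  "ldapServer" : "ldaps://{{ general.ldap.server.ldap_server_address }}",
  "ldapVerify" : "required",
  "ldapTimeout" : 120,
  "cfgAuthor" : "Risotto",
  "cfgNum" : 1,
  "cfgVersion" : "2.0.9",
  "demoExportedVars" : { "cn" : "cn", "mail" : "mail", "uid" : "uid" },
  "domain" : "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}",
  "exportedVars" : { "UA" : "HTTP_USER_AGENT", "cn" : "cn", "mail" : "mail" },
  "globalStorageOptions" : {
    "Directory" : "/srv/lemonldap-ng/sessions",
    "LockDirectory" : "/srv/lemonldap-ng/sessions/lock"
  },
  "issuerDBOpenIDConnectActivation" : 1,
  "localSessionStorageOptions" : {
    "cache_depth" : 3,
    "cache_root" : "/srv/lemonldap-ng/cache",
    "default_expires_in" : 600,
    "directory_umask" : "007",
    "namespace" : "lemonldap-ng-sessions"
  },
  "locationRules" : {
    "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}" : {
      "default" : "accept"
{# One protected virtual host per distinct host of every OAuth2 remote; the
   `domains` list de-duplicates hosts shared by several remotes.  The portal
   domain itself is not seeded into `domains`, so a remote host equal to it
   would produce a duplicate key in locationRules -- TODO confirm that cannot
   happen.  `.append()` returns None; assigning it with `set` keeps the return
   value out of the rendered JSON. #}
{% set domains = [] %}
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% for external in oauth2['oauth2_' + key]['external_' + key]['hosts_' + key] %}
{# assumes each host entry stringifies to `scheme://host/...`; a bare
   `scheme://host` with no trailing path yields '' here -- TODO confirm #}
{% set domain = (external|string).split('/', 3)[-2] %}
{% if domain not in domains %}
    },
    "{{ domain }}" : {
      "^/logout" : "logout_sso",
{# NOTE(review): in LemonLDAP::NG `$groups` is a '; '-joined string, so an
   `eq` test only matches users whose sole group is this family; if users can
   belong to several groups, `inGroup('...')` is the usual check -- confirm. #}
      "default" : "$groups eq \"{{ external['family_' + key] }}\""
{% set _ = domains.append(domain) %}
{% endif %}
{% endfor %}
{% endfor %}
    }
  },
  "loginHistoryEnabled" : 1,
  "macros" : {
    "UA" : "$ENV{HTTP_USER_AGENT}",
    "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
  },
  "mailUrl" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/resetpwd",
  "mySessionAuthorizedRWKeys" : [ "_appsListOrder", "_oidcConnectedRP", "_oidcConsents" ],
  "notification" : 1,
  "notificationStorageOptions" : { "dirName" : "/srv/lemonldap-ng/notifications" },
{# Claims exported to every OpenID Connect relying party (same mapping for all). #}
  "oidcRPMetaDataExportedVars" : {
{% for app in oauth2.remotes %}
    "{{ app }}" : {
      "email" : "mail",
      "family_name" : "sn",
      "name" : "cn",
      "nickname" : "uid",
      "home" : "home"
    }{% if not loop.last %},{% endif %}
{% endfor %}
  },
{# Per-relying-party OIDC options.  Client secrets are rendered in clear here
   (as is the signing private key further down), so keep the rendered file's
   permissions restricted.  NOTE(review): when `login_<key>` is unset the RP is
   registered without any redirect URI -- confirm LemonLDAP::NG then refuses
   authorization requests for it; otherwise this entry should be unconditional. #}
  "oidcRPMetaDataOptions" : {
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% set rp = oauth2['oauth2_' + key] %}
    "{{ app }}" : {
      "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
      "oidcRPMetaDataOptionsAllowOffline" : 1,
      "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
      "oidcRPMetaDataOptionsBypassConsent" : 1,
      "oidcRPMetaDataOptionsClientID" : "{{ rp['client_id_' + key] }}",
      "oidcRPMetaDataOptionsClientSecret" : "{{ rp['secret_' + key] }}",
      "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
      "oidcRPMetaDataOptionsIDTokenSignAlg" : "{{ rp['token_signature_algo_' + key] }}",
      "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
      "oidcRPMetaDataOptionsLogoutType" : "front",
      "oidcRPMetaDataOptionsPublic" : 0,
{% if rp['login_' + key] %}
      "oidcRPMetaDataOptionsRedirectUris" : "{{ rp['login_' + key] }}",
{% endif %}
      "oidcRPMetaDataOptionsRefreshToken" : 0,
      "oidcRPMetaDataOptionsRequirePKCE" : 0
    }{% if not loop.last %},{% endif %}
{% endfor %}
  },
  "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
  "oidcServiceMetaDataAuthnContext" : { "loa-1" : 1, "loa-2" : 2, "loa-3" : 3, "loa-4" : 4, "loa-5" : 5 },
{# Key material arrives as PEM text with real newlines; a JSON string cannot
   hold raw newlines, so each one is replaced by the two-character escape `\n`. #}
{% set tpub = domain_name_eth0|get_public_key(hide=hide_secret) %}
{% set pub = tpub.split("\n")|join('\\n') %}
  "oidcServicePublicKeySig" : "{{ pub }}",
{% set tpriv = domain_name_eth0|get_private_key(hide=hide_secret) %}
{% set priv = tpriv.split("\n")|join('\\n') %}
  "oidcServicePrivateKeySig" : "{{ priv }}",
  "passwordDB" : "LDAP",
  "persistentStorage" : "Apache::Session::File",
  "persistentStorageOptions" : {
    "Directory": "/srv/lemonldap-ng/psessions",
    "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
  },
  "portal" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/",
  "portalCheckLogins": 0,
  "portalDisplayRegister": 0,
  "portalDisplayResetPassword": 0,
  "portalMainLogo": "risotto/logo.png",
  "showLanguages": 0,
{# Form token required for every request except those whose REMOTE_ADDR is the
   eth0 gateway.  NOTE(review): if all portal traffic arrives through the
   reverse proxy and REMOTE_ADDR is not rewritten from the forwarded client
   address, every request may match this exception and the token is never
   required -- confirm which address the portal actually sees. #}
  "requireToken": "$env->{REMOTE_ADDR} ne '{{ gateway_eth0 }}'",
  "whatToTrace" : "_whatToTrace",
{# Group the OAuth2 remotes that carry a description by category for the portal
   application menu: {category: [{key, description, logo, name, uri}, ...]}.
   Remotes without a description are left out of the menu. #}
{% set remotes = {} %}
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% set rp = oauth2['oauth2_' + key] %}
{% set description = rp['description_' + key] %}
{% if description %}
{% set dico = {'key': key, 'description': description, 'logo': "risotto/" + rp['logo_' + key], 'name': rp['name_' + key], 'uri': rp['external_' + key]['hosts_' + key]} %}
{% set _ = remotes.setdefault(rp['category_' + key], []).append(dico) %}
{% endif %}
{% endfor %}
{# Application ids are `<family>_<host index>`; two remotes normalising to the
   same family inside one category would collide -- TODO confirm families are
   unique per category. #}
  "applicationList" : {
{% for cat in remotes %}
{% if not loop.first %},{% endif %}
    "cat_{{ loop.index - 1 }}" : {
      "catname" : "{{ cat }}",
{% for dico in remotes[cat] %}
{% for uri in dico['uri'] %}
      "{{ dico['key'] }}_{{ loop.index - 1 }}" : {
        "options" : {
          "description" : "{{ dico['description'] }}",
          "display" : "auto",
          "logo" : "{{ dico['logo'] }}",
          "name" : "{{ dico['name'] }}",
          "uri" : "{{ uri }}"
        },
        "type" : "application"
      },
{% endfor %}
{% endfor %}
      "type" : "category"
    }
{%- endfor -%}
  }
}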