[Docs] Add Puavo config example

58f6f1b7 · magicfelix · 1d379571 · 58f6f1b7
Verified Commit 58f6f1b7 authored 2 years ago by magicfelix
--- a/docs/admin/30_examples.rst
+++ b/docs/admin/30_examples.rst
+Application integration examples
+================================
+
+Connecting with Puavo
+---------------------
+
+The school management system `Puavo`_ provides an LDAP server.
+To connect AlekSIS to it, the CA certificate the LDAP TLS certificate is signed with has to
+be copied to the AlekSIS server. It can be found in `/etc/ssl/certs/ca.PUAVODOMAIN.crt`.
+Reference it in `/etc/ldap/ldap.conf` using::
+
+  TLS_CACERT	/etc/ssl/certs/ca.PUAVODOMAIN.crt
+
+Furthermore, an LDAP service has to be created for AlekSIS to query users.
+In Puavo Web, create an LDAP service named `AlekSIS` and tick the checkbox `LDAP bind`.
+
+After saving it, one can see its Bind DN in the format `uid=AlekSIS,ou=System Accounts,dc=edu,dc=example,dc=org`.
+
+For LDAP configuration in AlekSIS, the configuration seen above can be
+adapted as follows::
+
+  [ldap]
+  uri = "ldaps://puavoserver.PUAVODOMAIN"
+  bind = { dn = "uid=AlekSIS,ou=System Accounts,dc=edu,dc=example,dc=org", password = "PASSWORD" }
+
+  [ldap.users]
+  search = { base = "ou=People,dc=edu,dc=example,dc=org", filter = "(uid=%(user)s)" }
+  map = { first_name = "givenName", last_name = "sn", email = "mail" }
+
+  [ldap.groups]
+  search = { base = "ou=Groups,dc=edu,dc=example,dc=org" }
+  type = "posixGroup"
+
+`PUAVODOMAIN` is independent from `example.org`. For a Puavo web instance located under `city.state.schools.example`
+it likely is `state.schools.example`, so the LDAP server uri would be `puavoserver.state.schools.example`.
+
+Find the `GROUP_ID` of the Administrator's group in Puavo Web, where you can copy the whole `DN` from the group detail page.
+
+Now, after a restart of AlekSIS, Puavo users can log in with their credentials.
+Use an admin account to do the last required configuration in AlekSIS' web interface.
+
+Go to `Admin → Configuration` and the `Accounts` tab to activate `Automatically create new persons for new users`.
+Then, go to the `LDAP` tab, tick `Enable LDAP sync`, `Enable ldap group sync` and `Change LDAP password on AlekSIS password change`.
+As a last step, fill out the LDAP matching fields `First name` as `givenName`, `Last name` as `sn`, `Home phone` as `telephoneNumber`, `E-mail address` as `mail` and `Photo` as `jpegPhoto`.
+
+.. _Puavo: https://puavo.org