Configuration Options

Complete reference for config.yaml options.

Gateway Section


gateway:
  url: wss://api.adunlock.me/ws    # Required
  tenant_id: "uuid"                 # Required
  connector_id: "uuid"              # Required

Option	Type	Required	Description
url	string	Yes	Gateway WebSocket URL
tenant_id	string	Yes	Your tenant UUID
connector_id	string	Yes	This connector’s UUID

TLS Section


tls:
  cert_file: "certs/connector.pem"      # Required
  key_file: "certs/connector-key.pem"   # Required
  ca_file: "certs/ca.pem"               # Required

Option	Type	Required	Description
cert_file	string	Yes	Client certificate path
key_file	string	Yes	Private key path
ca_file	string	Yes	CA certificate path

AD Section


ad:
  server: "dc01.company.local"          # Required
  port: 636                             # Default: 636
  tls_mode: "ldaps"                     # Required
  base_dn: "DC=company,DC=local"        # Required
  service_account: "user@domain"        # Required
  service_password: "${ENV_VAR}"        # Required
  allowed_ous:                          # Optional
    - "OU=Users,DC=company,DC=local"
  denied_groups:                        # Optional
    - "Domain Admins"
  search_attributes:                    # Optional
    - sAMAccountName
    - mail
    - telephoneNumber
  connection_timeout: 30s               # Default: 30s
  request_timeout: 60s                  # Default: 60s

Option	Type	Required	Default	Description
server	string	Yes	-	DC hostname
port	int	No	636	LDAP port
tls_mode	string	Yes	-	`ldaps` or `starttls`
base_dn	string	Yes	-	Search base DN
service_account	string	Yes	-	Bind account
service_password	string	Yes	-	Bind password
allowed_ous	[]string	No	all	Allowed OUs
denied_groups	[]string	No	none	Blocked groups
search_attributes	[]string	No	default	Search attrs
connection_timeout	duration	No	30s	Connect timeout
request_timeout	duration	No	60s	Op timeout

Logging Section


logging:
  level: "info"                         # Default: info
  file: "logs/connector.log"            # Optional
  max_size_mb: 10                       # Default: 10
  max_backups: 5                        # Default: 5
  max_age_days: 30                      # Default: 30
  compress: true                        # Default: true

Option	Type	Required	Default	Description
level	string	No	info	debug/info/warn/error
file	string	No	stdout	Log file path
max_size_mb	int	No	10	Max file size
max_backups	int	No	5	Files to keep
max_age_days	int	No	30	Days to keep
compress	bool	No	true	Gzip old logs

Performance Section


performance:
  worker_count: 4                       # Default: CPU count
  job_buffer_size: 100                  # Default: 100
  heartbeat_interval: 30s               # Default: 30s
  reconnect_delay: 5s                   # Default: 5s
  max_reconnect_delay: 60s              # Default: 60s

Environment Variables

All config values support ${VAR_NAME} syntax:


ad:
  service_password: ${AD_SERVICE_PASSWORD}

Set via:


$env:AD_SERVICE_PASSWORD = "secret"

Or via NSSM for services:


nssm set ADConnector AppEnvironmentExtra AD_SERVICE_PASSWORD=secret

Full Example


gateway:
  url: wss://api.adunlock.me/ws
  tenant_id: "abc123-def456-..."
  connector_id: "conn-789-..."
 
tls:
  cert_file: "certs/connector.pem"
  key_file: "certs/connector-key.pem"
  ca_file: "certs/ca.pem"
 
ad:
  server: "dc01.company.local"
  port: 636
  tls_mode: "ldaps"
  base_dn: "DC=company,DC=local"
  service_account: "svc_adunlock@company.local"
  service_password: "${AD_SERVICE_PASSWORD}"
  allowed_ous:
    - "OU=Staff,OU=Users,DC=company,DC=local"
    - "OU=Remote,OU=Users,DC=company,DC=local"
  denied_groups:
    - "Domain Admins"
    - "Enterprise Admins"
    - "Schema Admins"
 
logging:
  level: "info"
  file: "logs/connector.log"
  max_size_mb: 10
  max_backups: 5
 
performance:
  worker_count: 4
  heartbeat_interval: 30s