<LDAP>
	# LDAP server URL
	URL		ldap://ldap1.example.org

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	# BindDN		uid=Manager,ou=People,dc=example,dc=com

	# Bind Password
	# Password	SecretPassword

	# Network timeout (in seconds)
	Timeout		15

	# Enable Start TLS
	TLSEnable	yes

	# Follow LDAP Referrals (anonymously)
	FollowReferrals yes

	# TLS CA Certificate File
	TLSCACertFile	/usr/local/etc/ssl/ca.pem

	# TLS CA Certificate Directory
	TLSCACertDir	/etc/ssl/certs

	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile	/usr/local/etc/ssl/client-cert.pem
	TLSKeyFile	/usr/local/etc/ssl/client-key.pem

	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite	ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
	# Base DN
	BaseDN		"ou=People,dc=example,dc=com"

	# User Search Filter
	SearchFilter	"(&(uid=%u)(accountStatus=active))"

	# Require Group Membership
	RequireGroup	false

	# Add non-group members to a PF table (disabled)
	#PFTable	ips_vpn_users

	# Uncomment and set to true to support OpenVPN Challenge/Response
	#PasswordIsCR	false
	<Group>
		# Default is true. Match full user DN if true, uid only if false.
		# RFC2307bis   true

		# Default is true. Uncomment and set to false if you want to use a Search operation to determine group
		# membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
		# required in certain LDAP environments.
		# UseCompareOperation   true

		BaseDN		"ou=Groups,dc=example,dc=com"
		SearchFilter	"(|(cn=developers)(cn=artists))"
		MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_vpn_eng
	</Group>
</Authorization>