# nslcd.conf template (Jinja2): LDAP lookups over TLS, authenticating to the
# directory with this host's own certificate (SASL EXTERNAL).

# user and group the nslcd daemon runs as
uid nslcd
gid ldap

# one ldaps:// URI per entry in ldap_server, space-separated on a single line.
# NOTE(review): an empty ldap_server list renders a bare "uri" with no value.
# Keep the blank line after this directive: when the template is rendered with
# Jinja2 trim_blocks enabled (the Ansible template default), the newline
# directly after the endfor tag is consumed, and without the blank line the
# next directive would be joined onto the uri line.
uri {% for server in ldap_server %}ldaps://{{ server }} {% endfor %}

# search base used for lookups
base {{ ldap_basedn }}

# time out searches after 30 seconds
timelimit 30

# close idle connections after 10 minutes
idle_timelimit 600

# do not search group memberships for local users
nss_initgroups_ignoreusers ALLLOCAL

# request paged search results, 500 entries per page
pagesize 500

# read the group "member" attribute from uniqueMember in the directory
map group member uniqueMember

# use ssl and verify server cert
ssl on
# demand: the connection is refused unless the server presents a certificate
# that validates against tls_cacertfile; do not relax this to allow/never.
tls_reqcert demand
tls_cacertfile {{ tls_bundle }}

# use local host cert/key for authentication
# Both paths are derived from inventory_hostname, so each host presents its
# own identity.
# NOTE(review): the private key has to be readable by the nslcd uid above and
# should not be readable by other accounts; ownership and mode are not set by
# this template, confirm them where the key is deployed.
tls_key {{ tls_private }}/{{ inventory_hostname }}.key
tls_cert {{ tls_certs }}/{{ inventory_hostname }}.crt
# EXTERNAL: the bind identity comes from the TLS client certificate above;
# no binddn/bindpw appears in this template.
sasl_mech EXTERNAL