Config keys
The published file is config/iam-directory.php (php artisan vendor:publish --tag=iam-directory-config).
This is the terse reference; the Configuration guide has recipes and rationale.
Top level
| Key | Type | Default | Meaning |
|---|---|---|---|
| organization_id | ?string | env('IAM_DIRECTORY_ORG') | Target org for provisioning. null = global users — no membership, no grants. |
| jit | array | see below | The Just-In-Time provisioning policy. |
| group_map | array | [] | Directory group → IAM role(s) mapping. |
jit — the provisioning policy
Mapped to DirectoryJitPolicy::fromArray(). The checks are evaluated in order before any write; the first failure returns pending(reason) with the reason listed in the last column.
| Key | Type | Default | Meaning | Failure reason |
|---|---|---|---|---|
| require_verified_email | bool | true | Require DirectoryUser::emailVerified before provisioning. | jit_requires_verified_email |
| allowed_domains | `list<string>` | [] | Email-domain allowlist (exact match, lowercased). [] = no restriction. | jit_domain_not_allowed |
| approval_required | bool | false | Hold every provisioning request for manual approval. | jit_approval_required |
| default_roles | `list<string>` | [] | Bootstrap roles (full_key) granted to every provisioned user. Not filtered by protected_roles. | — |
| group_mapping | bool | true | Whether to apply group_map. false = only default_roles are granted. | — |
| protected_roles | `list<string>` | [] | Roles never grantable via the directory (subtracted from mapped roles). | — |
fromArray is defensive
Non-array or wrong-typed values fall back to the secure defaults above; list fields keep only their string entries. A malformed config therefore cannot silently produce a more permissive policy than the defaults.
group_map — group → role mapping
```php
'group_map' => [
    'cn=warehouse-admins,ou=groups,dc=acme,dc=com' => 'warehouse:admin',
    'developers' => ['app:developer', 'app:deployer'],
],
```
| Aspect | Rule |
|---|---|
| Key | Group full DN or short CN. Matched case-insensitively (lowercased + trimmed). |
| CN extraction | From a DN, the leftmost cn=… is also tried (^cn=([^,]+)). |
| Value | A single role full_key, or a list<full_key>. |
| Normalization | Empty strings and non-string entries are dropped. |
| Unmapped groups | Ignored — default-deny, no implicit roles. |
| Output | rolesFor() returns unique, sorted roles. |
See Group → role mapping for the full semantics.
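As an added, stand-alone illustration of the policy gate in the jit table and the matching rules in the group_map table above (not the package's own DirectoryJitPolicy or GroupMapper code), the script below applies those rules to a constructed config. The function names jitFailureReason and rolesFor are assumptions, and the script assumes PHP 8.

```php
<?php
// Added, stand-alone illustration of the rules in the config tables; it is not the
// package's own DirectoryJitPolicy/GroupMapper code, and the function names are assumptions.
declare(strict_types=1);
// Constructed config with the same shape as config/iam-directory.php.
$config = [
    'jit' => ['require_verified_email' => true, 'allowed_domains' => ['acme.com'], 'approval_required' => false,
              'default_roles' => ['iam:tenant_member'], 'group_mapping' => true, 'protected_roles' => ['iam:super_admin']],
    'group_map' => [
        'cn=warehouse-admins,ou=groups,dc=acme,dc=com' => 'warehouse:admin',
        'developers' => ['app:developer', 'app:deployer', '', 42], // '' and 42 are dropped
        'ops' => 'iam:super_admin',                                // protected: never granted
    ],
];
// Checks run in table order; the first failure names the pending() reason, null means proceed.
function jitFailureReason(array $jit, bool $emailVerified, string $email): ?string
{
    if (($jit['require_verified_email'] ?? true) === true && !$emailVerified) {
        return 'jit_requires_verified_email';
    }
    $allowed = array_map('strtolower', array_filter($jit['allowed_domains'] ?? [], 'is_string'));
    $domain = strtolower(substr(strrchr($email, '@') ?: '@', 1)); // '' when there is no '@'
    if ($allowed !== [] && !in_array($domain, $allowed, true)) {
        return 'jit_domain_not_allowed';
    }
    return ($jit['approval_required'] ?? false) === true ? 'jit_approval_required' : null;
}
// Match each group by full DN or leftmost CN (lowercased, trimmed), drop empty or
// non-string roles, subtract protected_roles, then add default_roles unfiltered.
function rolesFor(array $groupMap, array $jit, array $memberOf): array
{
    $map = [];
    foreach ($groupMap as $group => $value) {
        $map[strtolower(trim($group))] = array_values(array_filter((array) $value, fn ($r) => is_string($r) && $r !== ''));
    }
    $roles = [];
    if (($jit['group_mapping'] ?? true) === true) {
        foreach ($memberOf as $group) {
            $group = strtolower(trim($group));
            $cn = preg_match('/^cn=([^,]+)/', $group, $m) ? $m[1] : null;
            $roles = [...$roles, ...($map[$group] ?? []), ...($map[$cn] ?? [])];
        }
        $roles = array_diff($roles, $jit['protected_roles'] ?? []);
    }
    $roles = array_values(array_unique([...$roles, ...($jit['default_roles'] ?? [])]));
    sort($roles);
    return $roles;
}
print_r(rolesFor($config['group_map'], $config['jit'], ['CN=Warehouse-Admins,OU=Groups,DC=acme,DC=com', 'cn=ops,ou=groups,dc=acme,dc=com', 'developers']));
echo jitFailureReason($config['jit'], true, 'dev@contractor.example'), PHP_EOL;
```

The ops group resolves to iam:super_admin and is dropped by protected_roles, while iam:tenant_member from default_roles is added without that filter; the second call is rejected on the domain allowlist even though the email is verified.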
Environment variables
| Var | Key |
|---|---|
| IAM_DIRECTORY_ORG | organization_id |
LdapRecord connection settings (host, base DN, bind credentials, TLS) are not in this file; they are configured through LdapRecord itself. See LDAP setup.
Full annotated example
```php
return [
    // Provisioning scope. null = global users with no membership/grants.
    'organization_id' => env('IAM_DIRECTORY_ORG'),

    'jit' => [
        'require_verified_email' => true,                  // gate unverified emails
        'allowed_domains'        => ['acme.com'],          // [] = any domain
        'approval_required'      => false,                 // true = hold at 'pending'
        'default_roles'          => ['iam:tenant_member'], // every user; not protected-filtered
        'group_mapping'          => true,                  // apply group_map below
        'protected_roles'        => ['iam:super_admin'],   // never via the directory
    ],

    'group_map' => [
        'cn=warehouse-admins,ou=groups,dc=acme,dc=com' => 'warehouse:admin',
        'developers' => ['app:developer', 'app:deployer'],
    ],
];
```
Related
- Configuration guide — recipes and rationale.
- PHP API — the DirectoryJitPolicy / GroupMapper signatures these keys feed.