Update configuration docs, include imageAttribute

README.md

@@ -79,6 +79,10 @@ extauthmod = true
 ; set this to true if you'd like that as well
 ; Drawpile flag: HOST
 extauthhost = true
+; drawpile-ldap-auth-server may additionally retrieve user avatars from LDAP; set this to true
+; if you want Drawpile to request user avatars upon authentication
+; You must also configure ldap.imageAttribute in your drawpile-ldap-auth-server configuration
+extAuthAvatars = true
 ; should guests be allowed to access Drawpile?
 ; this setting must match the setting in config.toml for drawpile-ldap-auth-server
 allowGuests = false

config.example.toml

@@ -7,58 +7,72 @@
 # Env: DRAWPILE_AUTH_TOKEN_SIGNING_KEY
 # Arg: drawpile-auth-token-signing-key
 signingKey = ""
-# The port this auth server should listen on. 8081 by default
+# Port the auth server should listen on
+# Default: 8081
 # Env: PORT
 # Arg: port
 port = 8081
-# The route path the express application should look for
+# Route to serve requests on
 # Useful if you run this behind a reverse proxy on a shared domain
+# Default: /ext-auth
 # Env: ROUTE
 # Arg: route
 path = "/ext-auth"
 # Should guests be allowed to authenticate with the server?
+# Default: false
 # Env: ALLOW_GUESTS
 # Arg: allow-guests
 allowGuests = true
 
 # General LDAP settings
 # Additional options may be found at https://github.com/ldapts/ldapts#create-a-client
 [ldap]
-# The URL to your LDAP server
+# URL to connect to your LDAP server
 # Env: LDAP_URL
 # Arg: ldap-url
 url = "ldap://localhost:389"
-# The bind DN to access LDAP information without a user login
+# DN of the LDAP user to bind to when looking up user info
 # Env: LDAP_BIND_DN
 # Arg: ldap-bind-dn
 bindDN = "cn=admin,dc=example,dc=com"
-# The LDAP password for the above bind user
+# Password of the LDAP user to bind to when looking up user info
 # Env: LDAP_BIND_PASS
 # Arg: ldap-bind-pass
 bindPW = "admin"
-# The DN which contains your LDAP users
+# DN where LDAP users are stored
 # Env: LDAP_USER_DN
 # Arg: ldap-user-dn
 userDN = "ou=users,dc=example,dc=com"
 # The search filter to apply when searching for users
 # %u is replaced with the logging-in user's username
+# Default: (uid=%u)
 # Env: LDAP_USER_FILTER
 # Arg: ldap-user-filter
 userSearchFilter = "(uid=%u)"
-# DN which contains your LDAP groups
+# DN where LDAP groups are stored
+# Since this library does all group lookups in this DN, you may
+# consider making an OU for Drawpile groups specifically
 # Env: LDAP_GROUP_DN
 # Arg: ldap-group-dn
 groupDN = "ou=drawpile,ou=groups,dc=example,dc=com"
-# The attribute used by your server to test if a user is member of a group
+# memberOf attribute used by your LDAP server
 # You can probably leave this as the default
+# Default: memberOf
 # Env: LDAP_MEMBER_OF_ATTR
 # Arg: ldap-member-of-attr
 memberOfAttribute = "memberOf"
-# The attribute which stores display names for users
+# LDAP attribute used to store the display name to use for users
 # Optional; user display name defaults to provided username
 # Env: LDAP_DISPLAY_NAME_ATTR
 # Arg: ldap-display-name-attr
 displayNameAttribute = "displayName"
+# LDAP attribute used to store profile images for users
+# Optional; no avatars will be served if this isn't set
+# Drawpile must also be configured to request auth server avatars by setting
+# extAuthAvatars = true
+# Env: LDAP_IMAGE_ATTR
+# Arg: ldap-image-attr
+imageAttribute = "jpegPhoto"
 
 [ldap.flagGroups]
 # Defines a mapping between LDAP groups and Drawpile flags

src/config.ts

@@ -16,21 +16,21 @@ const config = convict({
 		sensitive: true,
 	},
 	port: {
-		doc: 'Port to listen on',
+		doc: 'Port the auth server should listen on',
 		format: 'port',
 		default: DEFAULT_PORT,
 		env: 'PORT',
 		arg: 'port',
 	},
 	path: {
-		doc: 'Route to serve requests on; useful if this running behind a reverse proxy like nginx',
+		doc: 'Route to serve requests on; useful you run this behind a reverse proxy like nginx',
 		format: '*',
 		default: DEFAULT_ROUTE,
 		env: 'ROUTE',
 		arg: 'route',
 	},
 	allowGuests: {
-		doc: 'Should guests be allowed to authenticate?',
+		doc: 'Should guests be allowed to authenticate with the server?',
 		format: Boolean,
 		default: false,
 		env: 'ALLOW_GUESTS',