{ "_secrets": "Admin-004: no secrets are committed here. Supply the ConfigDb connection string and the LDAP service-account password via user-secrets (dev) or environment variables / a secret store (prod). Env-var keys: ConnectionStrings__ConfigDb and Authentication__Ldap__ServiceAccountPassword. The connection string defaults to Encrypt=True (TLS); use a least-privilege SQL login, not 'sa'. The Ldap values committed here (Server=localhost, UseTls=false, AllowInsecureLdap=true) are suitable only for a local development directory: with TLS off, bind passwords are not protected in transit. For any non-local LDAP server set UseTls=true and AllowInsecureLdap=false.", "ConnectionStrings": { "ConfigDb": "" }, "Authentication": { "Ldap": { "Enabled": true, "Server": "localhost", "Port": 3893, "UseTls": false, "AllowInsecureLdap": true, "SearchBase": "dc=lmxopcua,dc=local", "ServiceAccountDn": "cn=serviceaccount,dc=lmxopcua,dc=local", "ServiceAccountPassword": "", "DisplayNameAttribute": "cn", "GroupAttribute": "memberOf", "GroupToRole": { "ReadOnly": "ConfigViewer", "ReadWrite": "ConfigEditor", "AlarmAck": "FleetAdmin" } } }, "Serilog": { "MinimumLevel": "Information" }, "Metrics": { "Prometheus": { "Enabled": true } } }