# Sample environment values for a FreeIPA + Keycloak deployment.
# Every *_PASSWORD value below is a placeholder. Replace each with a unique,
# randomly generated secret before first start, and keep the filled-in copy
# out of version control and readable only by the deploying user.

# ── FreeIPA ───────────────────────────────────────────────────────────────────
# Fully qualified host name, DNS domain and realm of the IPA server.
IPA_HOSTNAME=ipa.corp.example.com
IPA_DOMAIN=corp.example.com
IPA_REALM=CORP.EXAMPLE.COM
# Password of the IPA admin account (placeholder).
IPA_ADMIN_PASSWORD=ChangeMe123!
# Directory Manager password (placeholder). Directory Manager is the LDAP
# superuser of the underlying directory server, so treat this as the most
# sensitive value in the file.
IPA_DM_PASSWORD=ChangeMe456!
# NOTE(review): the three settings below presumably toggle the integrated DNS
# server, its upstream forwarder and the Key Recovery Authority at install
# time. Confirm against the install script that reads this file.
IPA_SETUP_DNS=false
IPA_DNS_FORWARDER=
IPA_SETUP_KRA=false

# ── Keycloak ──────────────────────────────────────────────────────────────────
KC_HOSTNAME=keycloak.corp.example.com
KC_REALM=corp
# Keycloak administrator account. A predictable name such as "admin" leaves
# the password as the only unknown, so the value below must be strong.
KC_ADMIN=admin
KC_ADMIN_PASSWORD=ChangeMe789!
# Password for Keycloak's database user (placeholder).
KC_DB_PASSWORD=ChangeMe000!

# ── Keycloak → FreeIPA LDAP federation ───────────────────────────────────────
# Leave IPA_BIND_PASSWORD blank to reuse IPA_DM_PASSWORD.
# In production, create a dedicated read-only service account in FreeIPA.
# With the defaults below, Keycloak binds as Directory Manager and stores that
# credential, so a compromise of Keycloak exposes full control of the
# directory rather than read access to user entries.
# NOTE(review): the DN contains a space and is unquoted. That works with
# parsers that take the rest of the line as the value, but breaks if this file
# is sourced by a shell. Confirm against the consumer.
IPA_BIND_DN=cn=Directory Manager
IPA_BIND_PASSWORD=
# NOTE(review): "false" presumably selects plain ldap:// for the federation
# link. If so, the bind password and user attributes cross the network
# unencrypted unless the consumer applies StartTLS. Set to true once Keycloak
# trusts the IPA CA certificate.
IPA_USE_LDAPS=false