docs: add comprehensive examples and LDIF setup guide

Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com>

Author: Copilot

examples/README.md

@@ -0,0 +1,108 @@
+# Examples
+
+This directory contains examples demonstrating how to use the LDAP Role Manager with Casbin.
+
+## Files
+
+- **main.go** - A simple example showing how to integrate LDAP role manager with Casbin
+- **rbac_model.conf** - Casbin RBAC model configuration
+- **rbac_policy.csv** - Sample policies for role-based access control
+- **example.ldif** - Sample LDIF file for populating an LDAP directory
+
+## Running the Example
+
+### 1. Set up an LDAP Server
+
+You can use OpenLDAP or any other LDAP server. For testing, you can use Docker:
+
+```bash
+docker run -d \
+  --name openldap \
+  -p 389:389 \
+  -e LDAP_ORGANISATION="Example Inc." \
+  -e LDAP_DOMAIN="example.com" \
+  -e LDAP_ADMIN_PASSWORD="admin" \
+  osixia/openldap:latest
+```
+
+### 2. Populate the LDAP Directory
+
+Load the example LDIF file into your LDAP server:
+
+```bash
+# Using ldapadd
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f example.ldif
+
+# Or using Docker
+docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/example.ldif
+```
+
+You may need to copy the LDIF file into the container first:
+
+```bash
+docker cp example.ldif openldap:/tmp/example.ldif
+```
+
+### 3. Run the Example
+
+Update the connection details in `main.go` if needed, then run:
+
+```bash
+cd examples
+go run main.go
+```
+
+## Expected Output
+
+The example will check permissions for alice (admin) and bob (user):
+
+```
+✓ alice can read data1
+✓ alice can write data1
+✓ bob can read data1
+✗ bob cannot write data1
+
+Roles for alice: [admin user]
+Roles for bob: [user]
+```
+
+## Verifying LDAP Setup
+
+You can verify your LDAP setup using ldapsearch:
+
+```bash
+# Search for all users
+ldapsearch -x -D "cn=admin,dc=example,dc=com" -w admin -b "ou=users,dc=example,dc=com"
+
+# Search for all groups
+ldapsearch -x -D "cn=admin,dc=example,dc=com" -w admin -b "ou=groups,dc=example,dc=com"
+
+# Search for alice's groups
+ldapsearch -x -D "cn=admin,dc=example,dc=com" -w admin -b "dc=example,dc=com" "(member=uid=alice,ou=users,dc=example,dc=com)"
+```
+
+## Customization
+
+You can customize the example by:
+
+1. Modifying the LDAP connection parameters in `main.go`
+2. Adding more users and groups to `example.ldif`
+3. Creating different policies in `rbac_policy.csv`
+4. Adjusting the model in `rbac_model.conf`
+
+## Active Directory Example
+
+For Active Directory, you would use different filters and configuration:
+
+```go
+opts := &ldaprolemanager.LDAPOptions{
+    URL:          "ldaps://ad.example.com:636",
+    BaseDN:       "dc=example,dc=com",
+    UserFilter:   "(sAMAccountName=%s)",
+    GroupFilter:  "(member=%s)",
+    RoleAttr:     "cn",
+    BindDN:       "cn=service-account,ou=users,dc=example,dc=com",
+    BindPassword: "password",
+    UseTLS:       true,
+}
+```

examples/example.ldif

@@ -0,0 +1,48 @@
+# Example LDIF file for setting up LDAP structure
+# This file can be used to populate an LDAP server for testing
+
+# Create organizational units
+dn: ou=users,dc=example,dc=com
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+# Create users
+dn: uid=alice,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Alice Smith
+sn: Smith
+uid: alice
+uidNumber: 1001
+gidNumber: 1001
+homeDirectory: /home/alice
+userPassword: password
+
+dn: uid=bob,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Bob Jones
+sn: Jones
+uid: bob
+uidNumber: 1002
+gidNumber: 1002
+homeDirectory: /home/bob
+userPassword: password
+
+# Create groups
+dn: cn=admin,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: admin
+member: uid=alice,ou=users,dc=example,dc=com
+
+dn: cn=user,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: user
+member: uid=alice,ou=users,dc=example,dc=com
+member: uid=bob,ou=users,dc=example,dc=com

examples/main.go

@@ -0,0 +1,104 @@
+// Copyright 2026 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/casbin/casbin/v2"
+	ldaprolemanager "github.com/casbin/ldap-role-manager"
+)
+
+func main() {
+	// Initialize LDAP role manager
+	opts := &ldaprolemanager.LDAPOptions{
+		URL:               "ldap://localhost:389",
+		BaseDN:            "dc=example,dc=com",
+		UserFilter:        "(uid=%s)",
+		GroupFilter:       "(member=%s)",
+		RoleAttr:          "cn",
+		BindDN:            "cn=admin,dc=example,dc=com",
+		BindPassword:      "password",
+		MaxHierarchyLevel: 10,
+	}
+
+	rm, err := ldaprolemanager.NewRoleManager(opts)
+	if err != nil {
+		log.Fatalf("Failed to create role manager: %v", err)
+	}
+	defer rm.Close()
+
+	// Create a new enforcer
+	e, err := casbin.NewEnforcer("rbac_model.conf", "rbac_policy.csv")
+	if err != nil {
+		log.Fatalf("Failed to create enforcer: %v", err)
+	}
+
+	// Set the role manager
+	e.SetRoleManager(rm)
+
+	// Load policy
+	err = e.LoadPolicy()
+	if err != nil {
+		log.Fatalf("Failed to load policy: %v", err)
+	}
+
+	// Check permissions
+	// In this example, we assume alice is in the admin group in LDAP
+	// and bob is in the user group in LDAP
+	
+	// Alice (admin) can read and write data1
+	if res, _ := e.Enforce("alice", "data1", "read"); res {
+		fmt.Println("✓ alice can read data1")
+	} else {
+		fmt.Println("✗ alice cannot read data1")
+	}
+
+	if res, _ := e.Enforce("alice", "data1", "write"); res {
+		fmt.Println("✓ alice can write data1")
+	} else {
+		fmt.Println("✗ alice cannot write data1")
+	}
+
+	// Bob (user) can read but not write data1
+	if res, _ := e.Enforce("bob", "data1", "read"); res {
+		fmt.Println("✓ bob can read data1")
+	} else {
+		fmt.Println("✗ bob cannot read data1")
+	}
+
+	if res, _ := e.Enforce("bob", "data1", "write"); res {
+		fmt.Println("✓ bob can write data1")
+	} else {
+		fmt.Println("✗ bob cannot write data1")
+	}
+
+	// Get roles for alice
+	roles, err := rm.GetRoles("alice")
+	if err != nil {
+		log.Printf("Failed to get roles for alice: %v", err)
+	} else {
+		fmt.Printf("\nRoles for alice: %v\n", roles)
+	}
+
+	// Get roles for bob
+	roles, err = rm.GetRoles("bob")
+	if err != nil {
+		log.Printf("Failed to get roles for bob: %v", err)
+	} else {
+		fmt.Printf("Roles for bob: %v\n", roles)
+	}
+}

examples/rbac_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

examples/rbac_policy.csv

@@ -0,0 +1,6 @@
+p, admin, data1, read
+p, admin, data1, write
+p, admin, data2, read
+p, admin, data2, write
+p, user, data1, read
+p, user, data2, read