Configuration Examples

This document provides comprehensive examples of all available REST configuration types for Moveworks Bond agents, with clear marking of required vs optional fields.

Table of Contents

Core Configuration

  1. Basic Agent Configuration Structure
  2. Moveworks Config
  3. Secrets Management

LDAP Configuration

  1. LDAP Config Structure
  2. Single Domain LDAP
  3. LDAP Forest (Multiple Domains)
  4. LDAP Field Reference

REST Configuration

  1. REST Config Structure
  2. Header Decorators
  3. Body Decorators
  4. URL Decorators
  5. REST Field Reference

Complete Examples

  1. Complete Agent Configuration Examples

Reference

  1. Common Patterns
  2. Troubleshooting

Basic Agent Configuration Structure

Every Bond agent configuration has three main sections:

bond_version: 2.10.3 # [REQUIRED] Bond agent version

moveworks_config: # [REQUIRED] Connection to Moveworks platform
  access_key: your-org-name
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-secret-here

ldap_config: # [OPTIONAL] Single domain LDAP
  host: ldap.company.com
  port: 636
  # ... (see LDAP section below)

ldap_forest_config: # [OPTIONAL] Multiple domains
  domain1.company.com:
    host: dc1.company.com
    # ... (see LDAP Forest section below)

rest_configs: # [OPTIONAL] REST API clients
  SERVICE_NAME:
    service: SERVICE_NAME
    # ... (see REST section below)

secrets_provider_config: # [OPTIONAL] Azure Key Vault or AWS Secrets Manager
  azure:
    default_vault: my-vault-name

Moveworks Config

The Moveworks config connects the Bond agent to the Moveworks platform.

Minimal Example

moveworks_config:
  access_key: your-org-name
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

Complete Example with All Options

moveworks_config:
  access_key: your-org-name # [REQUIRED] Organization identifier
  auth_url: https://agents.moveworks.com/api/v1/auth # [REQUIRED] Auth endpoint
  config_url: https://agents.moveworks.com/api/v1/config # [REQUIRED] Config endpoint

  moveworks_access_secret: # [REQUIRED] Access secret
    value: your-access-secret # Use 'value' initially

  path_to_cert: /path/to/cert.pem # [OPTIONAL] TLS certificate path
  tls_skip_verify: false # [OPTIONAL] Skip TLS verification

  proxy_url: http://proxy.company.com:8080 # [OPTIONAL] Proxy URL
  proxy_url_enc: http://user:pass@proxy.company.com:8080 # [OPTIONAL] Proxy with auth

  dynamic_config: # [OPTIONAL] Runtime configuration
    api_url: https://api.moveworks.com
    log_url: https://logs.moveworks.com
    metrics_url: https://metrics.moveworks.com
    auth_refresh_period_secs: 3600
    pipeline_buf_size: 1000
    metrics_push_interval_secs: 60
    max_grpc_msg_size: 4194304

Secrets Management

Bond supports three methods for managing sensitive values:

Method 1: Plain Text Value (Initial Configuration)

Use this when initially configuring. Bond automatically encrypts it.

client_secret:
  value: my-secret-password-123

After Bond processes it, you’ll see:

client_secret:
  encrypted_value: lxNi3OdSLuoixKbzxylpQ0dnIRNPuQ==

Method 2: Pre-Encrypted Value

If you already have an encrypted value:

client_secret:
  encrypted_value: lxNi3OdSLuoixKbzxylpQ0dnIRNPuQ==

Method 3: Azure Key Vault

client_secret:
  azure_entry:
    secret_name: my-oauth-client-secret # [REQUIRED] Secret name in vault
    vault: my-key-vault # [OPTIONAL] Vault name (uses default_vault if omitted)
    refresh_time_sec: 60 # [OPTIONAL] Refresh interval

Requires secrets_provider_config:

secrets_provider_config:
  azure:
    default_vault: my-default-vault

Method 4: AWS Secrets Manager

client_secret:
  aws_entry:
    secret_name: my-oauth-client-secret # [REQUIRED] Secret name
    region: us-west-2 # [OPTIONAL] AWS region (uses default if omitted)
    refresh_time_sec: 60 # [OPTIONAL] Refresh interval

Requires secrets_provider_config:

secrets_provider_config:
  aws:
    default_region: us-west-2

Fields that should be encrypted:

  • moveworks_access_secret - Agent access secret
  • ldap_service_password - LDAP service password
  • client_secret - OAuth2 client secret
  • client_refresh_token - OAuth2 refresh token
  • password - Basic auth password
  • url (in rest_call_config) - Token endpoint URLs (recommended)
  • Any sensitive header or query parameter values
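An audit of a parsed configuration against the list above, as an added example (not Moveworks code). It assumes the YAML has already been loaded into a Python dict; the function names, the finding labels and the two regex heuristics are hypothetical, and the sample config is constructed from the shapes shown on this page.

```python
import re

# Secret-bearing fields, from the "Fields that should be encrypted" list.
SECRET_FIELDS = {
    "moveworks_access_secret", "ldap_service_password",
    "client_secret", "client_refresh_token", "password",
}
# Storage methods that keep the secret out of the file in clear text.
PROTECTED = ("encrypted_value", "azure_entry", "aws_entry")

# Heuristics chosen for this example (assumptions, not Bond behaviour).
CRED_IN_BODY = re.compile(r"(?i)\b(password|client_secret|secret|token)=")
SECRET_HEADER = re.compile(r"(?i)(api[-_]?key|token|secret|authorization)")


def storage_method(wrapper):
    """Classify how one secret is stored: value, encrypted_value, azure_entry, ..."""
    if not isinstance(wrapper, dict):
        return "inline"  # bare scalar where a secret wrapper is expected
    for key in PROTECTED:
        if key in wrapper:
            return key
    return "value" if "value" in wrapper else "unknown"


def audit(node, path=""):
    """Walk the config and return (path, finding) tuples in document order."""
    findings = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            findings += audit(item, f"{path}[{i}]")
        return findings
    if not isinstance(node, dict):
        return findings
    for key, child in node.items():
        here = f"{path}.{key}" if path else key
        token_url = key == "url" and isinstance(child, dict)
        if key in SECRET_FIELDS or token_url:
            if storage_method(child) in ("value", "inline"):
                label = "plaintext-url" if token_url else "plaintext-secret"
                findings.append((here, label))
            continue
        if key == "request_body" and isinstance(child, str) \
                and CRED_IN_BODY.search(child):
            # request_body is a plain string, so credentials in it stay readable.
            findings.append((here, "credential-in-request-body"))
        elif key == "plain" and isinstance(child, dict) \
                and SECRET_HEADER.search(str(child.get("header_key", ""))):
            # Static header values have no secret wrapper in the examples here.
            findings.append((here, "static-secret-header"))
        findings += audit(child, here)
    return findings


# Constructed sample, shaped like the examples on this page.
SAMPLE_CONFIG = {
    "moveworks_config": {
        "access_key": "your-org-name",
        "moveworks_access_secret": {"encrypted_value": "<placeholder>"},
    },
    "ldap_config": {
        "host": "ldap.company.com",
        "ldap_service_password": {
            "azure_entry": {"secret_name": "ldap-service-password"}},
    },
    "rest_configs": {
        "JIRA": {"service": "JIRA", "header_decorators": [
            {"basic_auth": {"username": "jira-service-account",
                            "password": {"value": "your-password-here"}}}]},
        "BMC_REMEDY": {"service": "BMC_REMEDY", "header_decorators": [
            {"custom_auth": {
                "url": {"value": "https://remedy.company.com/api/jwt/login"},
                "request_body": "username=user&password=pass"}}]},
        "MY_API": {"service": "MY_API", "header_decorators": [
            {"plain": {"header_key": "X-API-Key",
                       "header_value": "my-static-api-key"}},
            {"plain": {"header_key": "X-API-Version", "header_value": "v2"}}]},
    },
}

if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{what:28} {where}")
```

A `plaintext-secret` finding on a file the agent has already processed means the `value` entry was added or edited after Bond last encrypted the file.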

LDAP Configuration

Bond supports two LDAP configuration modes:

  • ldap_config - Single domain LDAP
  • ldap_forest_config - Multiple domains/forests

LDAP Config Structure

ldap_config: # Single domain configuration
  host: ldap.company.com # [REQUIRED] LDAP host
  port: 636 # [REQUIRED] LDAP port
  service_user: DOMAIN\svc_moveworks # [REQUIRED] Service account
  ldap_service_password: # [REQUIRED] Service account password
    value: password-here

  # Optional fields
  domain: company.com # [OPTIONAL] Domain name
  use_ssl: true # [OPTIONAL] Use SSL/TLS
  use_start_tls: false # [OPTIONAL] Use StartTLS
  path_to_cert: /path/to/cert.pem # [OPTIONAL] Certificate path
  tls_skip_verify: false # [OPTIONAL] Skip TLS verification

  dynamic_config: # [OPTIONAL] Runtime configuration
    pool_size: 10
    timeout_ms: 30000

Single Domain LDAP

Minimal Example (LDAPS on Port 636)

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true

Complete Example with All Options

ldap_config:
  # Connection Settings
  host: ldap.company.com # [REQUIRED] LDAP server hostname
  port: 636 # [REQUIRED] LDAP port (636 for LDAPS, 389 for LDAP/StartTLS)
  domain: company.com # [OPTIONAL] Domain name

  # Authentication
  service_user: COMPANY\svc_moveworks # [REQUIRED] Service account username
  ldap_service_password: # [REQUIRED] Service account password
    value: your-ldap-password # Use 'value' initially

  # TLS/SSL Settings
  use_ssl: true # [OPTIONAL] Use LDAPS (default: false)
  use_start_tls: false # [OPTIONAL] Use StartTLS (default: false)
  path_to_cert: /home/moveworks/agent/certs/ldap-cert.pem # [OPTIONAL] CA certificate path
  tls_skip_verify: false # [OPTIONAL] Skip TLS verification (not recommended)

  # Performance Settings
  dynamic_config: # [OPTIONAL] Runtime configuration
    pool_size: 10 # Connection pool size
    timeout_ms: 30000 # Timeout in milliseconds (30 seconds)

LDAPS (Port 636)

Standard LDAP over SSL:

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

LDAP with StartTLS (Port 389)

LDAP with opportunistic TLS upgrade:

ldap_config:
  host: ldap.company.com
  port: 389
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-password
  use_start_tls: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

LDAP with Azure Key Vault

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    azure_entry:
      secret_name: ldap-service-password
      vault: my-vault
      refresh_time_sec: 60
  use_ssl: true

LDAP Forest (Multiple Domains)

Use ldap_forest_config when you have multiple LDAP domains or forests.

Structure

ldap_forest_config:
  domain1.company.com: # Domain identifier (map key)
    domain: domain1.company.com
    host: dc1.company.com
    port: 636
    service_user: service_account
    ldap_service_password:
      value: password1
    # ... (same options as ldap_config)

  domain2.company.com: # Second domain
    domain: domain2.company.com
    host: dc2.company.com
    port: 636
    service_user: service_account2
    ldap_service_password:
      value: password2

Minimal Example

ldap_forest_config:
  east.company.com:
    domain: east.company.com
    host: ldap-east.company.com
    port: 636
    service_user: EAST\svc_moveworks
    ldap_service_password:
      value: password-east
    use_ssl: true

  west.company.com:
    domain: west.company.com
    host: ldap-west.company.com
    port: 636
    service_user: WEST\svc_moveworks
    ldap_service_password:
      value: password-west
    use_ssl: true

Complete Example with All Options

ldap_forest_config:
  primary.company.com:
    # Connection Settings
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636

    # Authentication
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      value: password-primary

    # TLS/SSL Settings
    use_ssl: true
    use_start_tls: false
    path_to_cert: /home/moveworks/agent/certs/primary-cert.pem
    tls_skip_verify: false

    # Performance Settings
    dynamic_config:
      pool_size: 10
      timeout_ms: 30000

  subsidiary.partner.com:
    domain: subsidiary.partner.com
    host: dc-subsidiary.partner.com
    port: 389
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-subsidiary-password
        vault: my-vault
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/subsidiary-cert.pem

LDAP Field Reference

| Field | Required | Default | Description |
| --- | --- | --- | --- |
| host | ✅ Yes | - | LDAP server hostname or IP |
| port | ✅ Yes | - | LDAP port (636 for LDAPS, 389 for LDAP/StartTLS) |
| service_user | ✅ Yes | - | Service account username (format: DOMAIN\username) |
| ldap_service_password | ✅ Yes | - | Service account password (encrypted) |
| domain | ❌ No | - | Domain name |
| use_ssl | ❌ No | false | Use LDAPS (SSL/TLS from start) |
| use_start_tls | ❌ No | false | Use StartTLS (upgrade connection to TLS) |
| path_to_cert | ❌ No | - | Path to CA certificate for TLS verification |
| tls_skip_verify | ❌ No | false | Skip TLS certificate verification (not recommended) |
| dynamic_config.pool_size | ❌ No | - | Connection pool size |
| dynamic_config.timeout_ms | ❌ No | - | Connection timeout in milliseconds |

Important Notes:

  • Use either use_ssl (port 636) OR use_start_tls (port 389), not both
  • path_to_cert is required when using SSL/TLS unless tls_skip_verify is true
  • ldap_forest_config uses the same fields, but as a map with domain identifiers as keys
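The notes above, turned into a pre-deployment check, as an added example (not part of Bond). It assumes the configuration is already parsed into a Python dict; the function names and issue codes are hypothetical and the sample entries are constructed. The first forest entry has the shape of this page's minimal examples, which set `use_ssl: true` without `path_to_cert`.

```python
REQUIRED = ("host", "port", "service_user", "ldap_service_password")


def check_ldap_entry(scope, cfg):
    """Return (scope, severity, code) tuples for one LDAP connection block."""
    issues = []

    def add(severity, code):
        issues.append((scope, severity, code))

    for field in REQUIRED:
        if field not in cfg:
            add("error", f"missing-{field}")

    use_ssl = cfg.get("use_ssl") is True            # default: false
    use_start_tls = cfg.get("use_start_tls") is True  # default: false
    skip_verify = cfg.get("tls_skip_verify") is True  # default: false
    port = cfg.get("port")

    if use_ssl and use_start_tls:
        add("error", "both-tls-modes")       # use one or the other, not both
    if not use_ssl and not use_start_tls:
        add("warning", "no-tls")             # both defaults are false
    if (use_ssl or use_start_tls) and not skip_verify \
            and not cfg.get("path_to_cert"):
        add("error", "missing-ca-cert")      # required unless verification is off
    if skip_verify:
        add("warning", "verify-disabled")    # marked "not recommended" above
    if use_ssl != use_start_tls:             # exactly one mode selected
        expected = 636 if use_ssl else 389
        if port != expected:
            add("warning", "port-mismatch")
    return issues


def check_config(config):
    """Check ldap_config and every ldap_forest_config entry."""
    issues = []
    if "ldap_config" in config:
        issues += check_ldap_entry("ldap_config", config["ldap_config"])
    for domain, cfg in (config.get("ldap_forest_config") or {}).items():
        issues += check_ldap_entry(f"ldap_forest_config[{domain}]", cfg)
    return issues


def _entry(**extra):
    # Constructed base entry with all four required fields present.
    base = {"host": "dc.company.com", "port": 636,
            "service_user": "COMPANY\\svc_moveworks",
            "ldap_service_password": {"encrypted_value": "<placeholder>"}}
    base.update(extra)
    return base


# Constructed sample: one clean single-domain block and four forest entries.
SAMPLE = {
    "ldap_config": _entry(
        use_ssl=True, path_to_cert="/home/moveworks/agent/certs/cert.pem"),
    "ldap_forest_config": {
        "east.company.com": _entry(use_ssl=True),
        "west.company.com": _entry(
            port=389, use_ssl=True, use_start_tls=True,
            path_to_cert="/home/moveworks/agent/certs/cert.pem"),
        "lab.company.com": _entry(use_start_tls=True, tls_skip_verify=True),
        "legacy.company.com": _entry(port=389),
    },
}

if __name__ == "__main__":
    for scope, severity, code in check_config(SAMPLE):
        print(f"{severity:8} {code:18} {scope}")
```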

REST Configuration

Bond supports REST API clients with various authentication methods.


REST Config Structure

rest_configs:
  CLIENT_NAME: # Client identifier (map key)
    service: SERVICE_NAME # [REQUIRED] Service identifier

    # Decorators
    header_decorators: [] # [OPTIONAL] List of header decorators
    body_decorators: [] # [OPTIONAL] List of body decorators
    url_decorators: [] # [OPTIONAL] List of URL decorators

    # Configuration Options
    max_response_size: 10485760 # [OPTIONAL] Max response size in bytes (10MB)
    ca_cert_path: /path/to/cert.pem # [OPTIONAL] CA certificate for TLS
    tls_skip_verify: false # [OPTIONAL] Skip TLS verification
    do_not_use_rest_proxy: false # [OPTIONAL] Bypass proxy for this client
    use_ntlmv2: false # [OPTIONAL] Use NTLMv2 authentication

    # Dynamic Configuration
    dynamic_config: # [OPTIONAL] Runtime configuration
      buf_size: 1000
      timeout_ms: 30000

Key Points:

  • The client name is the map key (e.g., JIRA:, SNOW:)
  • There is NO base_url field - the Moveworks platform passes full URLs per-request
  • The service field is REQUIRED
  • Decorators are applied to all requests made through this client

Header Decorators

Header decorators add authentication headers and static headers to all requests.

1. Plain Headers (Static Headers)

Add static key-value pairs to request headers.

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-static-api-key

Multiple Static Headers

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-api-key
      - plain:
          header_key: X-API-Version
          header_value: v2
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond

Use Cases:

  • API keys that don’t change
  • API version headers
  • Client identification headers

2. File-Based Headers

Load headers from a JSON file at runtime.

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - file:
          file_path: /home/moveworks/agent/headers.json

JSON File Format:

{
  "X-API-Key": "dynamic-api-key",
  "X-Custom-Header": "custom-value",
  "Authorization": "Bearer token123"
}

Use Cases:

  • Credentials stored in secure files
  • Headers that need rotation without config changes
  • Environment-specific headers

3. Basic Authentication

HTTP Basic Authentication (username:password encoded in Base64).

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service-account
          password:
            value: your-password-here

Use Cases:

  • Jira Cloud with API tokens
  • APIs using HTTP Basic Authentication
  • Legacy systems

4. OAuth2 Client Credentials

OAuth2 Client Credentials Grant flow (machine-to-machine).

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token

Complete Example with All Options

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: my_client_id # [REQUIRED]
          client_secret: # [REQUIRED]
            value: my-client-secret
          scope: read write admin # [REQUIRED by most providers]
          rest_call_config:
            # Token Endpoint
            url: # [REQUIRED]
              value: https://oauth.example.com/token

            # Token Response Parsing
            token_body_key: access_token # [OPTIONAL] Default: "access_token"
            token_body_pattern: "token:(.*)" # [OPTIONAL] Regex to extract token

            # Request Configuration
            method: POST # [OPTIONAL] Default: POST
            request_body: "custom_body_template" # [OPTIONAL] Custom request body

            # Header Configuration
            header_key: Authorization # [OPTIONAL] Default: "Authorization"
            header_template: Bearer %s # [OPTIONAL] Default: "Bearer %s"

            # Token Refresh
            refresh_time_sec: 3600 # [OPTIONAL] Default: 3600 (1 hour)

            # Additional Headers
            auth_headers: # [OPTIONAL]
              Content-Type: application/x-www-form-urlencoded
              X-Custom-Header: value

Use Cases:

  • Microsoft Azure AD
  • Google Cloud Platform service accounts
  • AWS Cognito machine-to-machine
  • Salesforce OAuth2

Key Requirements:

  • client_id - Your OAuth2 client identifier
  • client_secret - Your OAuth2 client secret
  • rest_call_config.url - Token endpoint URL
  • scope - Required by most OAuth2 providers

5. OAuth2 Basic Auth

OAuth2 where client_id:client_secret is sent as a Basic Auth header instead of in the request body.

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_basic_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read
          rest_call_config:
            url:
              value: https://oauth.example.com/token

Complete Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_basic_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
            token_body_key: access_token
            method: POST
            header_key: Authorization
            header_template: Bearer %s
            refresh_time_sec: 3600

Difference from oauth2_client_credentials_auth:

  • oauth2_client_credentials_auth: Sends credentials in request body
  • oauth2_basic_auth: Sends credentials as Basic Auth header

Use Cases:

  • Atlassian APIs
  • APIs requiring OAuth2 with Basic Auth header

6. OAuth2 Refresh Token

OAuth2 flows with refresh tokens for long-lived access.

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_refresh_token_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          client_refresh_token:
            value: my-refresh-token
          scope: read offline_access
          rest_call_config:
            url:
              value: https://oauth.example.com/token

Complete Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_refresh_token_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          client_refresh_token:
            value: my-long-lived-refresh-token
          scope: read write offline_access
          rest_call_config:
            url:
              value: https://oauth.example.com/token
            token_body_key: access_token
            method: POST
            header_key: Authorization
            header_template: Bearer %s
            refresh_time_sec: 3600

Use Cases:

  • Long-lived user authentication
  • OAuth2 flows where users grant permission once
  • Refresh token rotation

7. Custom Auth

Custom authentication flows for non-standard token endpoints.

Minimal Example

rest_configs:
  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://api.example.com/auth

Complete Example (BMC Remedy Style)

rest_configs:
  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://remedy.company.com/api/jwt/login
          method: POST
          header_key: AR-JWT
          header_template: "AR-JWT %s"
          refresh_time_sec: 300
          token_body_key: token
          token_body_pattern: "\"token\":\"([^\"]+)\""
          request_body: "username=user&password=pass"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded

Complete Example (Cherwell Style)

rest_configs:
  CHERWELL:
    service: CHERWELL
    header_decorators:
      - custom_auth:
          url:
            value: https://cherwell.company.com/CherwellAPI/token
          method: POST
          header_key: Authorization
          header_template: Bearer %s
          refresh_time_sec: 1200
          token_body_key: access_token
          request_body: "grant_type=password&authMode=internal&client_id=KEY&username=USER&password=PASS"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded

Use Cases:

  • BMC Remedy authentication
  • Cherwell authentication
  • Custom enterprise authentication systems
  • Legacy authentication mechanisms

8. Multiple Decorators Combined

You can combine multiple header decorators in a single REST config.

OAuth2 + Static Headers

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      # OAuth2 authentication
      - oauth2_client_credentials_auth:
          client_id: my_client_id
          client_secret:
            value: my-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token

      # Static API version
      - plain:
          header_key: X-API-Version
          header_value: v2

      # Static client identifier
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond

Basic Auth + Static Headers

rest_configs:
  LEGACY_API:
    service: LEGACY_API
    header_decorators:
      - basic_auth:
          username: api_user
          password:
            value: password123

      - plain:
          header_key: Content-Type
          header_value: application/json

Body Decorators

Body decorators merge key-value pairs into the request body.

1. Plain Body (Static Values)

rest_configs:
  MY_API:
    service: MY_API
    body_decorators:
      - plain:
          body_key: source
          body_value: moveworks
      - plain:
          body_key: environment
          body_value: production

2. File-Based Body

Load body values from a JSON file at runtime.

rest_configs:
  MY_API:
    service: MY_API
    body_decorators:
      - file:
          file_path: /home/moveworks/agent/body-params.json

JSON File Format:

{
  "source": "moveworks",
  "environment": "production",
  "version": "2.0"
}

URL Decorators

URL decorators add query parameters to request URLs.

1. Plain Query Parameter

Add static query parameters to all requests.

rest_configs:
  MY_API:
    service: MY_API
    url_decorators:
      - plain_query_parameter:
          query_key: api_version
          query_value:
            value: v2

2. Oracle WebCenter Auth

Special authentication for Oracle WebCenter.

rest_configs:
  ORACLE_WEBCENTER:
    service: ORACLE_WEBCENTER
    url_decorators:
      - oracle_web_centre_auth:
          username: oracle_user
          password:
            value: oracle-password
          query_parameter:
            query_key: auth_token
            query_template: "%s"
          rest_call_config:
            url:
              value: https://oracle.company.com/auth

REST Field Reference

REST Config Top Level

| Field | Required | Default | Description |
| --- | --- | --- | --- |
| service | ✅ Yes | - | Service identifier (min length 1) |
| header_decorators | ❌ No | [] | List of header decorators |
| body_decorators | ❌ No | [] | List of body decorators |
| url_decorators | ❌ No | [] | List of URL decorators |
| max_response_size | ❌ No | 10MB | Maximum response size in bytes |
| ca_cert_path | ❌ No | - | CA certificate path for TLS |
| tls_skip_verify | ❌ No | false | Skip TLS verification |
| do_not_use_rest_proxy | ❌ No | false | Bypass proxy for local requests |
| use_ntlmv2 | ❌ No | false | Use NTLMv2 authentication |
| dynamic_config.buf_size | ❌ No | - | Buffer size |
| dynamic_config.timeout_ms | ❌ No | - | Timeout in milliseconds |

Important: There is NO base_url field. The Moveworks platform passes full URLs per-request.

OAuth2 RestAuthCallConfig

| Field | Required | Default | Description |
| --- | --- | --- | --- |
| url | ✅ Yes | - | Token endpoint URL (encrypted) |
| method | ❌ No | POST | HTTP method for token request |
| header_key | ❌ No | Authorization | Header name for token |
| header_template | ❌ No | Bearer %s | Template for header value |
| refresh_time_sec | ❌ No | 3600 | Token refresh interval (seconds) |
| token_body_key | ❌ No | access_token | JSON key to extract token |
| token_body_pattern | ❌ No | - | Regex pattern to extract token |
| request_body | ❌ No | - | Custom request body template |
| auth_headers | ❌ No | {Content-Type: application/x-www-form-urlencoded} | Headers for token request |

OAuth2 Client Credentials / Basic Auth / Refresh Token

| Field | Required | Default | Description |
| --- | --- | --- | --- |
| client_id | ✅ Yes | - | OAuth2 client identifier |
| client_secret | ✅ Yes | - | OAuth2 client secret (encrypted) |
| client_refresh_token | ✅ Yes (refresh only) | - | OAuth2 refresh token (encrypted) |
| scope | ❌ No | - | Space-separated OAuth2 scopes |
| rest_call_config | ✅ Yes | - | Token endpoint configuration |

Complete Agent Configuration Examples

Example 1: LDAPS Only

Basic LDAP over SSL configuration:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret-here

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

Example 2: LDAPS + Jira (Basic Auth)

LDAP with a single REST client using Basic Authentication:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service-account
          password:
            value: your-jira-password

Example 3: LDAP Forest with Multiple Domains

Configuration for LDAP environments with multiple domains:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_forest_config:
  primary.company.com:
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      value: your-password-primary
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/primary-cert.pem

  subsidiary.company.com:
    domain: subsidiary.company.com
    host: dc-subsidiary.company.com
    port: 636
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      value: your-password-subsidiary
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/subsidiary-cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-user
          password:
            value: your-jira-password

Example 4: Azure Key Vault + OAuth2

Using Azure Key Vault for secrets management with OAuth2:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    azure_entry:
      secret_name: moveworks-access-secret
      vault: my-vault

secrets_provider_config:
  azure:
    default_vault: my-vault

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    azure_entry:
      secret_name: ldap-service-password
      refresh_time_sec: 60
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  SERVICENOW:
    service: SERVICENOW
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client_id
          client_secret:
            azure_entry:
              secret_name: snow-oauth-secret
              refresh_time_sec: 60
          scope: read write
          rest_call_config:
            url:
              azure_entry:
                secret_name: snow-token-url
                refresh_time_sec: 60

Example 5: Multiple REST Clients with Mixed Auth

LDAP with multiple REST clients using different authentication methods:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service
          password:
            value: jira-password

  SERVICENOW:
    service: SERVICENOW
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client
          client_secret:
            value: snow-secret
          scope: read write
          rest_call_config:
            url:
              value: https://instance.service-now.com/oauth_token.do

  SALESFORCE:
    service: SALESFORCE
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: sfdc_client
          client_secret:
            value: sfdc-secret
          scope: api
          rest_call_config:
            url:
              value: https://login.salesforce.com/services/oauth2/token
      - plain:
          header_key: X-API-Version
          header_value: "v58.0"

Example 6: All Features Combined

Comprehensive example showing all configuration options:

bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    azure_entry:
      secret_name: moveworks-secret
  path_to_cert: /home/moveworks/agent/certs/moveworks-cert.pem
  proxy_url: http://proxy.company.com:8080

secrets_provider_config:
  azure:
    default_vault: my-vault

ldap_forest_config:
  primary.company.com:
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-primary-password
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/ldap-primary.pem

  subsidiary.partner.com:
    domain: subsidiary.partner.com
    host: dc-subsidiary.partner.com
    port: 389
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-subsidiary-password
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/ldap-subsidiary.pem

rest_configs:
  SERVICENOW:
    service: SERVICENOW
    max_response_size: 104857600
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client
          client_secret:
            azure_entry:
              secret_name: snow-client-secret
          scope: read write
          rest_call_config:
            url:
              azure_entry:
                secret_name: snow-token-url
            token_body_key: access_token
            refresh_time_sec: 3600
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond

    body_decorators:
      - plain:
          body_key: source
          body_value: moveworks

    url_decorators:
      - plain_query_parameter:
          query_key: sysparm_display_value
          query_value:
            value: "true"

  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service
          password:
            azure_entry:
              secret_name: jira-password

  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://remedy.company.com/api/jwt/login
          method: POST
          header_key: AR-JWT
          header_template: "AR-JWT %s"
          refresh_time_sec: 300
          request_body: "username=remedyuser&password=remedypass"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded

Common Patterns

Pattern 1: Simple API Key

rest_configs:
  SIMPLE_API:
    service: SIMPLE_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-api-key

Pattern 2: OAuth2 with API Version

rest_configs:
  MODERN_API:
    service: MODERN_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: client123
          client_secret:
            value: secret123
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
      - plain:
          header_key: X-API-Version
          header_value: v2

Pattern 3: Basic Auth with Content Type

rest_configs:
  LEGACY_API:
    service: LEGACY_API
    header_decorators:
      - basic_auth:
          username: api_user
          password:
            value: password123
      - plain:
          header_key: Content-Type
          header_value: application/json

Pattern 4: LDAP Forest with StartTLS

ldap_forest_config:
  domain1.company.com:
    domain: domain1.company.com
    host: dc1.company.com
    port: 389
    service_user: DOMAIN1\svc_moveworks
    ldap_service_password:
      value: password1
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/cert.pem

Troubleshooting

LDAP Issues

Connection Timeout

Symptoms: Agent can’t connect to LDAP server

Check:

  1. Verify host and port are correct
  2. Check firewall rules allow traffic from agent
  3. Verify certificate path if using SSL/TLS
  4. Test connection: ldapsearch -H ldaps://host:636 -x

Authentication Failed

Symptoms: “Invalid credentials” or “Bind failed”

Check:

  1. Verify service_user format (DOMAIN\username or username@domain.com)
  2. Confirm password is correct
  3. Check if service account is locked or expired
  4. Verify service account has LDAP read permissions

TLS/SSL Errors

Symptoms: “Certificate verification failed”

Check:

  1. Verify path_to_cert points to correct CA certificate
  2. Check certificate hasn’t expired
  3. Ensure certificate chain is complete
  4. Try tls_skip_verify: true temporarily (not recommended for production)

REST Issues

Token Not Being Applied

Check:

  1. Is token_body_key correct? (default is “access_token”)
  2. Does token endpoint return JSON with expected key?
  3. Is header_template correct? (default is “Bearer %s”)
  4. Is token endpoint URL accessible from agent?
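Checks 1 to 3 can be run offline against a captured token response, as in this added example (not Bond's implementation). It reports what `token_body_key` and `token_body_pattern` would each yield and makes no claim about which one the agent prefers when both are set; taking the first capture group as the token is an assumption, the agent's regex engine may differ from Python's, and the function names and sample responses are constructed.

```python
import json
import re

# Defaults as listed in the OAuth2 RestAuthCallConfig field reference.
DEFAULTS = {
    "token_body_key": "access_token",
    "header_key": "Authorization",
    "header_template": "Bearer %s",
}


def extract_by_key(body, token_body_key):
    """Token found under token_body_key in a JSON response, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # response is not JSON at all
    value = doc.get(token_body_key) if isinstance(doc, dict) else None
    return value if isinstance(value, str) and value else None


def extract_by_pattern(body, token_body_pattern):
    """First capture group of token_body_pattern (assumption), else None."""
    if not token_body_pattern:
        return None
    match = re.search(token_body_pattern, body)
    if match is None or match.re.groups < 1:
        return None
    return match.group(1) or None


def render_header(token, cfg):
    """(header name, header value) with %s in the template replaced."""
    return cfg["header_key"], cfg["header_template"].replace("%s", token, 1)


def diagnose(body, rest_call_config):
    """Map each extraction method to (token, header), or (None, None)."""
    cfg = {**DEFAULTS, **rest_call_config}
    tokens = {
        "by_key": extract_by_key(body, cfg["token_body_key"]),
        "by_pattern": extract_by_pattern(body, cfg.get("token_body_pattern")),
    }
    return {how: (tok, render_header(tok, cfg) if tok else None)
            for how, tok in tokens.items()}


# Constructed responses: compact JSON and the same document pretty-printed.
COMPACT = '{"token":"abc.def.ghi","expires_in":300}'
SPACED = '{"token": "abc.def.ghi", "expires_in": 300}'

# Settings copied from the BMC Remedy style example on this page.
BMC_STYLE = {
    "token_body_key": "token",
    "token_body_pattern": r'"token":"([^"]+)"',
    "header_key": "AR-JWT",
    "header_template": "AR-JWT %s",
}

if __name__ == "__main__":
    for label, body in (("compact", COMPACT), ("spaced", SPACED)):
        print(label, diagnose(body, BMC_STYLE))
    print("defaults", diagnose(COMPACT, {}))
```

With the default `token_body_key` the compact response yields no token, and the page's BMC-style pattern stops matching once the endpoint emits a space after the colon.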

Auth Failing

Check:

  1. Are credentials encrypted correctly?
  2. Is client_id correct?
  3. Are scope values correct and space-separated?
  4. Is token endpoint URL correct?
  5. Check agent logs for auth request/response details

Headers Not Appearing

Check:

  1. Is decorator in header_decorators list?
  2. Are required fields present?
  3. For file-based headers, does file exist with correct permissions?
  4. Are static headers properly formatted?

Missing Required service Field

Symptoms: Configuration validation errors

Fix: Add service field to all REST configs:

rest_configs:
  MY_CLIENT:
    service: MY_SERVICE # Add this
    header_decorators: []

Azure Key Vault Issues

Secret Not Found

Check:

  1. Verify secret_name is correct
  2. Check vault name (or default_vault in secrets_provider_config)
  3. Verify agent has access to Key Vault (managed identity or service principal)
  4. Check Azure RBAC permissions

Secret Not Refreshing

Check:

  1. Verify refresh_time_sec is set if needed
  2. Check agent logs for refresh errors
  3. Verify Key Vault network rules allow agent access

General Debugging

Enable Debug Logging

Add to moveworks_config.dynamic_config:

moveworks_config:
  dynamic_config:
    # Add this for debugging (in dynamic_config via API)

Or set via Bond dynamic config API.

Check Agent Logs

# View agent logs
tail -f /var/log/moveworks/bond-agent.log

# Search for errors
grep ERROR /var/log/moveworks/bond-agent.log

Test Connectivity

# Test LDAP
ldapsearch -H ldaps://ldap.company.com:636 -x -D "DOMAIN\user" -W

# Test REST endpoint
curl -v https://api.example.com/endpoint

# Test with Bond proxy
curl -v --proxy http://proxy:8080 https://api.example.com/endpoint