authelia/docs/configuration/authentication/ldap.md
Clément Michaud cc6650dbcd
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)
* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore needs the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
2020-03-15 18:10:25 +11:00


---
layout: default
title: LDAP
parent: Authentication backends
grand_parent: Configuration
nav_order: 2
---

# LDAP

Authelia supports using an LDAP server as the user database.

## Configuration

The LDAP backend is configured as follows:

```yaml
authentication_backend:
    ldap:
        # The URL of the LDAP server. The scheme can be ldap:// or ldaps://.
        url: ldap://127.0.0.1

        # Skip verifying the server certificate (to allow a self-signed certificate).
        # Keep this false in production: with verification disabled the bind
        # password and every user's password can be intercepted on the wire.
        skip_verify: false

        # The base DN under which all user and group entries live.
        base_dn: dc=example,dc=com

        # The attribute holding the username of the user (introduced to handle
        # case insensitive search queries: #561). The value of this attribute on
        # the matched entry, not the username typed at the login portal, is what
        # Authelia stores in the session.
        # Microsoft Active Directory usually uses 'sAMAccountName'.
        # OpenLDAP usually uses 'uid'.
        username_attribute: uid

        # An additional DN, relative to base_dn, that narrows the scope of user searches.
        additional_users_dn: ou=users

        # This attribute is optional. The user filter used in the LDAP search queries
        # is a combination of this filter and the username attribute.
        # This filter is used to reduce the scope of users targeted by the LDAP search query.
        # For instance, if the username attribute is set to 'uid', the computed filter is
        # (&(uid=<username>)(objectClass=person))
        # Recommended settings are as follows:
        # Microsoft Active Directory: '(&(objectCategory=person)(objectClass=user))'
        # OpenLDAP: '(objectClass=person)' or '(objectClass=inetOrgPerson)'
        users_filter: (objectClass=person)

        # An additional DN, relative to base_dn, that narrows the scope of group searches.
        additional_groups_dn: ou=groups

        # The filter used to retrieve the groups of a given user.
        # {0} is replaced by the username as provided at the login portal.
        # {1} is replaced by the username as stored in LDAP (the username_attribute value).
        # {dn} is replaced by the user's DN.
        # Defaults to 'member={dn}'.
        groups_filter: (&(member={dn})(objectclass=groupOfNames))

        # The attribute holding the name of the group.
        group_name_attribute: cn

        # The attribute holding the mail address of the user.
        mail_attribute: mail

        # The DN and password of the account Authelia binds as to search users and groups.
        # Grant this account only the directory permissions it needs rather than
        # full administrative rights.
        user: cn=admin,dc=example,dc=com

        # This secret can also be set using the environment variable
        # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD.
        password: password
```
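The two filters above are built by interpolating values into LDAP filter strings: the username typed at the login portal goes into the computed user filter, and `{0}`, `{1}` and `{dn}` are substituted into `groups_filter`. The check a practitioner wants at that point is that the interpolated value cannot change the structure of the filter (a username of `*` or `john)(uid=*` must stay a literal). The following Go program is an added example written for this page, not Authelia's own code; the function names `EscapeFilterValue`, `BuildUserFilter` and `ExpandGroupsFilter` and the sample directory values are assumptions. It escapes assertion values per RFC 4515, computes `(&(uid=<username>)(objectClass=person))` for the documented OpenLDAP settings, and expands the group filter with the username as stored (the `username_attribute` value) rather than the one that was typed.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes an assertion value for use inside an LDAP search
// filter as RFC 4515 section 3 requires: '*', '(', ')', '\' and NUL become a
// backslash followed by two hex digits. Without this, a username such as "*"
// or "john)(uid=*" rewrites the computed filter instead of matching one entry.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildUserFilter computes the user search filter the configuration describes:
// an equality test on username_attribute combined with users_filter, giving
// (&(uid=<username>)(objectClass=person)) for the sample settings. When
// users_filter is empty only the equality test is returned.
func BuildUserFilter(usernameAttribute, usersFilter, username string) string {
	eq := fmt.Sprintf("(%s=%s)", usernameAttribute, EscapeFilterValue(username))
	if usersFilter == "" {
		return eq
	}
	return "(&" + eq + usersFilter + ")"
}

// ExpandGroupsFilter substitutes the groups_filter placeholders: {0} is the
// username typed at the login portal, {1} the username as stored in LDAP (the
// username_attribute value of the matched entry) and {dn} that entry's DN.
// Every substituted value is escaped before it enters the filter.
func ExpandGroupsFilter(groupsFilter, inputUsername, storedUsername, dn string) string {
	return strings.NewReplacer(
		"{0}", EscapeFilterValue(inputUsername),
		"{1}", EscapeFilterValue(storedUsername),
		"{dn}", EscapeFilterValue(dn),
	).Replace(groupsFilter)
}

func main() {
	// Constructed sample: the documented OpenLDAP settings and a user who types
	// "John" at the portal while the directory stores uid=john (assumed values).
	fmt.Println(BuildUserFilter("uid", "(objectClass=person)", "John"))
	// A wildcard or an injected parenthesis stays a literal assertion value.
	fmt.Println(BuildUserFilter("uid", "(objectClass=person)", "*"))
	fmt.Println(BuildUserFilter("uid", "(objectClass=person)", "john)(uid=*"))
	// Groups are looked up with the stored username and DN, not the typed form.
	fmt.Println(ExpandGroupsFilter("(&(member={dn})(objectclass=groupOfNames))",
		"John", "john", "uid=john,ou=users,dc=example,dc=com"))
}
```

Because the equality test is placed first and `users_filter` is appended unchanged, a `users_filter` that is itself a compound filter, such as the Active Directory recommendation, nests correctly: `(&(sAMAccountName=jdoe)(&(objectCategory=person)(objectClass=user)))`.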

Each user must have an email address (read from `mail_attribute`) so that Authelia can perform identity verification when a password reset is requested or when a second-factor device is registered.