techies/authelia
1
0
Fork 0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
Code Issues Projects Releases Wiki Activity
95f6c1a893
authelia/docs/configuration/authentication/ldap.md
Clément Michaud cc6650dbcd
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) 
* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
2020-03-15 18:10:25 +11:00

73 lines
2.7 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: default
title: LDAP
parent: Authentication backends
grand_parent: Configuration
nav_order: 2
---
# LDAP
**Authelia** supports using a LDAP server as the users database.
## Configuration
Configuration of the LDAP backend is done as follows
```yaml
authentication_backend:
ldap:
# The url to the ldap server. Scheme can be ldap:// or ldaps://
url: ldap://127.0.0.1
# Skip verifying the server certificate (to allow self-signed certificate).
skip_verify: false
# The base dn for every entries
base_dn: dc=example,dc=com
# The attribute holding the username of the user (introduced to handle
# case insensitive search queries: #561).
# Microsoft Active Directory usually uses 'sAMAccountName'
# OpenLDAP usually uses 'uid'
username_attribute: uid
# An additional dn to define the scope to all users
additional_users_dn: ou=users
# This attribute is optional. The user filter used in the LDAP search queries
# is a combination of this filter and the username attribute.
# This filter is used to reduce the scope of users targeted by the LDAP search query.
# For instance, if the username attribute is set to 'uid', the computed filter is
# (&(uid=<username>)(objectClass=person))
# Recommended settings are as follows:
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
users_filter: (objectClass=person)
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username (as provided in login portal).
# {1} is a matcher replaced by username (as stored in LDAP).
# {dn} is a matcher replaced by user DN.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
password: password
```
The user must have an email address in order for Authelia to perform
identity verification when password reset request is initiated or
when a second factor device is registered.
Reference in New Issue View Git Blame Copy Permalink