authelia/docs/content/en/integration/ldap/introduction.md


---
title: "LDAP"
description: "An introduction into integrating Authelia with LDAP."
lead: "An introduction into integrating Authelia with LDAP."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
  integration:
    parent: "ldap"
weight: 710
toc: true
---

## UNDER CONSTRUCTION

This section is still a work in progress.

## Configuration

### OpenLDAP

**Tested:**

* Version: [v2.5.13](https://www.openldap.org/software/release/announce_lts.html)
* Container: `bitnami/openldap:2.5.13-debian-11-r7`

Create within OpenLDAP, either via CLI or with a GUI management application like
[phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) or [LDAP Admin](http://www.ldapadmin.org/),
a basic user with a complex password to serve as the Authelia service account.
*Make note of its DN*, as it is the bind identity used in the `user` setting below. You can also create a group to use
within Authelia if you would like granular control of who can login, and reference it within the filters below.

### Authelia

In your Authelia configuration you will need to enter and update the following variables:

* address `ldap://OpenLDAP:1389` - the server's DNS name and port. With a plain `ldap://` scheme and `start_tls: false`
  the bind password and every user's credentials cross the network unencrypted, so keep this on an isolated container
  network or switch to `ldaps://` or StartTLS.

  *tip: if you have Authelia on a container network that is routable, you can just use the container name*
* server_name `ldap01.example.com` - the server's name as it appears in its TLS certificate.
* base_dn `DC=example,DC=com` - distinguished name of the directory root, written as domain components.
* groups_filter - replace the `DC=example,DC=com` portion with your own base DN, the same value as base_dn.
* user `authelia` - the Authelia service account; the setting takes its full DN, as in the example below.
* password `SUPER_COMPLEX_PASSWORD` - password for the Authelia service account.
```yaml
ldap:
  address: 'ldap://OpenLDAP:1389'
  implementation: custom
  timeout: 5s
  start_tls: false
  tls:
    server_name: ldap01.example.com
    skip_verify: true
    minimum_version: TLS1.2
  base_dn: DC=example,DC=com
  additional_users_dn: OU=users
  users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
  additional_groups_dn: OU=groups
  groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
  user: UID=authelia,OU=service accounts,DC=example,DC=com
  password: "SUPER_COMPLEX_PASSWORD"
  attributes:
    distinguished_name: 'distinguishedName'
    username: 'uid'
    mail: 'mail'
    member_of: 'memberOf'
    group_name: 'cn'
```

Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
Authelia taking each user's email address straight from the `mail` attribute of the LDAP object. Note that the example
sets `skip_verify: true`, which disables verification of the server certificate; that is acceptable while testing, but
once you move to `ldaps://` or StartTLS set it to `false` so that a man-in-the-middle cannot capture the bind
credentials.

### FreeIPA

**Tested:**

* Version: [v4.9.9](https://www.freeipa.org/page/Releases/4.9.9)
* Container: `freeipa/freeipa-server:fedora-36-4.9.9`

Create within FreeIPA, either via CLI or within its GUI management application at `https://server_ip`, a basic user
with a complex password to serve as the Authelia service account.
*Make note of its DN*, as it is the bind identity used in the `user` setting below. You can also create a group to use
within Authelia if you would like granular control of who can login, and reference it within the filters below.

### Authelia

In your Authelia configuration you will need to enter and update the following variables:

* address `ldaps://ldap.example.com` - the server's DNS name. The port defaults to 636 for `ldaps://` and 389 for
  `ldap://`; specify a custom port with `:port` if needed.
* server_name `ldap.example.com` - the server's name as it appears in its TLS certificate.
* base_dn `DC=example,DC=com` - distinguished name of the directory root, written as domain components.
* groups_filter - replace the `DC=example,DC=com` portion with your own base DN, the same value as base_dn.
* user `authelia` - the Authelia service account; the setting takes its full DN, as in the example below.
* password `SUPER_COMPLEX_PASSWORD` - password for the Authelia service account.
```yaml
ldap:
  address: 'ldaps://ldap.example.com'
  implementation: custom
  timeout: 5s
  start_tls: false
  tls:
    server_name: ldap.example.com
    skip_verify: true
    minimum_version: TLS1.2
  base_dn: DC=example,DC=com
  additional_users_dn: CN=users,CN=accounts
  users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
  # FreeIPA keeps groups under cn=groups,cn=accounts, alongside cn=users,cn=accounts.
  additional_groups_dn: CN=groups,CN=accounts
  groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
  user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
  password: "SUPER_COMPLEX_PASSWORD"
  attributes:
    distinguished_name: 'distinguishedName'
    username: 'uid'
    mail: 'mail'
    member_of: 'memberOf'
    group_name: 'cn'
```

Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
Authelia taking each user's email address straight from the `mail` attribute of the LDAP object. As with the OpenLDAP
example, `skip_verify: true` disables certificate verification and should be set to `false` once the connection is in
production use.

### lldap

**Tested:**

* Version: [v0.4.0](https://github.com/nitnelave/lldap/releases/tag/v0.4.0)

Create within lldap a basic user with a complex password to serve as the Authelia service account, and add it to the
group `lldap_password_manager`, which grants it permission to change other users' passwords (needed for Authelia's
password reset flow).

You can also create a group to use within Authelia if you would like granular control of who can login, and reference it
within the filters below.

### Authelia

In your Authelia configuration you will need to enter and update the following variables:

* address `ldap://lldap:3890` - the server's DNS name and port.

  *tip: if you have Authelia on a container network that is routable, you can just use the container name*
* base_dn `DC=example,DC=com` - distinguished name of the directory root, written as domain components.
* user `authelia` - the Authelia service account; the setting takes its full DN, as in the example below.
* password `SUPER_COMPLEX_PASSWORD` - password for the Authelia service account.
```yaml
ldap:
  address: 'ldap://lldap:3890'
  implementation: custom
  timeout: 5s
  start_tls: false
  base_dn: DC=example,DC=com
  additional_users_dn: OU=people
  # To allow sign in both with username and email, one can use a filter like
  # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
  users_filter: (&({username_attribute}={input})(objectClass=person))
  additional_groups_dn: OU=groups
  groups_filter: (member={dn})
  # The username and password of the admin or service user.
  user: UID=authelia,OU=people,DC=example,DC=com
  password: "SUPER_COMPLEX_PASSWORD"
  attributes:
    distinguished_name: 'distinguishedName'
    username: 'uid'
    mail: 'mail'
    member_of: 'memberOf'
    group_name: 'cn'
```

Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
Authelia taking each user's email address straight from the `mail` attribute of the LDAP object.
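
The script below is an added example, not code from the Authelia project or from this page. It dry-runs the two searches
Authelia performs with the OpenLDAP and lldap configurations above (the FreeIPA one differs only in its DNs): it expands
the `users_filter` and `groups_filter` templates the way Authelia substitutes `{username_attribute}`, `{mail_attribute}`,
`{member_of_attribute}`, `{input}` and `{dn}`, applies RFC 4515 escaping to the login-derived values so an input such as
`*)(uid=*` cannot widen the search, and prints `ldapsearch` commands that replay the bind and both searches so the filters
and DNs can be checked by hand before restarting Authelia. The config dicts are transcribed from the YAML examples, the
login names are constructed, and the user DN used for `{dn}` is assumed to have the username attribute as its RDN (true
for every example on this page); nothing is sent over the network.

```python
"""Dry run of the LDAP searches Authelia performs with the configurations on this page.

Added example; not Authelia's code. Placeholder expansion and RFC 4515 escaping mirror
what Authelia does, but the DN fed to {dn} is an offline assumption (see dry_run).
"""
import re
import shlex

# Characters RFC 4515 requires to be escaped inside an assertion value (the same set
# Go's ldap.EscapeFilter handles, which Authelia applies to {input}).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

_PLACEHOLDER = re.compile(r"\{(username_attribute|mail_attribute|member_of_attribute|input|dn)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *, login: str, attributes: dict, dn: str = "") -> str:
    """Expand Authelia's placeholders in a single pass so substituted text is never
    re-scanned. Attribute names come from trusted config; {input} and {dn} are escaped."""
    values = {
        "username_attribute": attributes["username"],
        "mail_attribute": attributes["mail"],
        "member_of_attribute": attributes.get("member_of", "memberOf"),
        "input": escape_filter_value(login),
        "dn": escape_filter_value(dn),
    }
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def search_base(additional_dn: str, base_dn: str) -> str:
    """additional_*_dn is prepended to base_dn, which is how Authelia joins them."""
    return f"{additional_dn},{base_dn}" if additional_dn else base_dn


def dry_run(cfg: dict, login: str) -> dict:
    """Render the user and group searches for one login plus ldapsearch commands to replay them."""
    attrs = cfg["attributes"]
    users_base = search_base(cfg["additional_users_dn"], cfg["base_dn"])
    groups_base = search_base(cfg["additional_groups_dn"], cfg["base_dn"])
    users_filter = render_filter(cfg["users_filter"], login=login, attributes=attrs)
    # Authelia feeds {dn} with the DN the server returned for the matched user. Offline we
    # assume the entry's RDN is the username attribute (true for every example on this page).
    assumed_dn = f"{attrs['username']}={login},{users_base}"
    groups_filter = render_filter(cfg["groups_filter"], login=login, attributes=attrs, dn=assumed_dn)
    # -W prompts for the bind password rather than leaving it in argv and shell history.
    common = ["ldapsearch", "-x", "-H", cfg["address"], "-D", cfg["user"], "-W", "-s", "sub"]
    return {
        "users_base": users_base,
        "users_filter": users_filter,
        "groups_base": groups_base,
        "groups_filter": groups_filter,
        "users_search": shlex.join(common + ["-b", users_base, users_filter, "dn", attrs["username"], attrs["mail"]]),
        "groups_search": shlex.join(common + ["-b", groups_base, groups_filter, "dn", attrs["group_name"]]),
    }


ATTRIBUTES = {"username": "uid", "mail": "mail", "member_of": "memberOf", "group_name": "cn"}

OPENLDAP = {  # transcribed from the OpenLDAP example above
    "address": "ldap://OpenLDAP:1389",
    "base_dn": "DC=example,DC=com",
    "additional_users_dn": "OU=users",
    "users_filter": "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))",
    "additional_groups_dn": "OU=groups",
    "groups_filter": "(&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))",
    "user": "UID=authelia,OU=service accounts,DC=example,DC=com",
    "attributes": ATTRIBUTES,
}

LLDAP = {  # transcribed from the lldap example above
    "address": "ldap://lldap:3890",
    "base_dn": "DC=example,DC=com",
    "additional_users_dn": "OU=people",
    "users_filter": "(&({username_attribute}={input})(objectClass=person))",
    "additional_groups_dn": "OU=groups",
    "groups_filter": "(member={dn})",
    "user": "UID=authelia,OU=people,DC=example,DC=com",
    "attributes": ATTRIBUTES,
}

if __name__ == "__main__":
    for name, cfg in (("OpenLDAP", OPENLDAP), ("lldap", LLDAP)):
        for login in ("alice", "*)(uid=*"):  # a normal login and a filter-injection attempt (constructed)
            r = dry_run(cfg, login)
            print(f"[{name}] login={login!r}")
            print("  users  :", r["users_search"])
            print("  groups :", r["groups_search"])
```

Run it and paste the printed `ldapsearch` lines into a shell with access to the directory: the first must return exactly
one entry for a real user and none for the injected login, and the second must list the groups you expect. If the group
search comes back empty, the `member` values in the directory do not match the DN form the filter assumes.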

## See Also

* [Authelia](https://www.authelia.com)
* [Bitnami OpenLDAP](https://hub.docker.com/r/bitnami/openldap/)
* [FreeIPA](https://www.freeipa.org/page/Main_Page)
* [lldap](https://github.com/nitnelave/lldap)