2020-02-29 00:43:59 +00:00
|
|
|
|
---
|
|
|
|
|
|
layout: default
|
|
|
|
|
|
title: LDAP
|
|
|
|
|
|
parent: Authentication backends
|
|
|
|
|
|
grand_parent: Configuration
|
|
|
|
|
|
nav_order: 2
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
|
|
# LDAP
|
|
|
|
|
|
|
|
|
|
|
|
**Authelia** supports using a LDAP server as the users database.
|
|
|
|
|
|
|
|
|
|
|
|
## Configuration
|
|
|
|
|
|
|
|
|
|
|
|
Configuration of the LDAP backend is done as follows
|
|
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
|
authentication_backend:
|
|
|
|
|
|
ldap:
|
|
|
|
|
|
# The url to the ldap server. Scheme can be ldap:// or ldaps://
|
|
|
|
|
|
url: ldap://127.0.0.1
|
|
|
|
|
|
|
|
|
|
|
|
# Skip verifying the server certificate (to allow self-signed certificate).
|
|
|
|
|
|
skip_verify: false
|
|
|
|
|
|
|
|
|
|
|
|
# The base dn for every entries
|
|
|
|
|
|
base_dn: dc=example,dc=com
|
2020-03-15 07:10:25 +00:00
|
|
|
|
|
|
|
|
|
|
# The attribute holding the username of the user (introduced to handle
|
|
|
|
|
|
# case insensitive search queries: #561).
|
|
|
|
|
|
# Microsoft Active Directory usually uses 'sAMAccountName'
|
|
|
|
|
|
# OpenLDAP usually uses 'uid'
|
|
|
|
|
|
username_attribute: uid
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
|
|
|
# An additional dn to define the scope to all users
|
|
|
|
|
|
additional_users_dn: ou=users
|
|
|
|
|
|
|
2020-03-15 07:10:25 +00:00
|
|
|
|
# This attribute is optional. The user filter used in the LDAP search queries
|
|
|
|
|
|
# is a combination of this filter and the username attribute.
|
|
|
|
|
|
# This filter is used to reduce the scope of users targeted by the LDAP search query.
|
|
|
|
|
|
# For instance, if the username attribute is set to 'uid', the computed filter is
|
|
|
|
|
|
# (&(uid=<username>)(objectClass=person))
|
|
|
|
|
|
# Recommended settings are as follows:
|
|
|
|
|
|
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
|
|
|
|
|
|
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
|
|
|
|
|
|
users_filter: (objectClass=person)
|
2020-02-29 00:43:59 +00:00
|
|
|
|
|
|
|
|
|
|
# An additional dn to define the scope of groups
|
|
|
|
|
|
additional_groups_dn: ou=groups
|
|
|
|
|
|
|
|
|
|
|
|
# The groups filter used for retrieving groups of a given user.
|
2020-03-15 07:10:25 +00:00
|
|
|
|
# {0} is a matcher replaced by username (as provided in login portal).
|
|
|
|
|
|
# {1} is a matcher replaced by username (as stored in LDAP).
|
2020-02-29 00:43:59 +00:00
|
|
|
|
# {dn} is a matcher replaced by user DN.
|
|
|
|
|
|
# 'member={dn}' by default.
|
|
|
|
|
|
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
|
|
|
|
|
|
|
|
|
|
|
# The attribute holding the name of the group
|
|
|
|
|
|
group_name_attribute: cn
|
|
|
|
|
|
|
|
|
|
|
|
# The attribute holding the mail address of the user
|
|
|
|
|
|
mail_attribute: mail
|
|
|
|
|
|
|
|
|
|
|
|
# The username and password of the admin user.
|
|
|
|
|
|
user: cn=admin,dc=example,dc=com
|
|
|
|
|
|
|
|
|
|
|
|
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
|
|
|
|
|
password: password
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
The user must have an email address in order for Authelia to perform
|
|
|
|
|
|
identity verification when password reset request is initiated or
|
|
|
|
|
|
when a second factor device is registered.
|
