[DOCS] Improve documentation about users unique identifier. (#871)
Following discussion in #865.

pull/869/head^2
parent 4deebe2a64
commit c5e614c86b
|
@ -90,6 +90,12 @@ authentication_backend:
|
||||||
# insensitive search queries.
|
# insensitive search queries.
|
||||||
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
|
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
|
||||||
# usually uses 'uid'
|
# usually uses 'uid'
|
||||||
|
# Beware that this attribute holds the unique identifiers for the users binding the user and the configuration
|
||||||
|
# stored in database. Therefore only single value attributes are allowed and the value
|
||||||
|
# must never be changed once attributed to a user otherwise it would break the configuration
|
||||||
|
# for that user. Technically, non-unique attributes like 'mail' can also be used but we don't recommend using
|
||||||
|
# them, we instead advise to use the attributes mentioned above (sAMAccountName and uid) to follow
|
||||||
|
# https://www.ietf.org/rfc/rfc2307.txt.
|
||||||
username_attribute: uid
|
username_attribute: uid
|
||||||
|
|
||||||
# An additional dn to define the scope to all users
|
# An additional dn to define the scope to all users
|
||||||
|
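Review bot: the comment added above username_attribute contradicts itself. It says the attribute "holds the unique identifiers for the users" and then that "non-unique attributes like 'mail' can also be used". The same comment says this value binds the user to the configuration stored in database, so the text should state plainly that the attribute must be unique, single-valued and never changed, and that 'mail' is not recommended because it does not guarantee that. Also, "once attributed to a user" reads better as "once assigned to a user".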
@ -126,7 +132,8 @@ authentication_backend:
|
||||||
# The attribute holding the name of the group
|
# The attribute holding the name of the group
|
||||||
group_name_attribute: cn
|
group_name_attribute: cn
|
||||||
|
|
||||||
# The attribute holding the mail address of the user
|
# The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the first
|
||||||
|
# one returned by the LDAP server is used.
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
|
|
||||||
# The username and password of the admin user.
|
# The username and password of the admin user.
|
||||||
|
|
|
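Review bot: in the new mail_attribute comment, "only the first one returned by the LDAP server is used" does not tell the administrator which address that will be, since nothing here says the order is stable or under their control. Suggest adding what to do about it, for example recommending that mail_attribute point to an attribute that holds a single address per user.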
@ -32,6 +32,12 @@ authentication_backend:
|
||||||
# insensitive search queries.
|
# insensitive search queries.
|
||||||
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
|
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
|
||||||
# usually uses 'uid'
|
# usually uses 'uid'
|
||||||
|
# Beware that this attribute holds the unique identifiers for the users binding the user and the configuration
|
||||||
|
# stored in database. Therefore only single value attributes are allowed and the value
|
||||||
|
# must never be changed once attributed to a user otherwise it would break the configuration
|
||||||
|
# for that user. Technically, non-unique attributes like 'mail' can also be used but we don't recommend using
|
||||||
|
# them, we instead advise to use the attributes mentioned above (sAMAccountName and uid) to follow
|
||||||
|
# https://www.ietf.org/rfc/rfc2307.txt.
|
||||||
username_attribute: uid
|
username_attribute: uid
|
||||||
|
|
||||||
# An additional dn to define the scope to all users
|
# An additional dn to define the scope to all users
|
||||||
|
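Review bot: the first added sentence in this documentation copy, "this attribute holds the unique identifiers for the users binding the user and the configuration stored in database", is hard to parse, and "it would break the configuration for that user" does not say what the user loses. Consider two sentences: one stating that the value is the key under which the user's configuration is stored in the database, and one stating what happens to that stored configuration when the value changes. The block duplicates the comment in the configuration template, so any rewording should be applied to both files.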
@ -71,7 +77,8 @@ authentication_backend:
|
||||||
# The attribute holding the mail address of the user
|
# The attribute holding the mail address of the user
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
|
|
||||||
# The username and password of the admin user.
|
# The username and password of the admin user. If multiple email addresses are defined for a user, only the first
|
||||||
|
# one returned by the LDAP server is used.
|
||||||
user: cn=admin,dc=example,dc=com
|
user: cn=admin,dc=example,dc=com
|
||||||
|
|
||||||
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
||||||
|
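Review bot: the sentence about multiple email addresses was appended to the wrong comment in this file. On the new side it follows "# The username and password of the admin user." above "user: cn=admin,dc=example,dc=com", while the comment above "mail_attribute: mail" is left unchanged. Move "If multiple email addresses are defined for a user, only the first one returned by the LDAP server is used." up to the mail_attribute comment, as was done in the configuration template.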
@ -81,3 +88,14 @@ authentication_backend:
|
||||||
The user must have an email address in order for Authelia to perform
|
The user must have an email address in order for Authelia to perform
|
||||||
identity verification when password reset request is initiated or
|
identity verification when password reset request is initiated or
|
||||||
when a second factor device is registered.
|
when a second factor device is registered.
|
||||||
|
|
||||||
|
## Important notes
|
||||||
|
|
||||||
|
Users must be uniquely identified by an attribute, this attribute must obviously contain a single value and
|
||||||
|
be guaranteed by the administrator to be unique. If multiple users have the same value, Authelia will simply
|
||||||
|
fail authenticating the user and display an error message in the logs.
|
||||||
|
|
||||||
|
In order to avoid such problems, we highly recommended you follow https://www.ietf.org/rfc/rfc2307.txt by using
|
||||||
|
`sAMAccountName` for Microsoft Active Directory and `uid` for other implementations as the attribute holding the
|
||||||
|
unique identifier for your users.
|
||||||
|
|
||||||
|
|
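Review bot: in the new "Important notes" section, "we highly recommended you follow" should be "we highly recommend you follow", and the first sentence is a comma splice ("Users must be uniquely identified by an attribute, this attribute must obviously contain ..."). The section also never names the setting it is about; mentioning username_attribute would tie it to the configuration above. Finally, this text requires the value to be unique, whereas the comment on username_attribute says non-unique attributes like 'mail' can also be used, so the two should be made consistent.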