[DOCS] Improve documentation about users' unique identifier. (#871)

Following discussion in #865.
pull/869/head^2
Clément Michaud 2020-04-16 01:46:51 +02:00 committed by GitHub
parent 4deebe2a64
commit c5e614c86b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 3 deletions

@ -90,6 +90,12 @@ authentication_backend:
# insensitive search queries. # insensitive search queries.
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP # For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
# usually uses 'uid' # usually uses 'uid'
# Beware that this attribute holds the unique identifiers for the users binding the user and the configuration
# stored in database. Therefore only single value attributes are allowed and the value
# must never be changed once attributed to a user otherwise it would break the configuration
# for that user. Technically, non-unique attributes like 'mail' can also be used but we don't recommend using
# them, we instead advise to use the attributes mentioned above (sAMAccountName and uid) to follow
# https://www.ietf.org/rfc/rfc2307.txt.
username_attribute: uid username_attribute: uid
# An additional dn to define the scope to all users # An additional dn to define the scope to all users
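Review bot: The new comment contradicts itself on 'mail': two lines after stating that only single-value attributes are allowed, it says non-unique attributes like 'mail' "can also be used", yet 'mail' is commonly multi-valued as well as non-unique (the mail_attribute hunk in this same change documents users with several addresses). Suggest either dropping the 'mail' sentence or stating plainly that multi-valued or non-unique attributes are unsupported because the value keys the user's stored configuration. Also, RFC 2307 defines 'uid' for posixAccount and says nothing about 'sAMAccountName', which is Active Directory specific, so "to follow https://www.ietf.org/rfc/rfc2307.txt" only holds for the 'uid' case; and the pre-existing "For you information" in the context lines should read "For your information".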
@ -126,7 +132,8 @@ authentication_backend:
# The attribute holding the name of the group # The attribute holding the name of the group
group_name_attribute: cn group_name_attribute: cn
# The attribute holding the mail address of the user # The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the first
# one returned by the LDAP server is used.
mail_attribute: mail mail_attribute: mail
# The username and password of the admin user. # The username and password of the admin user.
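Review bot: "only the first one returned by the LDAP server is used" describes non-deterministic behaviour without saying so: LDAP defines no ordering for the values of a multi-valued attribute, so the address picked may differ between servers or even between queries. Suggest adding that the selected address is not guaranteed to be stable and that administrators relying on it for password-reset or second-factor registration verification should keep a single value in the attribute.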

@ -32,6 +32,12 @@ authentication_backend:
# insensitive search queries. # insensitive search queries.
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP # For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
# usually uses 'uid' # usually uses 'uid'
# Beware that this attribute holds the unique identifiers for the users binding the user and the configuration
# stored in database. Therefore only single value attributes are allowed and the value
# must never be changed once attributed to a user otherwise it would break the configuration
# for that user. Technically, non-unique attributes like 'mail' can also be used but we don't recommend using
# them, we instead advise to use the attributes mentioned above (sAMAccountName and uid) to follow
# https://www.ietf.org/rfc/rfc2307.txt.
username_attribute: uid username_attribute: uid
# An additional dn to define the scope to all users # An additional dn to define the scope to all users
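Review bot: This comment block is a verbatim copy of the one added to the other file in this change (from "Beware that this attribute holds the unique identifiers" through the RFC 2307 link), so the same wording and RFC 2307 issues apply here, and the two sample configurations will drift unless one refers to the other; consider keeping the long explanation in one place and leaving a short pointer in the second file.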
@ -71,7 +77,8 @@ authentication_backend:
# The attribute holding the mail address of the user # The attribute holding the mail address of the user
mail_attribute: mail mail_attribute: mail
# The username and password of the admin user. # The username and password of the admin user. If multiple email addresses are defined for a user, only the first
# one returned by the LDAP server is used.
user: cn=admin,dc=example,dc=com user: cn=admin,dc=example,dc=com
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD # This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
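Review bot: The added sentence about multiple email addresses has been appended to the wrong comment: it now follows "# The username and password of the admin user." directly above "user: cn=admin,dc=example,dc=com", whereas in the other file the same sentence correctly extends "# The attribute holding the mail address of the user" above "mail_attribute: mail". Move the two lines up onto the mail_attribute comment; as written, readers will take the note to describe the admin bind user.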
@ -80,4 +87,15 @@ authentication_backend:
The user must have an email address in order for Authelia to perform The user must have an email address in order for Authelia to perform
identity verification when password reset request is initiated or identity verification when password reset request is initiated or
when a second factor device is registered. when a second factor device is registered.
## Important notes
Users must be uniquely identified by an attribute, this attribute must obviously contain a single value and
be guaranteed by the administrator to be unique. If multiple users have the same value, Authelia will simply
fail authenticating the user and display an error message in the logs.
In order to avoid such problems, we highly recommended you follow https://www.ietf.org/rfc/rfc2307.txt by using
`sAMAccountName` for Microsoft Active Directory and `uid` for other implementations as the attribute holding the
unique identifier for your users.
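Review bot: Grammar and precision in the new "Important notes" section: "we highly recommended you follow" should be "we highly recommend you follow", "fail authenticating the user" should be "fail to authenticate the user", and "obviously" adds nothing. As in the config comment, RFC 2307 covers 'uid' but not 'sAMAccountName', so phrase the recommendation as "uid as defined in RFC 2307, or sAMAccountName on Microsoft Active Directory" rather than presenting both as following the RFC.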