refactor: ldap filter (#4329)
parent
500410fac3
commit
e97a848600
|
@ -97,12 +97,12 @@ authentication_backend:
|
||||||
DO NOT USE==
|
DO NOT USE==
|
||||||
-----END RSA PRIVATE KEY-----
|
-----END RSA PRIVATE KEY-----
|
||||||
base_dn: DC=example,DC=com
|
base_dn: DC=example,DC=com
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: OU=users
|
||||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||||
username_attribute: uid
|
username_attribute: uid
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
display_name_attribute: displayName
|
display_name_attribute: displayName
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: OU=groups
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||||
group_name_attribute: cn
|
group_name_attribute: cn
|
||||||
permit_referrals: false
|
permit_referrals: false
|
||||||
|
|
|
@ -37,8 +37,8 @@ In your Authelia configuration you will need to enter and update the following v
|
||||||
* url `ldap://OpenLDAP:1389` - servers dns name & port.
|
* url `ldap://OpenLDAP:1389` - servers dns name & port.
|
||||||
*tip: if you have Authelia on a container network that is routable, you can just use the container name*
|
*tip: if you have Authelia on a container network that is routable, you can just use the container name*
|
||||||
* server_name `ldap01.example.com` - servers name
|
* server_name `ldap01.example.com` - servers name
|
||||||
* base_dn `dc=example,dc=com` - common name of domain root.
|
* base_dn `DC=example,DC=com` - common name of domain root.
|
||||||
* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
|
* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
|
||||||
* user `authelia` - username for Authelia service account
|
* user `authelia` - username for Authelia service account
|
||||||
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
|
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
|
||||||
|
|
||||||
|
@ -52,16 +52,16 @@ In your Authelia configuration you will need to enter and update the following v
|
||||||
server_name: ldap01.example.com
|
server_name: ldap01.example.com
|
||||||
skip_verify: true
|
skip_verify: true
|
||||||
minimum_version: TLS1.2
|
minimum_version: TLS1.2
|
||||||
base_dn: dc=example,dc=com
|
base_dn: DC=example,DC=com
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: OU=users
|
||||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||||
username_attribute: uid
|
username_attribute: uid
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
display_name_attribute: displayName
|
display_name_attribute: displayName
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: OU=groups
|
||||||
groups_filter: (&(member=uid={input},ou=users,dc=example,dc=com)(objectclass=groupofnames))
|
groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
|
||||||
group_name_attribute: cn
|
group_name_attribute: cn
|
||||||
user: uid=authelia,ou=service accounts,dc=example,dc=com
|
user: UID=authelia,OU=service accounts,DC=example,DC=com
|
||||||
password: "SUPER_COMPLEX_PASSWORD"
|
password: "SUPER_COMPLEX_PASSWORD"
|
||||||
```
|
```
|
||||||
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
|
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
|
||||||
|
@ -84,8 +84,8 @@ login, and reference it within the filters below.
|
||||||
In your Authelia configuration you will need to enter and update the following variables -
|
In your Authelia configuration you will need to enter and update the following variables -
|
||||||
* url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
|
* url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
|
||||||
* server_name `ldap01.example.com` - servers name
|
* server_name `ldap01.example.com` - servers name
|
||||||
* base_dn `dc=example,dc=com` - common name of domain root.
|
* base_dn `DC=example,DC=com` - common name of domain root.
|
||||||
* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
|
* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
|
||||||
* user `authelia` - username for Authelia service account
|
* user `authelia` - username for Authelia service account
|
||||||
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
|
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
|
||||||
|
|
||||||
|
@ -99,16 +99,16 @@ In your Authelia configuration you will need to enter and update the following v
|
||||||
server_name: ldap.example.com
|
server_name: ldap.example.com
|
||||||
skip_verify: true
|
skip_verify: true
|
||||||
minimum_version: TLS1.2
|
minimum_version: TLS1.2
|
||||||
base_dn: dc=example,dc=com
|
base_dn: dc=example,DC=com
|
||||||
username_attribute: uid
|
username_attribute: uid
|
||||||
additional_users_dn: cn=users,cn=accounts
|
additional_users_dn: CN=users,CN=accounts
|
||||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: OU=groups
|
||||||
groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=example,dc=com)(objectclass=groupofnames))
|
groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
|
||||||
group_name_attribute: cn
|
group_name_attribute: cn
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
display_name_attribute: displayName
|
display_name_attribute: displayName
|
||||||
user: uid=authelia,cn=users,cn=accounts,dc=example,dc=com
|
user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
|
||||||
password: "SUPER_COMPLEX_PASSWORD"
|
password: "SUPER_COMPLEX_PASSWORD"
|
||||||
```
|
```
|
||||||
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
|
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
|
||||||
|
@ -128,7 +128,7 @@ within the filters below.
|
||||||
In your Authelia configuration you will need to enter and update the following variables -
|
In your Authelia configuration you will need to enter and update the following variables -
|
||||||
* url `ldap://OpenLDAP:1389` - servers dns name & port.
|
* url `ldap://OpenLDAP:1389` - servers dns name & port.
|
||||||
*tip: if you have Authelia on a container network that is routable, you can just use the container name*
|
*tip: if you have Authelia on a container network that is routable, you can just use the container name*
|
||||||
* base_dn `dc=example,dc=com` - common name of domain root.
|
* base_dn `DC=example,DC=com` - common name of domain root.
|
||||||
* user `authelia` - username for Authelia service account.
|
* user `authelia` - username for Authelia service account.
|
||||||
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,
|
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,
|
||||||
|
|
||||||
|
@ -138,19 +138,19 @@ ldap:
|
||||||
url: ldap://lldap:3890
|
url: ldap://lldap:3890
|
||||||
timeout: 5s
|
timeout: 5s
|
||||||
start_tls: false
|
start_tls: false
|
||||||
base_dn: dc=example,dc=com
|
base_dn: dc=example,DC=com
|
||||||
username_attribute: uid
|
username_attribute: uid
|
||||||
additional_users_dn: ou=people
|
additional_users_dn: OU=people
|
||||||
# To allow sign in both with username and email, one can use a filter like
|
# To allow sign in both with username and email, one can use a filter like
|
||||||
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: OU=groups
|
||||||
groups_filter: (member={dn})
|
groups_filter: (member={dn})
|
||||||
group_name_attribute: cn
|
group_name_attribute: cn
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
display_name_attribute: displayName
|
display_name_attribute: displayName
|
||||||
# The username and password of the admin or service user.
|
# The username and password of the admin or service user.
|
||||||
user: uid=authelia,ou=people,dc=example,dc=com
|
user: UID=authelia,OU=people,DC=example,DC=com
|
||||||
password: "SUPER_COMPLEX_PASSWORD"
|
password: "SUPER_COMPLEX_PASSWORD"
|
||||||
```
|
```
|
||||||
Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
|
Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
|
||||||
|
|
|
@ -95,10 +95,17 @@ be appreciated). The userAccountControl filter checks that the account is not di
|
||||||
value is not 0 which means the password requires changing at the next login.
|
value is not 0 which means the password requires changing at the next login.
|
||||||
|
|
||||||
| Implementation | Users Filter | Groups Filter |
|
| Implementation | Users Filter | Groups Filter |
|
||||||
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------:|
|
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------:|
|
||||||
| custom | N/A | N/A |
|
| custom | N/A | N/A |
|
||||||
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(objectCategory=group)) |
|
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(sAMAccountType=268435456)) |
|
||||||
|
|
||||||
*__Note:__* The Active Directory filter `(sAMAccountType=805306368)` is exactly the same as
|
##### Microsoft Active Directory sAMAccountType
|
||||||
`(&(objectCategory=person)(objectClass=user))` except that the former is more performant, you can read more about this
|
|
||||||
and other Active Directory filters on the [TechNet wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx).
|
| Account Type Value | Description | Equivalent Filter |
|
||||||
|
|:------------------:|:--------------------------:|:----------------------------------------------:|
|
||||||
|
| 268435456 | Normal Group Objects | N/A |
|
||||||
|
| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
|
||||||
|
|
||||||
|
*__References:__*
|
||||||
|
- Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe).
|
||||||
|
- LDAP Syntax Filters: [Microsoft TechNet Wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
|
||||||
|
|
|
@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
|
||||||
UsernameAttribute: "sAMAccountName",
|
UsernameAttribute: "sAMAccountName",
|
||||||
MailAttribute: "mail",
|
MailAttribute: "mail",
|
||||||
DisplayNameAttribute: "displayName",
|
DisplayNameAttribute: "displayName",
|
||||||
GroupsFilter: "(&(member={dn})(objectClass=group))",
|
GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))",
|
||||||
GroupNameAttribute: "cn",
|
GroupNameAttribute: "cn",
|
||||||
Timeout: time.Second * 5,
|
Timeout: time.Second * 5,
|
||||||
TLS: &TLSConfig{
|
TLS: &TLSConfig{
|
||||||
|
|
Loading…
Reference in New Issue