Recteur LP's avatar
Recteur LP committed
pyrmin-ldapauth:0.3.8
=====================

Plugins to authenticate against LDAP / AD servers, either by trusting the Remote-User header variable set by a front-end, or by binding the user to LDAP directly.

### Configuration File

#### Active Directory Example

```yaml
ldapauth:
 server: my_ldap_server
 port: 389
 ssl: False                     # set True to connect over LDAPS
 version: 3
 gravatar: False
 authorize_non_ldap_user: False # Set to True to accept a non-LDAP user in the Remote-User header
 user_id: sAMAccountName        # attribute matched against the login name
 user_displayname: displayName
 group_member_attr: memberOf    # AD: the user entry lists the DNs of its groups
 user: 'CN=svc_account,DC=example,DC=com'   # bind account used for lookups
 password: xxx                  # placeholder, do not commit the real value
 basedn: 'DC=example,DC=com'
 admin:                         # DNs of groups whose members get admin rights
  - 'CN=My Admin Group,DC=example,DC=com'
```

#### OpenLDAP Example

```yaml
ldapauth:
 server: my_ldap_server
 port: 389
 ssl: False                     # set True to connect over LDAPS
 version: 3
 gravatar: False
 authorize_non_ldap_user: False # Set to True to accept a non-LDAP user in the Remote-User header
 user_id: uid                   # attribute matched against the login name
 group_member_attr: memberUid   # posixGroup: the group entry lists member uids, not DNs
 user_displayname: gecos
 user: 'CN=svc_account,DC=example,DC=com'   # bind account used for lookups
 password: xxx                  # placeholder, do not commit the real value
 basedn: 'DC=example,DC=com'
 admin:                         # DNs of groups whose members get admin rights
  - 'CN=My Admin Group,DC=example,DC=com'
```

#### FreeIPA Example

```yaml
ldapauth:
 server: my_ipa_server
 port: 389
 ssl: False                     # set True to connect over LDAPS
 version: 3
 gravatar: False
 authorize_non_ldap_user: False # Set to True to accept a non-LDAP user in the Remote-User header
 user_id: uid                   # attribute matched against the login name
 group_member_attr: member      # FreeIPA: the group entry lists member user DNs
 user_displayname: gecos
 user: 'cn=svc_account,dc=example,dc=com'   # bind account used for lookups
 password: xxx                  # placeholder, do not commit the real value
 basedn: 'cn=accounts,dc=example,dc=com'    # FreeIPA keeps users and groups under cn=accounts
 admin:                         # DNs of groups whose members get admin rights
  - 'cn=My Admin Group,dc=example,dc=com'
```

*To bind to LDAP anonymously, leave `user` and `password` unset.*
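The three examples above differ mainly in how group membership is stored: with `memberOf` the user entry carries its groups' DNs, with `memberUid` the group entry carries login names, and with `member` the group entry carries user DNs. The following is an added illustration, not pyrmin-ldapauth's own code, of how a plugin with these settings would resolve a Remote-User value into an accept/deny and admin decision; the in-memory `Entry` list is a constructed stand-in for LDAP search results, and the `authorize_non_ldap_user` behaviour is the one the configuration comments describe.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    dn: str                                    # entry DN, e.g. 'CN=alice,DC=example,DC=com'
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values

def find_user(cfg, login, entries):
    """Entry under basedn whose user_id attribute equals the login (LDAP values compare case-insensitively)."""
    base = cfg["basedn"].lower()
    for e in entries:
        values = [v.lower() for v in e.attrs.get(cfg["user_id"], [])]
        if e.dn.lower().endswith(base) and login.lower() in values:
            return e
    return None

def is_admin(cfg, user, entries):
    """Apply the group_member_attr convention of the matching README example."""
    attr, admins = cfg["group_member_attr"], {dn.lower() for dn in cfg["admin"]}
    if attr == "memberOf":  # Active Directory: the user entry lists its groups' DNs
        return any(g.lower() in admins for g in user.attrs.get(attr, []))
    # OpenLDAP posixGroup: memberUid holds uids; FreeIPA: member holds user DNs
    needle = user.attrs[cfg["user_id"]][0].lower() if attr == "memberUid" else user.dn.lower()
    return any(g.dn.lower() in admins and needle in [m.lower() for m in g.attrs.get(attr, [])]
               for g in entries)

def authorize(cfg, remote_user, entries):
    """Decision for a Remote-User value: (accepted, is_admin, display_name)."""
    user = find_user(cfg, remote_user, entries)
    if user is None:  # unknown to LDAP: accepted only when authorize_non_ldap_user is True
        return (bool(cfg.get("authorize_non_ldap_user", False)), False, remote_user)
    display = user.attrs.get(cfg["user_displayname"], [remote_user])[0]
    return (True, is_admin(cfg, user, entries), display)

# Constructed sample data mirroring the README's AD and OpenLDAP/FreeIPA examples.
AD_CFG = {"user_id": "sAMAccountName", "user_displayname": "displayName", "group_member_attr": "memberOf",
          "basedn": "DC=example,DC=com", "admin": ["CN=My Admin Group,DC=example,DC=com"],
          "authorize_non_ldap_user": False}
AD_DIR = [Entry("CN=alice,DC=example,DC=com", {"sAMAccountName": ["alice"], "displayName": ["Alice Example"],
                                               "memberOf": ["CN=My Admin Group,DC=example,DC=com"]}),
          Entry("CN=bob,DC=example,DC=com", {"sAMAccountName": ["bob"], "displayName": ["Bob Example"]})]
OL_CFG = dict(AD_CFG, user_id="uid", user_displayname="gecos", group_member_attr="memberUid",
              basedn="dc=example,dc=com", admin=["cn=My Admin Group,dc=example,dc=com"])
IPA_CFG = dict(OL_CFG, group_member_attr="member")
OL_DIR = [Entry("uid=alice,dc=example,dc=com", {"uid": ["alice"], "gecos": ["Alice Example"]}),
          Entry("uid=bob,dc=example,dc=com", {"uid": ["bob"], "gecos": ["Bob Example"]}),
          Entry("cn=My Admin Group,dc=example,dc=com",
                {"memberUid": ["alice"], "member": ["uid=alice,dc=example,dc=com"]})]
```

Run `authorize(AD_CFG, "alice", AD_DIR)` to see `(True, True, 'Alice Example')`, and the same call with `"mallory"` to see the user rejected until `authorize_non_ldap_user` is set.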


### To use the Remote-User header, set up an Apache VirtualHost, for example with mod_ldap

You could use any Apache authentication module that sets REMOTE_USER.

```apache
# Basic auth sends credentials with every request; in production serve this on *:443 with TLS.
<VirtualHost *:80>
  <Location "/">
  AuthType Basic
  AuthName "LDAP Protected"
  AuthBasicProvider ldap
  # <server>, <basedn>, <login_attribute> and <filter> are placeholders for your directory
  AuthLDAPURL "ldap://<server>/<basedn>?<login_attribute>?sub?<filter>"
  # An empty bind DN means an anonymous bind; give a service account DN if the directory requires it
  AuthLDAPBindDN ""
  AuthLDAPBindPassword xxxx
  Require valid-user

  # Copy the authenticated user into an environment variable and forward it as a header.
  # "set" replaces any client-supplied header of the same name; "add" would append to it,
  # so the backend could see an attacker-chosen value next to the real one.
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader set REMOTE_USER %{RU}e

  ProxyPreserveHost On
  ProxyPass        <pyrmin_url>
  ProxyPassReverse <pyrmin_url>

  </Location>
</VirtualHost>
```