pyrmin-ldapauth:0.3.7
=====================

Plugin to authenticate against LDAP / AD servers, either via the Remote-User header variable or by binding the user to LDAP.

### Configuration File

#### Active Directory Example

```yaml
ldapauth:
 server: my_ldap_server
 port: 389
 ssl: False
 version: 3
 authorize_non_ldap_user: False # Set to True to Accept non LDAP user in the Remote-User Header
 user_id: sAMAccountName
 user_displayname: displayName
 group_member_attr: memberOf
 user: 'CN=svc_account,DC=example,DC=com'
 password: xxx
 basedn: 'DC=example,DC=com'
 admin:
  - 'CN=My Admin Group,DC=example,DC=com'
```

#### OpenLDAP Example

```yaml
ldapauth:
 server: my_ldap_server
 port: 389
 ssl: False
 version: 3
 authorize_non_ldap_user: False # Set to True to Accept non LDAP user in the Remote-User Header
 user_id: uid
 group_member_attr: memberUid
 user_displayname: gecos
 user: 'CN=svc_account,DC=example,DC=com'
 password: xxx
 basedn: 'DC=example,DC=com'
 admin:
  - 'CN=My Admin Group,DC=example,DC=com'
```

#### FreeIPA Example

```yaml
ldapauth:
 server: my_ipa_server
 port: 389
 ssl: False
 version: 3
 authorize_non_ldap_user: False # Set to True to Accept non LDAP user in the Remote-User Header
 user_id: uid
 group_member_attr: member
 user_displayname: gecos
 user: 'cn=svc_account,dc=example,dc=com'
 password: xxx
 basedn: 'cn=accounts,dc=example,dc=com'
 admin:
  - 'cn=My Admin Group,dc=example,dc=com'
```

*To bind to LDAP anonymously, do not set `user` and `password`.*
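The following is an added illustration, not pyrmin-ldapauth's own code, of how the keys in the three configuration examples above (`user_id`, `user_displayname`, `group_member_attr`, `basedn`, `admin`, `authorize_non_ldap_user`) drive a lookup. The LDAP server is replaced by a constructed in-memory directory so it runs offline, the password check stands in for a bind as the user, and the way each `group_member_attr` is resolved (`memberOf` on the user entry, `memberUid` and `member` on the group entry) is the standard meaning of those attributes and an assumption about how the plugin behaves.

```python
"""Added example (not the plugin's code): resolving the ldapauth config keys
against a constructed fake directory. Assumes standard LDAP attribute semantics."""

# Config dicts mirroring the README examples. The OpenLDAP one deliberately sets
# authorize_non_ldap_user to True so the Remote-User fallback can be shown.
AD_CONFIG = {"user_id": "sAMAccountName", "user_displayname": "displayName",
             "group_member_attr": "memberOf", "basedn": "DC=example,DC=com",
             "admin": ["CN=My Admin Group,DC=example,DC=com"], "authorize_non_ldap_user": False}
OPENLDAP_CONFIG = {"user_id": "uid", "user_displayname": "gecos",
                   "group_member_attr": "memberUid", "basedn": "DC=example,DC=com",
                   "admin": ["CN=My Admin Group,DC=example,DC=com"], "authorize_non_ldap_user": True}
FREEIPA_CONFIG = {"user_id": "uid", "user_displayname": "gecos",
                  "group_member_attr": "member", "basedn": "cn=accounts,dc=example,dc=com",
                  "admin": ["cn=My Admin Group,dc=example,dc=com"], "authorize_non_ldap_user": False}

# Constructed sample entries (DN -> attributes). userPassword stands in for the bind.
AD_DIR = {
    "CN=alice,CN=Users,DC=example,DC=com": {"sAMAccountName": ["alice"], "displayName": ["Alice Admin"],
                                            "memberOf": ["CN=My Admin Group,DC=example,DC=com"],
                                            "userPassword": ["alice-pw"]},
    "CN=bob,CN=Users,DC=example,DC=com": {"sAMAccountName": ["bob"], "displayName": ["Bob User"],
                                          "memberOf": [], "userPassword": ["bob-pw"]},
}
OPENLDAP_DIR = {
    "uid=alice,ou=People,DC=example,DC=com": {"uid": ["alice"], "gecos": ["Alice Admin"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=People,DC=example,DC=com": {"uid": ["bob"], "gecos": ["Bob User"], "userPassword": ["bob-pw"]},
    "CN=My Admin Group,DC=example,DC=com": {"memberUid": ["alice"]},
}
FREEIPA_DIR = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["alice"], "gecos": ["Alice Admin"], "userPassword": ["alice-pw"]},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["bob"], "gecos": ["Bob User"], "userPassword": ["bob-pw"]},
    "cn=My Admin Group,dc=example,dc=com": {"member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"]},
}


def _same_dn(a, b):
    # LDAP DNs compare case-insensitively
    return a.lower() == b.lower()


def find_user(directory, config, login):
    """Search under basedn for the entry whose user_id attribute equals login."""
    for dn, entry in directory.items():
        if dn.lower().endswith(config["basedn"].lower()) and login in entry.get(config["user_id"], []):
            return dn, entry
    return None, None


def is_member(directory, config, login, user_dn, user_entry, group_dn):
    """Resolve membership according to group_member_attr:
    memberOf  - the user entry lists its groups (Active Directory)
    memberUid - the group entry lists member uids (OpenLDAP posixGroup)
    member    - the group entry lists member DNs (FreeIPA / groupOfNames)"""
    attr = config["group_member_attr"]
    if attr.lower() == "memberof":
        return any(_same_dn(g, group_dn) for g in user_entry.get(attr, []))
    group = next((e for dn, e in directory.items() if _same_dn(dn, group_dn)), None)
    if group is None:
        return False
    if attr.lower() == "memberuid":
        return login in group.get(attr, [])
    return any(_same_dn(m, user_dn) for m in group.get(attr, []))


def authenticate(directory, config, login, password=None, from_remote_user_header=False):
    """Return {"user", "displayname", "admin"} on success, or None to deny.

    from_remote_user_header=True means the front end already authenticated the
    user, so no password is checked; otherwise the password stands in for a bind."""
    user_dn, entry = find_user(directory, config, login)
    if entry is None:
        if from_remote_user_header and config.get("authorize_non_ldap_user", False):
            # Header user unknown to LDAP: accepted only when explicitly allowed, never admin
            return {"user": login, "displayname": login, "admin": False}
        return None
    if not from_remote_user_header and (password is None or password not in entry.get("userPassword", [])):
        return None
    admin = any(is_member(directory, config, login, user_dn, entry, g) for g in config.get("admin", []))
    displayname = entry.get(config["user_displayname"], [login])[0]
    return {"user": login, "displayname": displayname, "admin": admin}


if __name__ == "__main__":
    print(authenticate(AD_DIR, AD_CONFIG, "alice", "alice-pw"))
    print(authenticate(OPENLDAP_DIR, OPENLDAP_CONFIG, "mallory", from_remote_user_header=True))
    print(authenticate(FREEIPA_DIR, FREEIPA_CONFIG, "bob", "bob-pw"))
```

The point to take from the three directories is that `admin` is decided by a different lookup in each: with `memberOf` the user's own entry answers the question, with `memberUid` and `member` the group entry does, so the `admin` DNs must name entries the bind account is allowed to read. The `authorize_non_ldap_user` branch only ever yields a non-admin identity, and only on the header path.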


### To use the Remote-User header, set up an Apache VirtualHost (with mod_ldap, for example)

You can use any Apache authentication module.

```apache
<VirtualHost *:80>
  <Location "/">
  # Apache authenticates the browser against LDAP before anything reaches pyrmin
  AuthType Basic
  AuthName "LDAP Protected"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://<server>/<basedn>?<login_attribute>?sub?<filter>"
  AuthLDAPBindDN ""
  AuthLDAPBindPassword xxxx
  Require valid-user

  # Copy the authenticated user name into the REMOTE_USER request header
  # (LA-U looks ahead so the value is already available in the rewrite phase)
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader add REMOTE_USER %{RU}e

  # Forward to pyrmin; keep pyrmin reachable only through this proxy, since a
  # client that reaches it directly could supply its own REMOTE_USER header
  ProxyPreserveHost On
  ProxyPass        <pyrmin_url>
  ProxyPassReverse <pyrmin_url>

  </Location>
</VirtualHost>
```