LDAP Support
LDAP doesn't work yet; this is provisional documentation.
Swindon has experimental support for LDAP authorization.
Configuration of LDAP consists of three parts:
- Configuring an LDAP destination. This is where the addresses and the size of the connection pool are configured.
- Configuring the actual LDAP search and bind requests in the authorizers section with an !Ldap authorizer.
- Last but not least, adding the authorizer configured in step #2 to the parts of the site it should actually handle.
LDAP Destination
Currently a destination has a minimal configuration:
ldap-destinations:
  local-ldap:
    addresses:
    - localhost:8398
Options:
- addresses: A list of addresses to connect to. Currently you must also specify a port, but we are considering using SRV records in the future. Each address may resolve to multiple IPs, and each IP participates in round-robin on its own (not the whole hostname).
LDAP Authorizer
The next step is to configure an authorizer. An authorizer is the component that selects the specific rules for accessing the website.
Here is an example of an authorizer configuration:
authorizers:
  ldap: !Ldap
    destination: local-ldap
    search-base: dc=users,dc=example,dc=org
    login-attribute: uid
    password-attribute: userPassword
    login-header: X-User-Uid
    additional-queries:
      X-User-Groups:
        search-base: cn=Group,dc=uaprom,dc=org
        fetch-attribute: dn
        filter: "member=${dn}"
        dn-attribute-strip-base: cn=Group,dc=uaprom,dc=org
Options:
- destination: Name of the LDAP connection pool to use (see LDAP Destination).
- search-base: Base DN under which the user is searched for.
- login-attribute: The attribute that is matched against the login the user supplies.
- password-attribute: The name of the password attribute used for authentication.
- login-header: The header in which the validated login is passed when the request is proxied to an HTTP destination (only when authentication succeeds).
- additional-queries: Each of these queries is executed for the already logged-in user, and the result of the query is passed to the HTTP destination as the value of the header named by the key.
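To make the interaction of these options concrete, here is an added Python model of how the authorizer configuration above is interpreted. It is not Swindon's code: it runs the documented steps (find the user under search-base by login-attribute, check password-attribute, then evaluate each entry of additional-queries with ${dn} substituted into its filter and dn-attribute-strip-base removed from the results) against a small constructed in-memory directory, so the headers that would reach the HTTP destination can be inspected offline. Three things are assumptions, not stated on the page: filters are simple `attr=value` equality filters, multiple values are joined with commas, and the substituted `${dn}` is RFC 4515-escaped before it is placed in the filter.

```python
"""Model of the !Ldap authorizer configuration (added example, not Swindon's code).

Assumptions not stated on the page: simple equality filters, comma-joined
multi-valued headers, RFC 4515 escaping of the substituted ${dn}.
"""
import hmac
from typing import Dict, List, Optional

# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,dc=users,dc=example,dc=org": {
        "uid": ["alice"], "userPassword": ["correct-horse"]},
    "uid=bob,dc=users,dc=example,dc=org": {
        "uid": ["bob"], "userPassword": ["battery-staple"]},
    "cn=admins,cn=Group,dc=uaprom,dc=org": {
        "member": ["uid=alice,dc=users,dc=example,dc=org"]},
    "cn=developers,cn=Group,dc=uaprom,dc=org": {
        "member": ["uid=alice,dc=users,dc=example,dc=org",
                   "uid=bob,dc=users,dc=example,dc=org"]},
}

# The "ldap: !Ldap" block from the page, as a Python dict.
AUTHORIZER = {
    "search-base": "dc=users,dc=example,dc=org",
    "login-attribute": "uid",
    "password-attribute": "userPassword",
    "login-header": "X-User-Uid",
    "additional-queries": {
        "X-User-Groups": {
            "search-base": "cn=Group,dc=uaprom,dc=org",
            "fetch-attribute": "dn",
            "filter": "member=${dn}",
            "dn-attribute-strip-base": "cn=Group,dc=uaprom,dc=org",
        },
    },
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a substituted value cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the toy matcher below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def search(base: str, attribute: str, value: str) -> List[str]:
    """Sorted DNs of entries below `base` whose `attribute` contains `value`."""
    suffix = "," + base.lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.lower().endswith(suffix) and value in attrs.get(attribute, []))


def authenticate(login: str, password: str) -> Optional[str]:
    """Return the user's DN if the login resolves to exactly one entry and the password matches."""
    matches = search(AUTHORIZER["search-base"], AUTHORIZER["login-attribute"], login)
    if len(matches) != 1:  # unknown or ambiguous login: reject
        return None
    dn = matches[0]
    stored = DIRECTORY[dn].get(AUTHORIZER["password-attribute"], [])
    # A real deployment verifies the password by binding as `dn`; the toy
    # directory holds the value in clear, so compare in constant time.
    return dn if any(hmac.compare_digest(password, s) for s in stored) else None


def run_additional_queries(user_dn: str) -> Dict[str, str]:
    """Evaluate additional-queries for an authenticated user -> header name to value."""
    headers: Dict[str, str] = {}
    for header, q in AUTHORIZER["additional-queries"].items():
        flt = q["filter"].replace("${dn}", escape_filter_value(user_dn))
        attribute, _, raw = flt.partition("=")  # "attr=value" filter (assumption)
        values = []
        for dn in search(q["search-base"], attribute, unescape_filter_value(raw)):
            value = dn if q["fetch-attribute"] == "dn" else DIRECTORY[dn][q["fetch-attribute"]][0]
            strip = q.get("dn-attribute-strip-base")
            if strip and value.lower().endswith("," + strip.lower()):
                value = value[: -len(strip) - 1]
            values.append(value)
        headers[header] = ",".join(values)  # joining rule is an assumption
    return headers


def authorize(login: str, password: str) -> Optional[Dict[str, str]]:
    """Headers added to the proxied request, or None when authentication fails."""
    dn = authenticate(login, password)
    if dn is None:
        return None
    headers = {AUTHORIZER["login-header"]: login}
    headers.update(run_additional_queries(dn))
    return headers


if __name__ == "__main__":
    print(authorize("alice", "correct-horse"))
    print(authorize("alice", "wrong-password"))
```

With the constructed directory, `authorize("alice", "correct-horse")` yields `X-User-Uid: alice` and `X-User-Groups: cn=admins,cn=developers`, the group DNs having had `cn=Group,dc=uaprom,dc=org` stripped as dn-attribute-strip-base specifies; a wrong password or unknown login yields no headers at all, which is what the "only when authentication succeeds" condition on login-header means in practice.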