LDAP Support

LDAP doesn’t work yet, this is provisional documentation

Swindon has experimental support of LDAP authorization.

Configuration of LDAP consists of three parts:

  1. Configuring LDAP destination. This is where addresses and size of connection pool are configured.
  2. Actual LDAP search and bind requests are configured in authorizers section with !Ldap authorizer.
  3. And the last but least thing is to add authorizer configured at step #2 to actually handle parts of the site.

LDAP Destination

Currently destination has minimum configuration:

ldap-destinations:
  local-ldap:
    addresses:
    - localhost:8398

Options:

addresses

A list of addresses to connect to. Currently you must specify also a port, but we consider using SRV records in the future.

Each address may be resolved to a multiple IPs and each API participate in round-robin on it’s own (not the whole hostname).

LDAP Authorizer

Next thing is to configure an authorizer. The authorizer is a thing that picks specific rules for accessing the website.

Here is an example of authorizer configuration:

authorizers:
  ldap: !Ldap
    destination: local-ldap
    search-base: dc=users,dc=example,dc=org
    login-attribute: uid
    password-attibute: userPassword
    login-header: X-User-Uid
    additional-queries:
      X-User-Groups:
        search-base: cn=Group,dc=uaprom,dc=org
        fetch-attribute: dn
        filter: "member=${dn}"
        dn-attribute-strip-base: cn=Group,dc=uaprom,dc=org

Options:

destination

Destination LDAP connection pool name (see LDAP Destinations)

search-base

Base DN for searching for user

login-attribute

The attribute that will be matched against when user is logging in.

password-attribute

The password attribute name for authentication.

login-header

A header where valid login will be passed when proxying request to a HTTP destination (when authentication succeeds).

additional-queries

Each of this query will be executed for already logged in user and result of the query will be passed as the header value to the a HTTP destination.