SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}
-# "Option 1: Google login through Arvados controller":#controller
-# "Option 2: Separate single-sign-on (SSO) server (Google, LDAP, local database)":#sso
+Select one of the following login mechanisms for your cluster.
-h2(#controller). Option 1: Google login through Arvados controller
+# If all users will authenticate with Google, "configure Google login":#google.
+# If all users will authenticate with an existing LDAP service, "configure LDAP":#ldap.
+# If all users will authenticate using PAM as configured on your controller node, "configure PAM":#pam.
+# If you need to enable multiple authentication methods, "configure a separate single sign-on (SSO) server":#sso.
+
+h2(#google). Google login
+
+With this configuration, users will sign in with their Google accounts.
First, visit "Setting up Google auth.":google-auth.html
-Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into @Login.GoogleClientID@ and @Login.GoogleClientSecret@ of @config.yml@ :
+Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into @Login.Google.ClientID@ and @Login.Google.ClientSecret@ in @config.yml@:
+
+<pre>
+ Login:
+ Google:
+ ClientID: "0000000000000-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.apps.googleusercontent.com"
+ ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
+</pre>
+
+h2(#ldap). LDAP
+
+With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory.
+
+Enable LDAP authentication in @config.yml@:
+
+<pre>
+ Login:
+ LDAP:
+ Enable: true
+ URL: ldap://ldap.example.com:389
+ SearchBindUser: cn=lookupuser,dc=example,dc=com
+ SearchBindPassword: xxxxxxxx
+ SearchBase: ou=Users,dc=example,dc=com
+</pre>
+
+The email address reported by LDAP will be used as primary key for Arvados accounts. This means *users must not be able to edit their own email addresses* in the directory.
+
+Additional configuration settings are available:
+* @StartTLS@ is enabled by default.
+* @StripDomain@ and @AppendDomain@ modify the username entered by the user before searching for it in the directory.
+* @SearchAttribute@ (default @uid@) is the LDAP attribute used when searching for usernames.
+* @SearchFilters@ accepts LDAP filter expressions to control which users can log in.
+
+Check the LDAP section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
+
+h2(#pam). PAM (experimental)
+
+With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.
+
+Enable PAM authentication in @config.yml@:
<pre>
Login:
- GoogleClientID: ""
- GoogleClientSecret: ""
+ PAM:
+ Enable: true
</pre>
-h2(#sso). Option 2: Separate single-sign-on (SSO) server (supports Google, LDAP, local database)
+Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options.
+
+The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a shell account and password on the controller host itself. This can be convenient for a single-user or test cluster.
+
+PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.
+
+For information about configuring PAM, refer to the "PAM System Administrator's Guide":http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.
+
+h2(#sso). Separate single-sign-on (SSO) server
+
+With this configuration, Arvados passes off authentication to a separate SSO server that supports Google, LDAP, and a local password database.
-See "Install the Single Sign On (SSO) server":#install-sso.html
+See "Install the Single Sign On (SSO) server":install-sso.html
projects / arvados.git / blobdiff