15881: Add LDAP option to install docs.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index c9e65ca7e1c5e3dc37aa5e46f40a83552f6350f8..753ba82ba69e329b988fd0f824195c6e4aaa571c 100644 (file)
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -12,8 +12,9 @@ SPDX-License-Identifier: CC-BY-SA-3.0
 Select one of the following login mechanisms for your cluster.
 
 # If all users will authenticate with Google, "configure Google login":#google.
+# If all users will authenticate with an existing LDAP service, "configure LDAP":#ldap.
 # If all users will authenticate using PAM as configured on your controller node, "configure PAM":#pam.
-# If you need to enable multiple authentication methods, or your backend can't be configured as a PAM service on your controller node, "configure a separate single sign-on (SSO) server":#sso.
+# If you need to enable multiple authentication methods, "configure a separate single sign-on (SSO) server":#sso.
 
 h2(#google). Google login
 
@@ -29,6 +30,32 @@ Next, copy the values of *Client ID* and *Client secret* from the Google Develop
       GoogleClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
 </pre>
 
+h2(#ldap). LDAP
+
+With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory.
+
+Enable LDAP authentication in @config.yml@:
+
+<pre>
+    Login:
+      LDAP:
+        Enable: true
+        URL: ldap://ldap.example.com:389
+        SearchBindUser: cn=lookupuser,dc=example,dc=com
+        SearchBindPassword: xxxxxxxx
+        SearchBase: ou=Users,dc=example,dc=com
+</pre>
+
+The email address reported by LDAP will be used as primary key for Arvados accounts. This means *users must not be able to edit their own email addresses* in the directory.
+
+Additional configuration settings are available:
+* @StartTLS@ is enabled by default.
+* @StripDomain@ and @AppendDomain@ modify the username entered by the user before searching for it in the directory.
+* @SearchAttribute@ (default @uid@) is the LDAP attribute used when searching for usernames.
+* @SearchFilters@ accepts LDAP filter expressions to control which users can log in.
+
+Check the LDAP section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
+
 h2(#pam). PAM (experimental)
 
 With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index a06526fd6747c9d707ba70969092f27c40f28e66..2aa58ac31e96657a5b6b075a428c1d7453610ec9 100644 (file)
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -577,7 +577,8 @@ Clusters:
         # Use an LDAP service to authenticate users.
         Enable: false
 
-        # Server URL, like "ldap://ldapserver.example.com:389".
+        # Server URL, like "ldap://ldapserver.example.com:389" or
+        # "ldaps://ldapserver.example.com:636".
         URL: "ldap://ldap:389"
 
         # Use StartTLS upon connecting to the server.

diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index e5ec035c67a211061b95eaf6af6218d688c08407..4677fe544430dc07b4f3f8c9373cc769d93ebb62 100644 (file)
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -583,7 +583,8 @@ Clusters:
         # Use an LDAP service to authenticate users.
         Enable: false
 
-        # Server URL, like "ldap://ldapserver.example.com:389".
+        # Server URL, like "ldap://ldapserver.example.com:389" or
+        # "ldaps://ldapserver.example.com:636".
         URL: "ldap://ldap:389"
 
         # Use StartTLS upon connecting to the server.