From bbb132e983f9ec5c7d50cf0ab709ec041af1f844 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Thu, 7 May 2020 11:07:48 -0400
Subject: [PATCH] 15881: Add LDAP option to install docs.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 doc/install/setup-login.html.textile.liquid | 29 ++++++++++++++++++++-
 lib/config/config.default.yml | 3 ++-
 lib/config/generated_config.go | 3 ++-
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index c9e65ca7e1..753ba82ba6 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -12,8 +12,9 @@ SPDX-License-Identifier: CC-BY-SA-3.0
 Select one of the following login mechanisms for your cluster.
 # If all users will authenticate with Google, "configure Google login":#google.
+# If all users will authenticate with an existing LDAP service, "configure LDAP":#ldap.
 # If all users will authenticate using PAM as configured on your controller node, "configure PAM":#pam.
-# If you need to enable multiple authentication methods, or your backend can't be configured as a PAM service on your controller node, "configure a separate single sign-on (SSO) server":#sso.
+# If you need to enable multiple authentication methods, "configure a separate single sign-on (SSO) server":#sso.
 h2(#google). Google login
@@ -29,6 +30,32 @@ Next, copy the values of *Client ID* and *Client secret* from the Google Develop
 GoogleClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
+h2(#ldap). LDAP
+
+With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory.
+
+Enable LDAP authentication in @config.yml@:
+
+    Login:
+      LDAP:
+        Enable: true
+        URL: ldap://ldap.example.com:389
+        SearchBindUser: cn=lookupuser,dc=example,dc=com
+        SearchBindPassword: xxxxxxxx
+        SearchBase: ou=Users,dc=example,dc=com
+
+
+The email address reported by LDAP will be used as primary key for Arvados accounts. This means *users must not be able to edit their own email addresses* in the directory.
+
+Additional configuration settings are available:
+* @StartTLS@ is enabled by default.
+* @StripDomain@ and @AppendDomain@ modify the username entered by the user before searching for it in the directory.
+* @SearchAttribute@ (default @uid@) is the LDAP attribute used when searching for usernames.
+* @SearchFilters@ accepts LDAP filter expressions to control which users can log in.
+
+Check the LDAP section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
+
 h2(#pam). PAM (experimental)
 With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index a06526fd67..2aa58ac31e 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -577,7 +577,8 @@ Clusters:
 # Use an LDAP service to authenticate users.
 Enable: false
- # Server URL, like "ldap://ldapserver.example.com:389".
+ # Server URL, like "ldap://ldapserver.example.com:389" or
+ # "ldaps://ldapserver.example.com:636".
 URL: "ldap://ldap:389"
 # Use StartTLS upon connecting to the server.
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index e5ec035c67..4677fe5444 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -583,7 +583,8 @@ Clusters:
 # Use an LDAP service to authenticate users.
 Enable: false
- # Server URL, like "ldap://ldapserver.example.com:389".
+ # Server URL, like "ldap://ldapserver.example.com:389" or
+ # "ldaps://ldapserver.example.com:636".
 URL: "ldap://ldap:389"
 # Use StartTLS upon connecting to the server.
--
2.30.2
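Review bot: The new `URL` comment in config.default.yml advertises `ldaps://…:636` but says nothing about how that interacts with the `StartTLS` setting on the hunk's last context line, which the doc hunk in this same patch says is enabled by default; StartTLS is an extended operation for upgrading a plaintext `ldap://` session, so an operator who switches to `ldaps://` and leaves `StartTLS: true` will presumably get a failed or at best redundant upgrade attempt on an already-encrypted connection. The comment should also spell out the security consequence of the plain default `URL: "ldap://ldap:389"`: with StartTLS disabled and no `ldaps://`, the `SearchBindPassword` and every user's login password cross the network in cleartext. I would extend the comment to `# Server URL, like "ldap://ldapserver.example.com:389" (plaintext; rely on StartTLS below to protect credentials) or "ldaps://ldapserver.example.com:636" (TLS from the start; set StartTLS to false).`. The same text is duplicated in generated_config.go, which by its name is presumably generated from this file and should be regenerated rather than hand-edited when the wording changes.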