diff --git a/_posts/2019-04-15-gl-config.md b/_posts/2019-04-15-gl-config.md index 8447dbc2..c0b9caf7 100644 --- a/_posts/2019-04-15-gl-config.md +++ b/_posts/2019-04-15-gl-config.md @@ -266,8 +266,34 @@ Greenlight is able to authenticate users using an external LDAP server. To conne > `LDAP_BIND_DN` is the default account to use for user lookup. +> `LDAP_AUTH` is the preferred authentication method. (See below) + > `LDAP_PASSWORD` is the password for the account to perform user lookup. +> `LDAP_ROLE_FIELD` is the name of the attribute that contains the user role. (Optional) + +> `LDAP_FILTER` is the filter which can be used to only allow a specific subset of users to authenticate. (Optional) + +#### LDAP_AUTH + +When setting the authentication method, there are currently 3 options: +- `"simple"`: Uses the account set in `LDAP_BIND_DN` to look up users +- `"user"`: Uses the user's own credentials to search for his data, enabling authenticated login to LDAP without the need for a user with global read privileges. +- `"anonymous"`: Enables an anonymous bind to the LDAP with no password being used. + +#### LDAP_ROLE_FIELD + +Greenlight can automatically assign a matching role to a user based on their role in the LDAP Server. To do that: +- Create a role in Greenlight with the **exact** same name as the LDAP role +- Set the role permissions for the newly created role +- Repeat for all possible roles +- Set `LDAP_ROLE_FIELD` equal to the name of the attribute that stores the role +- Restart Greenlight + +Once you have signed in with that user, they will automatically be given the Greenlight role that matches their LDAP role. + +#### Example Setup + Here are some example settings using an [OpenLDAP](http://www.openldap.org/) server. ``` 
@@ -276,8 +302,11 @@ LDAP_PORT=389 LDAP_METHOD=plain LDAP_UID=uid LDAP_BASE=dc=example,dc=org +LDAP_AUTH=simple LDAP_BIND_DN=cn=admin,dc=example,dc=org LDAP_PASSWORD=password +LDAP_ROLE_FIELD=userRole +LDAP_FILTER=(&(attr1=value1)(attr2=value2)) ``` If your server is still running you will need to recreate the container for changes to take effect.
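Review bot: The new `LDAP_AUTH` section does not say what `LDAP_BIND_DN` and `LDAP_PASSWORD` mean once the mode is `"user"` or `"anonymous"`, while the unchanged `LDAP_BIND_DN` bullet still calls it "the default account to use for user lookup"; state whether the two values are ignored, must be left empty, or are still used for the initial lookup in those modes, and add for `"anonymous"` that the directory has to allow unauthenticated reads of the `LDAP_UID` and `LDAP_ROLE_FIELD` attributes, otherwise login and role mapping cannot work. The `LDAP_ROLE_FIELD` steps should also say whether the "exact same name" match is case-sensitive and which role a user receives when the attribute is absent or matches no Greenlight role, since that decides whether a mistyped role name silently falls back to the default role. Minor: "his data" reads better as "their data".

Review bot: The added `LDAP_FILTER=(&(attr1=value1)(attr2=value2))` line is a bare placeholder that does not resemble an RFC 4515 filter an administrator would deploy and is likely to be pasted as-is; either mark `attr1`/`value1` explicitly as placeholders or use an illustrative group filter such as `LDAP_FILTER=(memberOf=cn=greenlight-users,ou=groups,dc=example,dc=org)` (illustrative value, not taken from the post). The example pairs `LDAP_AUTH=simple` with the existing `LDAP_BIND_DN` and `LDAP_PASSWORD` lines but gives no second snippet for the `user` or `anonymous` modes introduced in the same change, where the bind DN and password lines would presumably be omitted; one such variant would make the new option concrete. Likewise `LDAP_ROLE_FIELD=userRole` is not a standard schema attribute, so the text should note it is a site-specific name the reader must replace.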