-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #4 from danielmoore/docs/readme
Added installation instructions to README. Fixes #1
- Loading branch information
Showing
1 changed file
with
147 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,147 @@ | ||
couchdb-ldap-auth | ||
================= | ||
# LDAP Authentication Handler for CouchDB | ||
|
||
## Features | ||
- Basic authentication handler | ||
- Session handler | ||
- works with CouchDB built-in `cookie_authentication_handler` | ||
- Supports users and recursive-group association | ||
|
||
## Installation | ||
|
||
First, check out the source and `cd` into it. | ||
|
||
### Prerequisites | ||
- Erlang | ||
- Rebar | ||
|
||
### Build from Source | ||
|
||
``` | ||
rebar clean compile | ||
``` | ||
|
||
### Run Tests | ||
|
||
``` | ||
rebar test | ||
``` | ||
|
||
### Install binaries and config | ||
|
||
``` | ||
# Create module folder | ||
mkdir /usr/local/lib/couchdb/erlang/lib/ldap-auth | ||
# Copy binaries | ||
cp -R ebin /usr/local/lib/couchdb/erlang/lib/ldap-auth/ | ||
# Copy/overwrite the default config | ||
cp -f priv/default.d/* /usr/local/etc/couchdb/default.d/ | ||
# Copy (but don't overwrite!) the custom config | ||
cp -n priv/local.d/* /usr/local/etc/couchdb/local.d/ | ||
``` | ||
|
||
## Configuration | ||
|
||
### Authentication Handlers | ||
|
||
The defaults included in `ldap_auth.ini` provide a basic, out-of-the-box | ||
configuration for sessions, cookies, basic authentication, and system admin | ||
role assignment based on LDAP. | ||
|
||
If you have a custom configuration of CouchDB, you may need to edit it. | ||
|
||
Keep in mind that the first handler to authenticate a credential "wins." | ||
Specifically, this means that if you keep the built-in | ||
`{couch_httpd_auth, default_authentication_handler}`, CouchDB will continue | ||
to inspect the `_users` database for credentials and use the ini files | ||
for system admins. | ||
|
||
#### Basic Auth | ||
|
||
To allow requests with the users' names and passwords encoded in the URL, | ||
simply include ` {ldap_auth, handle_basic_auth_req}` in the | ||
`authentication_handlers`: | ||
|
||
[httpd] | ||
authentication_handlers = {ldap_auth, handle_basic_auth_req} | ||
|
||
#### Sessions and Cookies | ||
|
||
In order for session management and cookies to work, you need a few options set. | ||
|
||
The first binds the `/_session` REST endpoint to the LDAP session manager. | ||
|
||
```ini | ||
[httpd_global_handlers] | ||
_session = {ldap_auth, handle_session_req} | ||
``` | ||
|
||
The session manager will authenticate the POST payload credentials and provide | ||
a cookie token. | ||
|
||
In order to use the cookie token, the CouchDB built-in cookie handler must be | ||
included in the list of authentication handlers: | ||
|
||
[httpd] | ||
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler} | ||
|
||
Each time `handle_session_req` is called, the `_users` database is updated | ||
with the user's roles. If the user document does not exist beforehand, a new one | ||
is created; the user's password is not stored. | ||
|
||
#### System Admin Delegation | ||
|
||
If you'd like to use LDAP to also control the list of system administrators, | ||
rather than the CouchDB built-in list in .ini files, you can add | ||
`{ldap_auth, handle_admin_role}` to the end of the `authentication_handlers` | ||
list. | ||
|
||
### Options | ||
|
||
#### UseSSL | ||
|
||
Set to `true` to use SSL to bind to the LDAP server. Default: `false` | ||
|
||
#### LdapServer | ||
|
||
The LDAP server to use for searches and authentication. | ||
|
||
#### BaseDN | ||
|
||
The distinguished name to constrain the scope of which users may authenticate. | ||
This may be as broad (the entire domain) or narrow (an OU or even a group) as | ||
needed. | ||
|
||
#### SearchUserDN and SearchUserPassword | ||
|
||
In order to authenticate users by an arbitrary attribute (like username) instead | ||
of a distinguished name, a service user must be available with permission to | ||
query LDAP (no other permissions are needed). Some LDAP servers provide anonymous | ||
querying, but this is not recommended by LDAP vendors. | ||
|
||
The SearchUserDN and SearchUserPassword should be set to the credentials of the | ||
desired service user. If anonymous queries are allowed and preferred, the DN | ||
must be set to the anon DN, but the password may remain blank. | ||
|
||
#### UserDNMapAttr | ||
|
||
The attribute to use as the login name for CouchDB. On Active Directory, you | ||
might use: | ||
|
||
- `sAMAccountName`, e.g. jsmith | ||
- `userPrincipalName`, e.g. jsmith@example.com<br/> | ||
NOTE: if you use userPrincipalName, be sure to URL-encode the username when using basic auth.<br/> | ||
e.g. `http://jsmith%40example.com:password@example.com:5984` | ||
|
||
Any attribute could be used, though. | ||
|
||
#### GroupDNMapAttr | ||
|
||
The same as UserDNMapAttr, but for groups. Most LDAP software has a `name` | ||
attribute on group objects. | ||
|
||
#### SystemAdminRoleName | ||
|
||
If you're using system admin delegation, this is the name of the role that will | ||
be promoted to `_admin`, aka the system admin. |