diff --git a/pages/database-management/authentication-and-authorization/auth-system-integrations.mdx b/pages/database-management/authentication-and-authorization/auth-system-integrations.mdx index 1213de444..d642b82d6 100644 --- a/pages/database-management/authentication-and-authorization/auth-system-integrations.mdx +++ b/pages/database-management/authentication-and-authorization/auth-system-integrations.mdx @@ -67,6 +67,81 @@ The built-in SSO modules (used with the `saml-entra-id`, `saml-okta`, `oidc-entra-id`, and `oidc-okta` auth schemes) are further configured using **environment variables**. See their respective sections below for more details. +> **Note:** Unlike the SSO modules, which can be configured entirely via +**environment variables**, the LDAP module requires a configuration file +(`/etc/memgraph/auth/ldap.yaml`). This means that in simple deployments (e.g., +Docker) configuration is less flexible and cannot yet be passed purely via +environment variables. + +### Docker deployment note + +When deploying Memgraph with **any external authentication module** (for +example, LDAP, SAML, OIDC, or a custom auth module), you must ensure that all +required **roles exist in the database before enabling authentication**. + +External modules return one or more roles for each authenticated user, and +Memgraph matches these roles to existing roles defined in the database. If a +role does not exist at startup, affected users will not be able to log in. + +In containerized environments such as **Docker**, this initialization step can +be automated using the `--init-file` flag, which runs a Cypher script before the +database starts. This approach avoids having to manually stop and restart +containers to create roles later. + +A recommended workflow: + + +{

Create a local directory for your Docker setup

} + +``` +my_auth_init/ +├── Dockerfile +└── roles.cypherl +``` + +{

Define roles in `roles.cypherl`

} + +```cypher +CREATE ROLE superuser; +GRANT ALL PRIVILEGES TO superuser; +CREATE ROLE moderator; +``` + +{

Create the Dockerfile

} + +```dockerfile +FROM memgraph/memgraph:latest + +USER root +COPY roles.cypherl /usr/lib/memgraph/roles.cypherl +USER memgraph +``` + +{

Build the Docker image

} + +``` +docker build -t memgraph-auth . +``` + +{

Run Memgraph with authentication enabled and the init file executed on startup

} + +``` +docker run -it -p 7687:7687 -p 7444:7444 \ + memgraph-auth \ + --init-file=/usr/lib/memgraph/roles.cypherl \ + --auth-module-mappings=basic:/usr/lib/memgraph/auth_module/ldap.py +``` + +> Replace the module mapping with your chosen authentication scheme, e.g. +> oidc-okta, saml-entra-id, etc. + +
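Review bot: In the first hunk (`@@ -67,6 +67,81 @@`), the `--init-file` script runs on every container start, not just the first one, so the page should say what happens when `CREATE ROLE superuser;` is executed against a persisted data directory where the role already exists (error and abort, or silently skipped); if it is an error, the example should use an idempotent form or tell the reader to run the init file only on first start, otherwise the "avoids having to manually stop and restart containers" claim does not hold across restarts with a volume. Separately, `GRANT ALL PRIVILEGES TO superuser;` makes any external identity that the module maps to the `superuser` role fully privileged, so the note should state that the role names returned by the external module must match the database roles exactly and that the set of users the identity provider places in that role needs to be controlled by the operator; a narrower example grant would also read better in a least-privilege section. Minor: the heading "Docker deployment note" covers a requirement the text says applies to any external module in any deployment, and the first blockquote (`+> **Note:** ...`) only prefixes `>` on its first line while the later one prefixes every line; pick one style.

Review bot: In the second hunk (`@@ -611,13 +686,13 @@`), the configuration path changes from `/etc/memgraph/auth_module/ldap.yaml` to `/etc/memgraph/auth/ldap.yaml` while the module itself stays at `/usr/lib/memgraph/auth_module/ldap.py` (per the third hunk); the page should confirm that the shipped `ldap.py` reads the new path and say whether the old location is still honoured for existing deployments, since a docs-only path change would otherwise leave operators with a config file the module never loads.

Review bot: In the third hunk (`@@ -628,7 +703,7 @@`), the flag changes from `--auth-module-mappings=basic` to `--auth-module-mappings=basic:/usr/lib/memgraph/auth_module/ldap.py`, introducing an explicit `scheme:path` form without explaining it; add a sentence on the syntax and on whether the bare `basic` form (the removed line) still resolves to a default module, so readers upgrading know whether their current flag keeps working.

Review bot: In the fourth hunk (`@@ -758,7 +833,7 @@`), only the YAML path is updated, but the preceding context reads "To enable LDAP integration specify the following flag:" followed by a fence whose contents are outside the hunk; check that the flag shown there was updated to the same `basic:/usr/lib/memgraph/auth_module/ldap.py` form used in the third hunk, otherwise the two LDAP sections disagree.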
+ + +This approach ensures that all roles are created before the external +authentication module is activated, allowing users to log in seamlessly across +all supported authentication methods. + ## Auth module architecture ### Communication protocol @@ -611,13 +686,13 @@ Python 3 libraries installed: The module configuration file is located at: ``` -/etc/memgraph/auth_module/ldap.yaml +/etc/memgraph/auth/ldap.yaml ``` An example configuration file with all settings documented is provided at: ``` -/etc/memgraph/auth_module/ldap.example.yaml +/etc/memgraph/auth/ldap.example.yaml ``` For quick setup, you can copy the example configuration file into the module @@ -628,7 +703,7 @@ configuration file. To enable LDAP authentication and authorization, start Memgraph with: ``` ---auth-module-mappings=basic +--auth-module-mappings=basic:/usr/lib/memgraph/auth_module/ldap.py ``` You can also combine this with other configuration flags listed in @@ -758,7 +833,7 @@ To enable LDAP integration specify the following flag: ``` Also, add the following LDAP module configuration to -`/etc/memgraph/auth_module/ldap.yaml`: +`/etc/memgraph/auth/ldap.yaml`: ```yaml server: