
LDAP Docs are underdefined #395

Open
byxorna opened this issue Jan 13, 2016 · 3 comments
@byxorna
Contributor

byxorna commented Jan 13, 2016

Seems a bunch of fields are missing from docs on the LDAP Authentication plugin. It would be useful to have them better documented, along with examples.

For example:

authentication {
  permissionsFile = "conf/permissions.yaml"

  # allow mixed authentication, so we can fallback to files if necessary when ldap is down
  type = "file,ldap"

  file {
    # format is username:<htpasswdhash>:group1,group2
    # generate with echo "$(htpasswd -B -n -b -s username password):group1,group2" >>user.conf
    userfile = "conf/users.conf"
  }

  ldap {
    # if schema is rfc2307bis, the group search filter for a user will use the value of `dn` for the
    # `groupAttribute` attribute. Otherwise, it will use the username.
    # i.e. rfc2307bis: cn=Users,dc=company,dc=com (&(name=*)(member=cn=User Name,cn=Users,dc=company,dc=com))
    schema = "rfc2307bis"
    host = "your.ldap.server.com"

    # the attribute on a User object that has the username in it
    userAttribute = "sAMAccountName"
    # the attribute on a User object that contains the uid
    userNumberAttribute = "uidNumber"
    # usersub is the additional nesting that Users live under. If usersub="cn=Users"
    # and the searchbase="dc=company,dc=com", then any authentication attempt
    # will be made with the root cn=Users,dc=company,dc=com
    usersub = "cn=Users"

    # the attribute on a Group object that holds the identifier of participating users
    # i.e. member: cn=User Name,cn=Users,dc=company,dc=com
    groupAttribute = "member"
    # the attribute on a Group object that describes the group name (used for permissions.yaml
    # granting e.g. g=MyGroupName)
    groupNameAttribute = "name"
    # groupsub is the subtree that all Group objects live underneath
    groupsub = "cn=Groups"

    # searchbase is the root of all searches
    searchbase = "dc=your,dc=company,dc=com"
    ssl = true # true means ldaps://, false means ldap://
  }
}

@ytjohn
Contributor

ytjohn commented Apr 20, 2017

Thank you for this. I spent yesterday struggling with this and your comment gave me what I needed to figure out how to connect collins to AD instead of LDAP (we use ipa/ldap almost everywhere, but for a set of services, it is AD).

Since I don't see a good place to put this, I'll show how our (sanitized) AD is setup and then how we configured collins to talk to it. The biggest problem is that instead of the username, AD puts the First and Last name in the DN, which made it so that collins could not find the group membership. The other issue was that uid is definitely required, though I don't know what collins uses it for.

A user entry:

dn: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
cn: First Last
distinguishedName: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
memberOf: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
employeeNumber: 1042

A group entry:

# collins-admins, COLLINS, Groups - Software Products, Company, example.net
dn: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
cn: collins-admins
member: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
distinguishedName: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
name: collins-admins

ldap {
  host = "ad01.example.net"
  anonymous = false
  schema = "rfc2307bis"
  searchbase = "OU=Company,DC=example,DC=net"
  userAttribute = "sAMAccountName"
  userNumberAttribute = "employeeNumber"
  usersub = "OU=Users"

  groupsub = "OU=COLLINS,OU=Products"
  groupAttribute = "member"
  groupNameAttribute = "name"

  cacheSpecification = "expireAfterWrite=30s"
  binddn = "CN=svc-ldap-collins,OU=Service_Accounts,OU=Company,DC=example,DC=net"
  bindpwd = "supersecret"
}
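The two comments above describe the same mechanism from two sides: the first explains that with `schema = "rfc2307bis"` the group search matches the user's `dn` against `groupAttribute` (otherwise the bare username), and ytjohn's AD example shows why that matters, since AD stores "First Last" rather than the login name in the DN. The following Python is an added illustration of that filter construction, not code from Collins or from either commenter. It assumes the filter shape `(&(name=*)(member=...))` quoted in the first comment, evaluates it against a group entry constructed from ytjohn's sanitized LDIF, and escapes the substituted value per RFC 4515 so that a username such as `*` cannot widen the search (the `flast` login name is a constructed placeholder).

```python
import re

# RFC 4515 escaping for a value substituted into an LDAP search filter.
# Without this, a username containing '*', '(' or ')' changes the filter's meaning.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
_HEX = re.compile(r'\\([0-9a-fA-F]{2})')
# One "(attr=value)" term; only the AND-of-equality shape used in the issue is handled.
_TERM = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')


def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def group_filter(schema: str, group_attribute: str, username: str, user_dn: str) -> str:
    """Build the group-membership filter as the issue describes it (assumed semantics):
    rfc2307bis matches the user's DN in groupAttribute, any other schema matches the username."""
    member_value = user_dn if schema == "rfc2307bis" else username
    return f"(&(name=*)({group_attribute}={escape_filter_value(member_value)}))"


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: one entry, 'attr: value' lines, attribute names lower-cased."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        attr, _, value = line.partition(': ')
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def entry_matches(entry: dict, filt: str) -> bool:
    """Evaluate an AND of equality/presence terms. Comparison is case-insensitive,
    an approximation of the case-ignore matching rules AD applies to DNs and names."""
    for attr, raw in _TERM.findall(filt):
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if raw == '*':
            if not values:
                return False
        elif unescape_filter_value(raw).lower() not in values:
            return False
    return True


def user_groups(schema: str, groups: list, username: str, user_dn: str,
                group_attribute: str = "member", group_name_attribute: str = "name") -> list:
    """Return the groupNameAttribute values of every group entry the user's filter matches."""
    filt = group_filter(schema, group_attribute, username, user_dn)
    names = []
    for group in groups:
        if entry_matches(group, filt):
            names.extend(group.get(group_name_attribute.lower(), []))
    return names


# Constructed from the sanitized group entry in ytjohn's comment.
GROUP_LDIF = """\
dn: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
cn: collins-admins
member: CN=First Last,OU=Users,OU=Company,DC=example,DC=net
distinguishedName: CN=collins-admins,OU=COLLINS,OU=Products,OU=Company,DC=example,DC=net
name: collins-admins
"""
GROUPS = [parse_ldif(GROUP_LDIF)]
USER_DN = "CN=First Last,OU=Users,OU=Company,DC=example,DC=net"
USERNAME = "flast"  # constructed sAMAccountName; it does not appear in the DN


if __name__ == "__main__":
    # DN-based matching (rfc2307bis) finds the group; username-based matching cannot,
    # because AD's member values carry the DN with "First Last", not the login name.
    print(group_filter("rfc2307bis", "member", USERNAME, USER_DN))
    print(user_groups("rfc2307bis", GROUPS, USERNAME, USER_DN))   # ['collins-admins']
    print(user_groups("rfc2307", GROUPS, USERNAME, USER_DN))      # []
    # Escaping keeps a wildcard username from matching every group.
    print(user_groups("rfc2307", GROUPS, "*", USER_DN))           # []
```

The username-schema case returning nothing is exactly the failure mode ytjohn describes: the login name is never in the `member` value, so only the DN-based lookup can succeed. The escaping step is the part a deployment should verify in the real plugin before exposing it to self-service logins; if you cannot confirm it, treat usernames reaching the filter as untrusted input.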

@byxorna
Contributor Author

byxorna commented Apr 20, 2017

@ytjohn glad it helped. I'll punt this ticket over to someone in Tumblr to get it integrated into the gh-pages. cc @defect @roymarantz

@ytjohn
Contributor

ytjohn commented Apr 20, 2017

I spoke too soon actually. It is letting me log in, but does not, in fact, seem to be getting any groups. I assumed it was because the error went away. It would be nice to have a way to show what groups a logged-in user belongs to (say a debug log option).
