LDAP Authentication¶
Foreman natively supports LDAP authentication using one or multiple LDAP directories.
Enabling LDAP¶
Enable LDAP and User/Group settings menus
Edit your config/setting.yml
:login: true
and restart Foreman
Setting up¶
Go to More -> LDAP Authentication
Click on New Ldap Source and enter the following
- Name: an arbitrary name for the directory
- Host: the LDAP host name
- Port: the LDAP port (default is 389)
- LDAPS: check this if you want or need to use LDAPS to access the directory
- Account: leave this field empty if your LDAP can be read anonymously, otherwise enter a user name that has read access to the LDAP or use $login (which will be replaced with the actual user credentials upon login)
- Account Password: password for the account (if defined above and its not using the $login)
- baseDN: the top level DN of your LDAP directory tree
On the fly user creation¶
By checking On-the-fly user creation, any LDAP user will have his Foreman account automatically created the first time he logs into Foreman.
For that, you have to specify the LDAP attributes name (firstname, lastname, email) that will be used to create their Foreman accounts.
Examples¶
Active Directory¶
Name = My Directory Host = host.domain.org Port = 636 TLS = yes Onthefly register = yes Account = MyDomain\$login Password = <leave blank> Base DN = CN=users,DC=host,DC=domain,DC=org attr login = sAMAccountName attr firstname = givenName attr lastname = sN mail = mail
OpenLDAP¶
Name = My Directory Host = host.domain.org Port = 389 TLS = no Onthefly register = yes Account = <leave blank> (if anonymous access is enabled) Password = <leave blank> Base DN = ou=Users,dc=domain,dc=co,dc=il attr login = uid attr firstname = givenName attr lastname = sn mail = mail
Note that LDAP attribute names are case sensitive.
Troubleshooting¶
If you want to use on-the-fly user creation, make sure that Foreman can fetch from your LDAP all the required information to create a valid user.
For example, on-the-fly user creation won't work if you don't have valid email adresses in your directory (you will get an 'Invalid username/password' error message when trying to log in).
