LDAP Authentication
Version 7 (Matt Warren, 01/05/2012 10:01 am)
h1. LDAP Authentication

Foreman natively supports LDAP authentication using one or multiple LDAP directories.

h2. Enabling LDAP

To enable LDAP and the User/Group settings menus, edit your config/settings.yml:

<pre>
:login: true
</pre>

and restart Foreman.

h2. Setting up

Go to More -> LDAP Authentication.

Click on New Ldap Source and enter the following:

* *Name*: an arbitrary name for the directory
* *Host*: the LDAP host name
* *Port*: the LDAP port (default is 389)
* *LDAPS*: check this if you want or need to use LDAPS to access the directory
* *Account*: leave this field empty if your LDAP can be read anonymously; otherwise enter a user name that has read access to the LDAP, or use $login (which will be replaced with the actual user credentials upon login)
* *Account Password*: password for the account (if defined above and it is not using $login)
* *baseDN*: the top level DN of your LDAP directory tree

h3. On the fly user creation

By checking *On-the-fly user creation*, any LDAP user will have their Foreman account automatically created the first time they log into Foreman.
For that, you have to specify the LDAP attribute names (firstname, lastname, email) that will be used to create their Foreman accounts.

h2. Examples

h3. Active Directory

<pre>
Name = My Directory
Host = host.domain.org
Port = 636
TLS = yes
Onthefly register = yes
Account = MyDomain\$login
Password = <leave blank>
Base DN = CN=users,DC=host,DC=domain,DC=org
attr login = sAMAccountName
attr firstname = givenName
attr lastname = sN
mail = mail
</pre>

h3. OpenLDAP

<pre>
Name = My Directory
Host = host.domain.org
Port = 389
TLS = no
Onthefly register = yes
Account = <leave blank> (if anonymous access is enabled)
Password = <leave blank>
Base DN = ou=Users,dc=domain,dc=co,dc=il
attr login = uid
attr firstname = givenName
attr lastname = sn
mail = mail
</pre>

Note that LDAP attribute names are *case sensitive*.

h2. Troubleshooting

If you want to use on-the-fly user creation, make sure that Foreman can fetch from your LDAP all the required information to create a valid user.
For example, on-the-fly user creation won't work if you don't have valid email addresses in your directory (you will get an 'Invalid username/password' error message when trying to log in).
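The following Ruby is an added example, not Foreman's own code: it models how the $login substitution in the Account field and the on-the-fly attribute mapping from the two examples above behave at login, using constructed directory entries instead of a live directory (the helper names and the entry layout are assumptions).

```ruby
# Added example, not Foreman's own code: models how the LDAP source settings
# above are applied at login. Entries are constructed inline and no directory
# is contacted; the helper names are assumptions, not Foreman's API.

# The two examples from this page, reduced to the fields the helpers use.
AD_SOURCE = { account: 'MyDomain\$login', password: '',  # $login is expanded at login
              attr_login: 'sAMAccountName', attr_firstname: 'givenName',
              attr_lastname: 'sN', attr_mail: 'mail' }
OPENLDAP_SOURCE = { account: '', password: '',           # blank Account = anonymous bind
                    attr_login: 'uid', attr_firstname: 'givenName',
                    attr_lastname: 'sn', attr_mail: 'mail' }

# Credentials Foreman would bind with: a blank Account means an anonymous
# bind; "$login" is replaced by the user name and the user's own password is
# used in place of the stored Account Password.
def bind_credentials(source, login, password)
  account = source[:account].to_s
  return { bind_dn: nil, bind_password: nil } if account.empty?
  return { bind_dn: account, bind_password: source[:password] } unless account.include?('$login')
  { bind_dn: account.gsub('$login') { login }, bind_password: password }
end

# Builds the on-the-fly user record from a directory entry. Lookup is exact
# (attribute names are case sensitive) and every mapped attribute must be
# present and non-empty; a missing one (typically mail) is why Foreman then
# rejects the login with 'Invalid username/password'.
def onthefly_user(source, entry)
  fields = { login: :attr_login, firstname: :attr_firstname,
             lastname: :attr_lastname, mail: :attr_mail }
  user = {}
  fields.each do |field, key|
    value = entry[source[key]]
    return { error: "attribute '#{source[key]}' (#{field}) missing" } if value.to_s.empty?
    user[field] = value
  end
  user
end

# Constructed entries for an OpenLDAP-style directory (not real accounts).
JDOE   = { 'uid' => 'jdoe', 'givenName' => 'Jane', 'sn' => 'Doe', 'mail' => 'jdoe@domain.co.il' }
NOMAIL = { 'uid' => 'bsmith', 'givenName' => 'Bob', 'sn' => 'Smith' }

if __FILE__ == $PROGRAM_NAME
  p bind_credentials(AD_SOURCE, 'jdoe', 'secret')
  p onthefly_user(OPENLDAP_SOURCE, JDOE)
  p onthefly_user(OPENLDAP_SOURCE, NOMAIL)
end
```

Running it shows the expanded AD bind name, a complete user record for the first entry, and the missing-mail error for the second, which is the case the troubleshooting note above describes.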

h2. [[Roles and permissions]]
