itdoxy-lab/modules/auth/ldap
Lunny Xiao 4d6de6c7b9 add login name for auth type 2014-05-11 11:56:04 +08:00
..
README.md initial support for LDAP authentication/MSAD 2014-04-23 23:07:54 +02:00
ldap.go ldap support 2014-05-03 10:48:14 +08:00
ldap_test.go add login name for auth type 2014-05-11 11:56:04 +08:00

README.md

LDAP authentication

Goal

Authenticat user against LDAP directories

It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers

The first OK wins.

If there's connection error, the server will be disabled and won't be checked again

Usage

In the [security] section, set

LDAP_AUTH = true

then for each LDAP source, set

[LdapSource-someuniquename] name=canonicalName host=hostname-or-ip port=3268 # or regular LDAP port

the following settings depend highly how you've configured your AD

basedn=dc=ACME,dc=COM MSADSAFORMAT=%s@ACME.COM filter=(&(objectClass=user)(sAMAccountName=%s))

Limitation

Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)

This MSAD is a mess.

The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration

Todo

  • Define a timeout per server
  • Check servers marked as "Disabled" when they'll come back online
  • Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
  • Check OpenLDAP server
  • SSL support ?