LDAP Authentication
Version 1 (Ohad Levy, 10/16/2009 04:48 pm)
| 1 | 1 | h1. LDAP Authentication |
|
|---|---|---|---|
| 2 | 1 | ||
| 3 | 1 | Foreman natively supports LDAP authentication using one or multiple LDAP directories. |
|
| 4 | 1 | ||
| 5 | 1 | h2. Setting up |
|
| 6 | 1 | ||
| 7 | 1 | Go to Settings -> LDAP Autentication |
|
| 8 | 1 | ||
| 9 | 1 | Click on create new and enter the following |
|
| 10 | 1 | ||
| 11 | 1 | * *Name*: an arbitrary name for the directory |
|
| 12 | 1 | * *Host*: the LDAP host name |
|
| 13 | 1 | * *Port*: the LDAP port (default is 389) |
|
| 14 | 1 | * *TLS*: check this if you want or need to use LDAPS to access the directory |
|
| 15 | 1 | * *Account*: leave this field empty if your LDAP can be read anonymously, otherwise enter a usernamethat has read access to the LDAP or use $login (which will be replaced with the actual user credentials upon login |
|
| 16 | 1 | * *Password*: password for the account (if defined above and its not using the $login) |
|
| 17 | 1 | * *Base DN*: the top level DN of your LDAP directory tree |
|
| 18 | 1 | ||
| 19 | 1 | h2. On the fly user creation |
|
| 20 | 1 | ||
| 21 | 1 | By checking *on-the-fly register*, any LDAP user will have his Foreman account automatically created the first time he logs into Foreman. |
|
| 22 | 1 | For that, you have to specify the LDAP attributes name (firstname, lastname, email) that will be used to create their Foreman accounts. |
|
| 23 | 1 | ||
| 24 | 1 | Examples below: |
|
| 25 | 1 | ||
| 26 | 1 | h3. Active Directory |
|
| 27 | 1 | ||
| 28 | 1 | <pre> |
|
| 29 | 1 | Name = My Directory |
|
| 30 | 1 | Host = host.domain.org |
|
| 31 | 1 | Port = 636 |
|
| 32 | 1 | TLS = yes |
|
| 33 | 1 | Onthefly register = yes |
|
| 34 | 1 | Account = MyDomain\$login |
|
| 35 | 1 | Password = <leave blank> |
|
| 36 | 1 | Base DN = CN=users,DC=host,DC=domain,DC=org |
|
| 37 | 1 | attr login = sAMAccountName |
|
| 38 | 1 | attr firstname = givenName |
|
| 39 | 1 | attr lastname = sN |
|
| 40 | 1 | mail = mail |
|
| 41 | 1 | </pre> |
|
| 42 | 1 | ||
| 43 | 1 | h3. OpenLDAP |
|
| 44 | 1 | ||
| 45 | 1 | <pre> |
|
| 46 | 1 | Name = My Directory |
|
| 47 | 1 | Host = host.domain.org |
|
| 48 | 1 | Port = 389 |
|
| 49 | 1 | TLS = no |
|
| 50 | 1 | Onthefly register = yes |
|
| 51 | 1 | Account = <leave blank> |
|
| 52 | 1 | Password = <leave blank> |
|
| 53 | 1 | Base DN = ou=Users,dc=domain,dc=co,dc=il |
|
| 54 | 1 | attr login = uid |
|
| 55 | 1 | attr firstname = givenName |
|
| 56 | 1 | attr lastname = sn |
|
| 57 | 1 | mail = mail |
|
| 58 | 1 | </pre> |
|
| 59 | 1 | ||
| 60 | 1 | ||
| 61 | 1 | Note that LDAP attribute names are *case sensitive*. |
|
| 62 | 1 | ||
| 63 | 1 | h2. Enabling LDAP |
|
| 64 | 1 | ||
| 65 | 1 | edit your config/setting.yml |
|
| 66 | 1 | <pre> |
|
| 67 | 1 | :ldap: true |
|
| 68 | 1 | </pre> |
|
| 69 | 1 | ||
| 70 | 1 | and restart Foreman |
|
| 71 | 1 | h2. Troubleshooting |
|
| 72 | 1 | ||
| 73 | 1 | If you want to use on-the-fly user creation, make sure that Foreman can fetch from your LDAP all the required information to create a valid user. |
|
| 74 | 1 | For example, on-the-fly user creation won't work if you don't have valid email adresses in your directory (you will get an 'Invalid username/password' error message when trying to log in). |
