Ohad Levy, 02/02/2011 02:38 pm


LDAP Authentication

Foreman natively supports LDAP authentication using one or multiple LDAP directories.

Setting up

Go to Settings -> LDAP Authentication

Click on create new and enter the following:

  • Name: an arbitrary name for the directory
  • Host: the LDAP host name
  • Port: the LDAP port (default is 389)
  • TLS: check this if you want or need to use LDAPS to access the directory
  • Account: leave this field empty if your LDAP directory can be read anonymously; otherwise enter a user name that has read access to the directory, or use $login (which is replaced with the credentials of the user logging in)
  • Password: password for the account defined above (not needed when the account uses $login)
  • Base DN: the top level DN of your LDAP directory tree

On the fly user creation

By checking on-the-fly register, any LDAP user will have a Foreman account created automatically the first time they log into Foreman.
For that, you have to specify the LDAP attribute names (firstname, lastname, email) that will be used to create their Foreman accounts.

Examples below:

Active Directory

Name              = My Directory
Host              = host.domain.org
Port              = 636
TLS               = yes
Onthefly register = yes
Account           = MyDomain\$login
Password          = <leave blank>
Base DN           = CN=users,DC=host,DC=domain,DC=org
attr login        = sAMAccountName
attr firstname    = givenName
attr lastname     = sN
mail              = mail

OpenLDAP

Name              = My Directory
Host              = host.domain.org
Port              = 389
TLS               = no
Onthefly register = yes
Account           = <leave blank> (if anonymous access is enabled)
Password          = <leave blank>
Base DN           = ou=Users,dc=domain,dc=co,dc=il
attr login        = uid
attr firstname    = givenName
attr lastname     = sn
mail              = mail

Note that LDAP attribute names are case sensitive.

Enabling LDAP

Edit your config/setting.yml and add:

:ldap: true

then restart Foreman.

Troubleshooting

If you want to use on-the-fly user creation, make sure that Foreman can fetch from your LDAP directory all the information required to create a valid user.
For example, on-the-fly user creation won't work if your directory does not contain valid email addresses for the users (you will get an 'Invalid username/password' error message when trying to log in).
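The following Ruby script is an added example and is not Foreman's own code; it models the directory definition above as a hash with the wiki's field names and checks, offline, the three things that usually go wrong: which URL and port the TLS setting implies, which credentials a $login account binds with, and whether a user entry (here a constructed LDIF block, as ldapsearch would print it) carries every attribute that on-the-fly creation needs. The entry, the attribute lookup being case sensitive, and the helper names are assumptions of this example.

```ruby
# Added example, not Foreman code: sanity-check an LDAP directory
# definition and a user entry before enabling on-the-fly creation.

# The Active Directory example from the wiki, as a settings hash.
AD_DIRECTORY = {
  name: 'My Directory',
  host: 'host.domain.org',
  port: 636,
  tls: true,
  onthefly_register: true,
  account: 'MyDomain\\$login',
  password: '',
  base_dn: 'CN=users,DC=host,DC=domain,DC=org',
  attr_login: 'sAMAccountName',
  attr_firstname: 'givenName',
  attr_lastname: 'sN',
  attr_mail: 'mail'
}.freeze

# The OpenLDAP example: anonymous bind, plain LDAP on 389.
OPENLDAP_DIRECTORY = AD_DIRECTORY.merge(
  port: 389, tls: false, account: '',
  base_dn: 'ou=Users,dc=domain,dc=co,dc=il',
  attr_login: 'uid', attr_lastname: 'sn'
).freeze

# Scheme and port implied by the TLS checkbox (TLS means LDAPS).
def ldap_url(dir)
  scheme = dir[:tls] ? 'ldaps' : 'ldap'
  "#{scheme}://#{dir[:host]}:#{dir[:port]}"
end

# Credentials for the bind. With $login in the account, the user's own
# login and password are used; an empty account means anonymous bind;
# otherwise the stored service account and its password are used.
def bind_credentials(dir, login, user_password)
  account = dir[:account].to_s
  if account.include?('$login')
    [account.sub('$login', login), user_password]
  elsif account.empty?
    [nil, nil]
  else
    [account, dir[:password]]
  end
end

# Parse one LDIF entry (ldapsearch output) into name => [values].
# Attribute names are kept exactly as printed, since the wiki notes
# that Foreman treats them as case sensitive. "name:: value" lines
# carry base64-encoded values and are decoded.
def parse_ldif(text)
  entry = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.chomp
    next if line.empty? || line.start_with?('#')
    name, sep, value = line.partition(/::?\s*/)
    next if sep.empty?
    value = value.unpack1('m') if sep.start_with?('::')
    entry[name] << value
  end
  entry
end

# Mapped attributes (login, firstname, lastname, mail) that the entry
# lacks or leaves empty; on-the-fly creation needs all four.
def missing_attributes(dir, entry)
  %i[attr_login attr_firstname attr_lastname attr_mail].select do |key|
    values = entry[dir[key]]
    values.nil? || values.all? { |v| v.to_s.strip.empty? }
  end.map { |key| dir[key] }
end

# Constructed sample entry: the user has no mail attribute, and the
# directory returns "sn" while the definition asks for "sN".
SAMPLE_LDIF = <<~LDIF
  dn: CN=Jane Doe,CN=users,DC=host,DC=domain,DC=org
  sAMAccountName: jdoe
  givenName: Jane
  sn: Doe
LDIF

if __FILE__ == $0
  puts ldap_url(AD_DIRECTORY)
  p bind_credentials(AD_DIRECTORY, 'jdoe', 'user-password')
  p missing_attributes(AD_DIRECTORY, parse_ldif(SAMPLE_LDIF))
end
```

Running it reports `["sN", "mail"]` as missing for the sample entry: the missing mail attribute is exactly the case the troubleshooting note describes, and `sN` shows why an attribute name whose case does not match what the directory returns behaves the same as an absent attribute. To check a real account, replace SAMPLE_LDIF with the output of an ldapsearch for that user under the configured Base DN.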
