Foreman natively supports LDAP authentication using one or multiple LDAP directories.
Go to Settings -> LDAP Autentication
Click on create new and enter the following
- Name: an arbitrary name for the directory
- Host: the LDAP host name
- Port: the LDAP port (default is 389)
- TLS: check this if you want or need to use LDAPS to access the directory
- Account: leave this field empty if your LDAP can be read anonymously, otherwise enter a user name that has read access to the LDAP or use $login (which will be replaced with the actual user credentials upon login)
- Password: password for the account (if defined above and its not using the $login)
- Base DN: the top level DN of your LDAP directory tree
On the fly user creation¶
By checking on-the-fly register, any LDAP user will have his Foreman account automatically created the first time he logs into Foreman.
For that, you have to specify the LDAP attributes name (firstname, lastname, email) that will be used to create their Foreman accounts.
Name = My Directory Host = host.domain.org Port = 636 TLS = yes Onthefly register = yes Account = MyDomain\$login Password = <leave blank> Base DN = CN=users,DC=host,DC=domain,DC=org attr login = sAMAccountName attr firstname = givenName attr lastname = sN mail = mail
Name = My Directory Host = host.domain.org Port = 389 TLS = no Onthefly register = yes Account = <leave blank> (if anonymous access is enabled) Password = <leave blank> Base DN = ou=Users,dc=domain,dc=co,dc=il attr login = uid attr firstname = givenName attr lastname = sn mail = mail
Note that LDAP attribute names are case sensitive.
edit your config/setting.yml
and restart Foreman
If you want to use on-the-fly user creation, make sure that Foreman can fetch from your LDAP all the required information to create a valid user.
For example, on-the-fly user creation won't work if you don't have valid email adresses in your directory (you will get an 'Invalid username/password' error message when trying to log in).