LDAP authorization

Enabling LDAP authorization

First, you should enable LDAP authorization function in your application development project:

• set up dependency to the cartridge-auth-extension module that is available in the Enterprise Edition’s package.
• update the configuration in the application initialization file.

1. In your development project, find a .rockspec file and specify the following dependency:

   dependencies = {
       'cartridge-auth-extension'
   }
   

2. In an initialization Lua file of your project, specify the cartridge-auth-extension cluster role in the Cartridge configuration. The role enables storing authorized users and validating the LDAP configuration.

   cartridge.cfg({
       roles = {
          'cartridge-auth-extension',
       },
       auth_backend_name = 'cartridge-auth-extension',
   })
   

3. Deploy and start your application. For details, refer to Руководство для разработчика.

Configuring LDAP authorization

After starting your application, you need to configure LDAP authorization. It can be done via the GUI administrative console.

1. In a web browser, open the GUI administrative console of your application.
2. If you have the application instances already configured, proceed to the next step. Otherwise, refer to Развертывание кластера on how to configure the cluster.
3. In the GUI administrative console, navigate to the Code tab. Create the following YAML configuration files and specify the necessary parameters. Below is the example of configuration and the description of parameters.

• auth_extension.yml

  method: local+ldap
  

• ldap.yml

  - domain: 'test.glauth.com'
    organizational_units: ['all_staff']
    hosts:
      - localhost:3893
    use_tls: false
    use_active_directory: false
    search_timeout: 2
    roles:
      - role: 'admin'
        domain_groups:
          - 'cn=superusers,ou=groups,dc=glauth,dc=com'
          - 'cn=users,ou=groups,dc=glauth,dc=com'
    options:
      LDAP_OPT_DEBUG_LEVEL: 10
  

• auth.yml

  enabled: true
  

Configuration parameters:

• method – authorization mode. Possible values:

  • local – only local users can be authorized in the application. «Local» refers to users created in the application.
  • ldap – only LDAP users can be authorized.
  • local+ldap – both local and LDAP users can be authorized.

• domain – domain name that is used in the domain login ID (user_name@domain).

• organizational_units – names of the organizational units or user groups.

• hosts – LDAP server addresses.

• use_tls – boolean flag that defines TLS usage. Defaults to false.

• use_active_directory – boolean flag that defines usage of the Active Directory. Defaults to false. If set to true, use the login ID in the email format (user_name@domain). The ID should be equal to the userPrincipalName Active Directory attribute value because the latter is used in the Active Directory filter.

• search_timeout – LDAP server response timeout. Defaults to 2 seconds.

• roles – user roles assigned to a user depending on the LDAP groups the user belongs to:

  • role – user role;
  • domain_groups – LDAP groups where cn – common name; ou – organization unit name; dc – domain component.

• options – the OpenLDAP library options. Supported options:

  • LDAP_OPT_X_TLS_REQUIRE_CERT
  • LDAP_OPT_PROTOCOL_VERSION
  • LDAP_OPT_DEBUG_LEVEL
  • LDAP_OPT_X_TLS_CACERTFILE
  • LDAP_OPT_X_TLS_CACERTDIR.

  For description of the options, refer to the OpenLDAP documentation.

• enabled – boolean flag. If set to true, enables mandatory authentication mode in the application web interface.