hedgedoc/docs/guides/auth/ldap-AD.md
Sheogorath 3122e351cd
Add documentation for an LDAP setup against Active Directory
Since our documentation on our LDAP configs is quite small, I add this
example for LDAP in an Active Directory environment.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-26 19:13:07 +02:00

1.7 KiB

AD LDAP auth

To setup your CodiMD instance with Active Directory you need the following configs:

CMD_LDAP_URL=ldap://internal.example.com
CMD_LDAP_BINDDN=cn=binduser,cn=Users,dc=internal,dc=example,dc=com
CMD_LDAP_BINDCREDENTIALS=<super secret password>
CMD_LDAP_SEARCHBASE=dc=internal,dc=example,dc=com
CMD_LDAP_SEARCHFILTER=(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))
CMD_LDAP_USERIDFIELD=sAMAccountName
CMD_LDAP_PROVIDERNAME=Example Inc AD

CMD_LDAP_BINDDN is either the distinguishedName or the userPrincipalName. This can cause "username/password is invalid" when either this value or the password from CMD_LDAP_BINDCREDENTIALS are incorrect.

CMD_LDAP_SEARCHFILTER matches on all users and uses either the email address or the sAMAccountName (usually the login name you also use to login to Windows).

Only using sAMAccountName looks like this: (&(objectcategory=person)(objectclass=user)(sAMAccountName={{username}}))

CMD_LDAP_USERIDFIELD says we want to use sAMAccountName as unique identifier for the account itself.

CMD_LDAP_PROVIDERNAME just the name written above the username and password field on the login page.

Same in json:

"ldap": {
    "url": "ldap://internal.example.com",
    "bindDn": "cn=binduser,cn=Users,dc=internal,dc=example,dc=com",
    "bindCredentials": "<super secret password>",
    "searchBase": "dc=internal,dc=example,dc=com",
    "searchFilter": "(&(objectcategory=person)(objectclass=user)(|(sAMAccountName={{username}})(mail={{username}})))",
    "useridField": "sAMAccountName",
},

More details and example: https://www.npmjs.com/package/passport-ldapauth