
LDAP Authentication (AD, OpenLDAP, FreeIPA)

Arjen van Bochoven edited this page Mar 19, 2020 · 6 revisions

For LDAP authentication, Munkireport uses the excellent adldap2 library. To get your authentication configured you need to put the necessary settings in your .env file (or environment variables):

AUTH_AD_HOSTS (required)

One or more LDAP servers (hostname or IP addresses) separated by a comma (,)

Example:

AUTH_AD_HOSTS=192.168.0.100, 192.168.0.101, myldap.mydomain.org

AUTH_AD_BASE_DN (required)

BaseDN for your directory

Example:

AUTH_AD_BASE_DN=dc=mydomain,dc=local

AUTH_AD_SCHEMA (optional)

LDAP schema, defaults to ActiveDirectory. Other values are FreeIPA and OpenLDAP.

Example:

AUTH_AD_SCHEMA=FreeIPA

AUTH_AD_ACCOUNT_PREFIX (optional)

Prefix used in the authentication string

Example:

AUTH_AD_ACCOUNT_PREFIX="uid="

AUTH_AD_ACCOUNT_SUFFIX (optional)

Suffix used in the authentication string.

Example:

AUTH_AD_ACCOUNT_SUFFIX=",ou=users,dc=my,dc=org"

AUTH_AD_USERNAME (optional)

Bind username used for the directory lookups; only specify this if the users themselves cannot look up groups, etc.

Example:

AUTH_AD_USERNAME=admin_account

AUTH_AD_PASSWORD (optional)

Bind password that goes with AUTH_AD_USERNAME

Example:

AUTH_AD_PASSWORD=somesecretpassword

AUTH_AD_PORT (optional)

Port that the LDAP server listens on, defaults to 389

Example:

AUTH_AD_PORT=3389

AUTH_AD_USE_SSL (optional)

Use SSL, defaults to FALSE

Example:

AUTH_AD_USE_SSL=TRUE

AUTH_AD_USE_TLS (optional)

Use TLS, defaults to FALSE

Example:

AUTH_AD_USE_TLS=TRUE

AUTH_AD_VERSION (optional)

LDAP version to use, either 2 or 3. Defaults to 3

Example:

AUTH_AD_VERSION=2

AUTH_AD_TIMEOUT (optional)

The timeout option configures the number of seconds to wait for a response from your LDAP server.

The default is 5 seconds.

Example:

AUTH_AD_TIMEOUT=10

AUTH_AD_FOLLOW_REFERRALS (optional)

The follow referrals option is a boolean that tells Active Directory to follow a referral to another server on your network if the server queried knows that the information you're asking for exists but does not yet hold a copy of it locally.

This option defaults to false.

Disable this option if you're experiencing search / connectivity issues.

For more information, visit: https://technet.microsoft.com/en-us/library/cc978014.aspx

Example:

AUTH_AD_FOLLOW_REFERRALS=TRUE

AUTH_AD_ALLOWED_USERS (optional)

List of users that are allowed to log in via LDAP

Example:

AUTH_AD_ALLOWED_USERS=bob, frances, jane

AUTH_AD_ALLOWED_GROUPS (optional)

List of groups that are allowed to log in via LDAP.

Example:

AUTH_AD_ALLOWED_GROUPS=domain_admins, helpdesk_users

AUTH_AD_RECURSIVE_GROUPSEARCH (optional)

Try to resolve nested groups when looking up groups for a user. This may slow down logins.

The default is FALSE.

Example:

AUTH_AD_RECURSIVE_GROUPSEARCH=TRUE

OpenLDAP Demo

The following configuration uses the public test LDAP server from forumsys:

AUTH_AD_SCHEMA="OpenLDAP"
AUTH_AD_BASE_DN="dc=example,dc=com"
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",dc=example,dc=com"
AUTH_AD_HOSTS="ldap.forumsys.com"
AUTH_AD_ALLOWED_USERS="curie, tesla"

You can log in as either curie or tesla with the password password.

FreeIPA Demo

AUTH_AD can be used to authenticate against a FreeIPA server. The following configuration authenticates against the FreeIPA demo server described here: https://www.freeipa.org/page/Demo

AUTH_AD_SCHEMA="FreeIPA"
AUTH_AD_BASE_DN="dc=demo1,dc=freeipa,dc=org"
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
AUTH_AD_HOSTS="ipa.demo1.freeipa.org"
AUTH_AD_ALLOWED_GROUPS="employees"

You can log in as employee or as Helpdesk; all passwords are Secret123.

The user employee should be able to log in. The user helpdesk is unauthorised because it's not a member of the group employees.
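The settings above are easy to get subtly wrong (a numeric value in a boolean option, a bind password without a bind username, no SSL or TLS so the simple bind sends the password in cleartext over port 389). The checker below is an added example, not Munkireport or adldap2 code: it parses a .env fragment, validates the AUTH_AD_* options as this page documents them, and shows the authentication string that AUTH_AD_ACCOUNT_PREFIX and AUTH_AD_ACCOUNT_SUFFIX wrap around the username. The sample .env is constructed from the FreeIPA demo values on this page, with two deliberate mistakes so the checker has something to report; the rules it enforces (port range, version 2 or 3, credentials set together, transport encryption enabled) are this example's own assumptions about sane settings, not behaviour the library guarantees.

```python
"""Offline sanity check for Munkireport AUTH_AD_* settings (added example, not project code)."""

REQUIRED_KEYS = ("AUTH_AD_HOSTS", "AUTH_AD_BASE_DN")
BOOL_KEYS = ("AUTH_AD_USE_SSL", "AUTH_AD_USE_TLS",
             "AUTH_AD_FOLLOW_REFERRALS", "AUTH_AD_RECURSIVE_GROUPSEARCH")
SCHEMAS = ("ActiveDirectory", "FreeIPA", "OpenLDAP")

# Constructed sample: the FreeIPA demo values from this page, plus a boolean
# given as a number and no SSL/TLS, so the checker has something to flag.
SAMPLE_ENV = """
AUTH_AD_SCHEMA="FreeIPA"
AUTH_AD_BASE_DN="dc=demo1,dc=freeipa,dc=org"
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
AUTH_AD_HOSTS="ipa.demo1.freeipa.org"
AUTH_AD_ALLOWED_GROUPS="employees"
AUTH_AD_FOLLOW_REFERRALS=10
AUTH_AD_PORT=3389
AUTH_AD_VERSION=2
"""


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped and one
    layer of matching single or double quotes is stripped from the value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def split_list(value):
    """Comma-separated list as used by AUTH_AD_HOSTS / ALLOWED_USERS / ALLOWED_GROUPS."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_true(settings, key):
    """Boolean options default to FALSE; only the literal TRUE (any case) enables them."""
    return settings.get(key, "FALSE").strip().upper() == "TRUE"


def bind_dn(settings, username):
    """The authentication string: ACCOUNT_PREFIX + username + ACCOUNT_SUFFIX."""
    return (settings.get("AUTH_AD_ACCOUNT_PREFIX", "")
            + username
            + settings.get("AUTH_AD_ACCOUNT_SUFFIX", ""))


def check_settings(settings):
    """Return a list of human-readable problems; empty means the settings look sane."""
    problems = []
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            problems.append(f"{key} is required")
    schema = settings.get("AUTH_AD_SCHEMA", "ActiveDirectory")
    if schema not in SCHEMAS:
        problems.append(f"AUTH_AD_SCHEMA must be one of {SCHEMAS}, got {schema!r}")
    for key in BOOL_KEYS:  # catches e.g. AUTH_AD_FOLLOW_REFERRALS=10
        if key in settings and settings[key].strip().upper() not in ("TRUE", "FALSE"):
            problems.append(f"{key} must be TRUE or FALSE, got {settings[key]!r}")
    port = settings.get("AUTH_AD_PORT", "389")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"AUTH_AD_PORT must be 1-65535, got {port!r}")
    if settings.get("AUTH_AD_VERSION", "3") not in ("2", "3"):
        problems.append(f"AUTH_AD_VERSION must be 2 or 3, got {settings['AUTH_AD_VERSION']!r}")
    timeout = settings.get("AUTH_AD_TIMEOUT", "5")
    if not timeout.isdigit() or int(timeout) < 1:
        problems.append(f"AUTH_AD_TIMEOUT must be a positive number of seconds, got {timeout!r}")
    # Assumption of this example: a bind password without a bind user (or vice versa)
    # is a configuration slip rather than something the library can use.
    if bool(settings.get("AUTH_AD_USERNAME")) != bool(settings.get("AUTH_AD_PASSWORD")):
        problems.append("AUTH_AD_USERNAME and AUTH_AD_PASSWORD must be set together")
    # Without LDAPS or StartTLS the simple bind carries the user's password in cleartext.
    if not (is_true(settings, "AUTH_AD_USE_SSL") or is_true(settings, "AUTH_AD_USE_TLS")):
        problems.append("neither AUTH_AD_USE_SSL nor AUTH_AD_USE_TLS is TRUE: "
                        "simple binds would send passwords in cleartext")
    return problems


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    print("hosts:", split_list(cfg["AUTH_AD_HOSTS"]))
    print("bind DN for 'employee':", bind_dn(cfg, "employee"))
    for problem in check_settings(cfg):
        print("PROBLEM:", problem)
```

Run it against your real .env before restarting the application; the two problems it prints for the sample are the numeric AUTH_AD_FOLLOW_REFERRALS and the missing transport encryption, and correcting those two values makes the check pass.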

Troubleshooting

If you turn on debug mode (DEBUG=TRUE in .env), AUTH_AD will write a log to:

/storage/logs/auth.log