georchestra / georchestra-gateway

GNU General Public License v3.0

Add support for LDAP Active Directory authentication. #20

Closed groldan closed 2 years ago

groldan commented 2 years ago

Multiple LDAP authorization services can be configured, in which case, when doing HTTP Basic auth and Form login, each enabled LDAP service will be probed for the authentication credentials in the order they appear in the configuration, and the first successful authentication will be used.

If no georchestra.security.ldap.[name].enabled is true, the log-in page won't even show the username/password form inputs, and HTTP Basic authentication won't be enabled.

At application startup, the enabled configurations are validated. The application will fail to start if there's a validation error.

Each LDAP authentication provider can be one of:

Here's a sample configuration with three LDAP services. The ldap.default.* properties are embedded and match the ones of the ldap.ldap2 sample config, so it just needs to be enabled in the <datadirectory>/gateway/security.yaml file.

georchestra:
  gateway:
    security:
      ldap:
        default:
          enabled: true
        ldap2:
          enabled: false
          extended: true
          url: ${ldapScheme}://${ldapHost}:${ldapPort}
          baseDn: ${ldapBaseDn:dc=georchestra,dc=org}
          users:
            rdn: ${ldapUsersRdn:ou=users}
            searchFilter: ${ldapUserSearchFilter:(uid={0})}
          roles:
            rdn: ${ldapRolesRdn:ou=roles}
            searchFilter: ${ldapRolesSearchFilter:(member={0})}
          orgs:
            rdn: ${ldapOrgsRdn:ou=orgs}
        activeDirSample:
          enabled: false
          url: ldap://test.activedirectory.com:389
          domain: test.georchestra.org
          baseDn: dc=georchestra,dc=org
          users.searchFilter: (&(objectClass=user)(userPrincipalName={0}))
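As an added illustration of the rules described above (only enabled providers take part, they are validated before use, they are probed in configuration order and the first successful bind wins), here is a small Python model of that chain. It is not the gateway's code; the server URLs, directory contents and passwords are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of the provider chain described in the PR text.
# Not georchestra-gateway code; all values below are placeholders.

@dataclass
class LdapProvider:
    name: str
    url: str
    base_dn: str
    bind: Callable[[str, str], bool]  # stand-in for a real LDAP bind

def build_chain(config: Dict[str, dict],
                binders: Dict[str, Callable[[str, str], bool]]) -> List[LdapProvider]:
    """Enabled providers in configuration order; raises if one is incomplete."""
    chain: List[LdapProvider] = []
    for name, props in config.items():           # dict keeps insertion order
        if not props.get("enabled", False):
            continue                             # disabled entries are never probed
        missing = [k for k in ("url", "baseDn") if not props.get(k)]
        if missing:                              # startup-time validation failure
            raise ValueError(f"ldap.{name}: missing {missing}")
        chain.append(LdapProvider(name, props["url"], props["baseDn"], binders[name]))
    return chain

def login_form_enabled(chain: List[LdapProvider]) -> bool:
    """No enabled provider: no username/password form and no HTTP Basic."""
    return len(chain) > 0

def authenticate(chain: List[LdapProvider], user: str, pw: str) -> Optional[str]:
    """Probe providers in order; name of the first that accepts, else None."""
    for p in chain:
        if p.bind(user, pw):
            return p.name
    return None

# Constructed config mirroring the shape of the PR sample (placeholder values).
SAMPLE_CONFIG = {
    "default": {"enabled": True, "url": "ldap://ldap:389", "baseDn": "dc=georchestra,dc=org"},
    "ldap2": {"enabled": False, "url": "ldap://ldap2:389", "baseDn": "dc=georchestra,dc=org"},
    "activeDirSample": {"enabled": True, "url": "ldap://test.activedirectory.com:389",
                        "baseDn": "dc=georchestra,dc=org"},
}
# Constructed stand-in directories: username -> password that server accepts.
FAKE_DIRECTORIES = {"default": {"testadmin": "pw1"}, "ldap2": {"x": "y"},
                    "activeDirSample": {"aduser": "pw2"}}
BINDERS = {n: (lambda u, p, d=d: d.get(u) == p) for n, d in FAKE_DIRECTORIES.items()}
```

Note that a user rejected by the first directory is still tried against the next one, so a failed bind on one server is not by itself a rejection of the request.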