lmenezes / cerebro

MIT License

LDAP and Windows AD #392

Open marcospastor opened 5 years ago

marcospastor commented 5 years ago

I have LDAP working with Windows AD using mail as user-attr.

Recently I changed the mail address in the Windows user accounts and now they cannot access Cerebro using LDAP. They get a user/password error.

After doing some tests I found that Cerebro LDAP (using mail as the user attribute) only works if the mail and UPN attributes match in AD. Any other combination fails to authenticate.

This is the actual configuration I use:

```
type: ldap
method = "simple"
user-template = "%s"
user-attr = "mail"
```

Could it be an issue with Cerebro LDAP config?

Thanks.

trenb commented 4 years ago

Try the following:

```
user-attr = "userPrincipalName"
user-template = "%s@domain.lan"
```

where @domain.lan matches the domain in your UPN. I have a full example in https://github.com/lmenezes/cerebro/issues/442 that includes AD auth plus mandatory group membership.
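The behaviour reported above (a mail address only binds when it happens to equal the UPN) and the fix suggested in the previous comment both come down to what Active Directory accepts as the name in an LDAP simple bind. The following is an added, offline model of that mechanism, written for this page and not taken from the cerebro project: it fills `user-template` with the submitted login name to get the bind principal, resolves it the way an AD simple bind would (DN, UPN or `DOMAIN\user` only), and then looks the entry up by `user-attr`. The directory contents, the NetBIOS domain name, the assumption that the lookup value is the same templated principal, and all function names are assumptions for illustration; the filter escaping is the RFC 4515 rule any code that interpolates a login name into a filter should apply.

```python
from typing import Dict, List, Optional, Tuple

# RFC 4515 escapes for characters that would otherwise alter filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value before interpolating it into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed directory (assumed sample data), DN -> attributes.  bob's mail no
# longer equals his UPN, which is the situation described in the issue.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,OU=Users,DC=domain,DC=lan": {
        "userPrincipalName": "alice@domain.lan",
        "sAMAccountName": "alice",
        "mail": "alice@domain.lan",
    },
    "CN=bob,OU=Users,DC=domain,DC=lan": {
        "userPrincipalName": "bob@domain.lan",
        "sAMAccountName": "bob",
        "mail": "robert.smith@example.com",
    },
}
NETBIOS_DOMAIN = "DOMAIN"  # assumed NetBIOS name used for DOMAIN\user binds


def bind_principal(user_template: str, login: str) -> str:
    """The name sent in the simple bind: user-template with %s filled in."""
    return user_template % login


def ad_resolve_bind_name(principal: str) -> Optional[str]:
    """Approximation of the name forms an AD simple bind accepts: a DN, a UPN, or
    NETBIOS\\sAMAccountName.  A bare mail address is not one of them, so it only
    binds when it happens to equal the UPN."""
    p = principal.lower()
    for dn, attrs in DIRECTORY.items():
        if p in (dn.lower(),
                 attrs["userPrincipalName"].lower(),
                 f"{NETBIOS_DOMAIN}\\{attrs['sAMAccountName']}".lower()):
            return dn
    return None


def lookup_filter(user_attr: str, value: str) -> str:
    """Filter that finds the entry by user-attr, with the value escaped."""
    return f"(&(objectClass=user)({user_attr}={escape_filter_value(value)}))"


def search(user_attr: str, value: str) -> List[str]:
    """Local stand-in for the case-insensitive equality match the directory would do."""
    return [dn for dn, attrs in DIRECTORY.items()
            if attrs.get(user_attr, "").lower() == value.lower()]


def authenticate(user_template: str, user_attr: str, login: str) -> Tuple[bool, str]:
    """Bind with the templated principal, then look the entry up by user-attr.
    Assumption: the lookup value is the same templated principal.  Passwords are
    not modelled; a bind whose name resolves counts as successful."""
    principal = bind_principal(user_template, login)
    dn = ad_resolve_bind_name(principal)
    if dn is None:
        return False, f"bind failed: {principal!r} is not a DN, UPN or DOMAIN\\user"
    hits = search(user_attr, principal)
    if hits != [dn]:
        return False, f"{lookup_filter(user_attr, principal)} matched {hits}"
    return True, dn


if __name__ == "__main__":
    for template, attr, login in [
        ("%s", "mail", "alice@domain.lan"),                        # mail == UPN: works
        ("%s", "mail", "robert.smith@example.com"),                # mail != UPN: bind fails
        ("%s@domain.lan", "userPrincipalName", "bob"),             # suggested fix: works
        ("%s@domain.lan", "userPrincipalName", "bob@domain.lan"),  # suffix applied twice
    ]:
        print(template, attr, login, "->", authenticate(template, attr, login))
```

The last case is the caveat that comes with the `%s@domain.lan` template: users have to type the bare account name, because a login that already carries the domain suffix gets it appended a second time and the bind fails with the same user/password error as a wrong password.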