Open darellwu opened 4 years ago
Hi @darellwu,
You can change the attribute by which the users log in in the login->attr variable of PHPLDAPADMIN_LDAP_HOSTS. For example, the command below will use the uid attribute to log in instead of the DN:
docker run --env PHPLDAPADMIN_LDAP_HOSTS="#PYTHON2BASH:[{'ldap.example.org': [{'server': [{'tls': True}]},{'login': [{'attr': 'uid'}]}]}]" --detach osixia/phpldapadmin:0.9.0
You can check the phpLDAPAdmin documentation on Server definitions for additional options that can be added/changed.
I for the life of me cannot get this to work. This is the relevant docker-compose chunk with sensitive info redacted; I've only been able to log in with the DN of any user.
ldapadmin:
  container_name: $STACK-admin
  image: osixia/phpldapadmin
  restart: always
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  environment:
    VIRTUAL_PORT: 80
    VIRTUAL_HOST: $PHPLDAPADMIN.$LDAP.$DOMAIN
    LETSENCRYPT_HOST: $PHPLDAPADMIN.$LDAP.$DOMAIN
    PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap.example.com': [{'server': [{'tls': True}]},{'login': [{'attr': 'uid'}]}]}]"
    PHPLDAPADMIN_HTTPS: "false"
  networks:
    - ext_net
    - int_net
I still cannot figure this out. If someone would be able to point me in the right direction, here is the complete compose file. Please note I have tried both:
tls: True, port: 636
tls: False, port: 389
I have also tried wrapping PYTHON2BASH in single quotes, i.e. '#PYTHON2BASH:[{"openldap": etc etc}]', and trying it the way suggested above, wrapped in double quotes: "PYTHON2BASH:[{'openldap': etc etc}]"
I can, however, log in with the DN of any user, i.e.:
This is my LDAP DN layout:
cn=admin,dc=ldap,dc=example,dc=com
uid=user,ou=people,dc=ldap,dc=example,dc=com
version: '3.8'
services:
  openldap:
    container_name: $STACK-ldap
    image: osixia/openldap:1.4.0
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    hostname: $LDAP_DOMAIN
    domainname: $DOMAIN
    tty: true
    stdin_open: true
    ports:
      - 389:389
      - 636:636
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: $LDAP_ORGANISATION_NAME
      LDAP_DOMAIN: $LDAP_DOMAIN.$DOMAIN
      LDAP_ADMIN_PASSWORD: $LDAP_ADMIN_PASSWORD
      LDAP_CONFIG_PASSWORD: $LDAP_CONFIG_PASSWORD
      LDAP_READONLY_USER: "true"
      LDAP_READONLY_USER_USERNAME: "bind"
      LDAP_READONLY_USER_PASSWORD: $LDAP_READONLY_USER_PASSWORD
      LDAP_RFC2307BIS_SCHEMA: "true"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "true"
      LDAP_TLS_CRT_FILENAME: "ldap.crt"
      LDAP_TLS_KEY_FILENAME: "ldap.key"
      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_VERIFY_CLIENT: "demand"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    volumes:
      - $APPDATA/$STACK/openldap/config:/etc/ldap/slapd.d
      - $APPDATA/$STACK/openldap/data:/var/lib/ldap
    networks:
      - int_net
  phpldapadmin:
    container_name: $STACK-admin
    image: osixia/phpldapadmin:latest
    restart: always
    labels:
      # - "traefik.enable=false"
      # - "traefik.http.routers.$STACK-phpldapadmin.rule=Host(`$LDAP_ADMIN_DOMAIN.$DOMAIN`)"
      # - "traefik.http.routers.$STACK-phpldapadmin.entrypoints=websecure"
      # - "traefik.http.routers.$STACK-phpldapadmin.tls.certresolver=mytlschallenge"
      # - "traefik.http.services.$STACK-phpldapadmin.loadbalancer.server.port=443"
      - "com.centurylinklabs.watchtower.enable=true"
    environment:
      VIRTUAL_PORT: 443
      VIRTUAL_HOST: $LDAP_ADMIN_DOMAIN.$LDAP_DOMAIN.$DOMAIN
      VIRTUAL_PROTO: https
      LETSENCRYPT_HOST: $LDAP_ADMIN_DOMAIN.$LDAP_DOMAIN.$DOMAIN
      PHPLDAPADMIN_LDAP_HOSTS: '#PYTHON2BASH:[{"openldap": [{"server": [{"tls": false},{"port": 389}]},{"login": [{"attr": "uid"}]}]}]'
      PHPLDAPADMIN_HTTPS: "true"
      PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
    networks:
      - int_net
      - ext_net
networks:
  int_net:
    external:
      name: internal_network
  ext_net:
    external:
      name: external_network
Any luck? I have the same problem; I need to log in using email.
First create this user on the operating system (for example, with the adduser shell command); then I think it is OK.
At 2020-12-10 19:47:44, "windyhen" notifications@github.com wrote:
> Any luck? I have the same problem; I need to log in using email.
Hi, for people like me who are searching for a full answer:
When this value (login:attr) is not dn, PLA will perform an anonymous bind to the LDAP server to find the DN, whose value is found by this attribute ID (and the attribute value the user provided on the login form). http://phpldapadmin.sourceforge.net/wiki/index.php/Server:login:attr
So if you are not allowing anonymous users to query, as is the default in osixia/docker-openldap, it will not work. You need to define a bind_id and a bind_pass that will be used to search for the value. Remember to add fallback_dn, or you will be unable to log in as cn=admin.
Here is a full server config that was working for me:
phpldapadmin:
  image: osixia/phpldapadmin:stable
  container_name: phpldapadmin
  environment:
    PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap.example.org': [{'server': [{'port': 0}]}, {'login': [{'bind_id': 'cn=admin,dc=example,dc=org'}, {'bind_pass': 'ADMIN_PASS'}, {'attr': 'uid'}, {'fallback_dn': True}]}]}]"
    PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "ca_server.pem"
    PHPLDAPADMIN_HTTPS: "false" # behind a reverse proxy
  volumes:
    - ./ca_server.pem:/container/service/ldap-client/assets/certs/ca_server.pem
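To make the two points in this thread concrete (the login->attr setting from the first reply, and the bind_id/bind_pass plus fallback_dn requirement from the answer just above), here is an added example that is not part of the original issue or of the osixia or phpLDAPadmin projects. It assumes that whatever follows the #PYTHON2BASH: prefix is parsed as a Python literal (I use ast.literal_eval; if the image uses plain eval instead, the outcome for a JSON-style lowercase false is the same, since Python has no false literal, so it fails to parse rather than becoming the boolean False). The lint function, its messages and the sample values are mine; the rules it encodes are the documented behaviour quoted above: an attr other than dn triggers a DN search, which is anonymous unless bind_id/bind_pass are set, and fallback_dn is what lets a full DN still be typed at the login form.

```python
import ast

PREFIX = "#PYTHON2BASH:"


def encode_hosts(hosts):
    """Serialize a phpLDAPadmin server list into the PHPLDAPADMIN_LDAP_HOSTS form.

    Assumption: the value after the prefix is a Python literal, so repr() of a
    list/dict structure (True/False, single-quoted strings) is accepted.
    """
    return PREFIX + repr(hosts)


def decode_hosts(value):
    """Parse a PHPLDAPADMIN_LDAP_HOSTS value back into Python data.

    Raises ValueError when the prefix is missing (the value would then be used
    as a plain string) or when the payload is not a Python literal, which is
    what happens with JSON-style true/false/null.
    """
    if not value.startswith(PREFIX):
        raise ValueError("value lacks the '#PYTHON2BASH:' prefix")
    try:
        return ast.literal_eval(value[len(PREFIX):])
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"payload is not a Python literal: {exc}") from exc


def parse_problem(value):
    """Return the parse error message for a value, or None if it parses."""
    try:
        decode_hosts(value)
    except ValueError as exc:
        return str(exc)
    return None


def flatten(sections):
    """Merge phpLDAPadmin's list-of-single-key-dicts layout into plain dicts.

    [{'server': [{'tls': True}]}, {'login': [{'attr': 'uid'}]}]
    -> {'server': {'tls': True}, 'login': {'attr': 'uid'}}
    """
    merged = {}
    for entry in sections:
        for section, options in entry.items():
            target = merged.setdefault(section, {})
            for option in options:
                target.update(option)
    return merged


def lint_login(hosts):
    """Warn about login blocks that will fail the way this thread describes.

    attr == 'dn' (the default) binds directly with what the user typed, so
    nothing to check. Any other attr first searches for the DN: anonymously
    unless bind_id/bind_pass are set (osixia/openldap denies anonymous search
    by default), and without fallback_dn a full DN is no longer accepted.
    """
    warnings = []
    for entry in hosts:
        for name, sections in entry.items():
            login = flatten(sections).get("login", {})
            attr = login.get("attr", "dn")
            if attr == "dn":
                continue
            if not login.get("bind_id") or not login.get("bind_pass"):
                warnings.append(
                    f"{name}: attr={attr!r} but no bind_id/bind_pass, so the DN "
                    "lookup is an anonymous search (denied by default)"
                )
            if not login.get("fallback_dn"):
                warnings.append(
                    f"{name}: attr={attr!r} without fallback_dn, so logging in "
                    "with a full DN such as cn=admin,... is not possible"
                )
    return warnings


# Constructed sample values: the first suggestion in the thread, the JSON-style
# compose value, and the working config from the last answer.
ATTR_ONLY = PREFIX + "[{'ldap.example.org': [{'server': [{'tls': True}]},{'login': [{'attr': 'uid'}]}]}]"
JSON_STYLE = PREFIX + '[{"openldap": [{"server": [{"tls": false},{"port": 389}]},{"login": [{"attr": "uid"}]}]}]'
WORKING = encode_hosts([{
    "ldap.example.org": [
        {"server": [{"port": 0}]},
        {"login": [
            {"bind_id": "cn=admin,dc=example,dc=org"},
            {"bind_pass": "ADMIN_PASS"},
            {"attr": "uid"},
            {"fallback_dn": True},
        ]},
    ],
}])

if __name__ == "__main__":
    for label, value in [("attr only", ATTR_ONLY), ("json style", JSON_STYLE), ("working", WORKING)]:
        problem = parse_problem(value)
        if problem:
            print(f"{label}: does not parse: {problem}")
        else:
            print(f"{label}: {lint_login(decode_hosts(value)) or 'ok'}")
```

Two practitioner notes. First, the search credential ends up in clear text in the container environment, so use the read-only account that the compose file above already creates (LDAP_READONLY_USER) as bind_id rather than cn=admin, and feed its password through your secrets mechanism instead of a literal in the compose file. Second, the same two-step login can be verified from any host with ldapsearch: run `ldapsearch -x -H ldap://<host> -b <base> '(uid=user)' dn` once without credentials and once with `-D <bind_id> -w <bind_pass>`; if only the second returns the DN, anonymous search is denied and bind_id/bind_pass are required for attr: uid to work.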
The default configuration is to log in with a DN, for example cn=admin,dc=example,dc=com,
but I want to log in with uid or email. How can I configure it?
Thanks.