plugins_auth_ldap
ferfissimo edited this page 2021-07-29 12:34:34 +00:00

auth_ldap Plugin

This plugin provides authentication over LDAP.

Configuration

A basic configuration entry inside the flaschengeist.toml looks like this:

[auth_ldap]
enabled = true
host = "localhost"
port = 389
base_dn = "cn=example,cn=com"
root_dn = "cn=Manager,cn=example,cn=com"
root_secret = "superS3cret"
  • base_dn defines the starting point the LDAP server uses when searching for users
  • root_dn is the DN of your manager account, used for creating new entries
  • root_secret is the secret (password) of the manager account

Set up password hash

The default password hash algorithm used by common LDAP applications, and by OpenLDAP when using the RFC 3062 password modify extension, is {SSHA}, i.e. salted SHA-1. It is better than MD5 and, of course, than plain text, but it is no longer considered secure.

You can set the hashing algorithm by setting

password_hash = "SSHA1"

Available hashes are:

  • SSHA - OpenLDAP default (salted sha1)
  • PBKDF2 - More secure and supported since OpenLDAP 2.4.40 (PBKDF2 with SHA512)
  • Argon2 - Most secure algorithm of those three, supported since 2.4.50

PBKDF2 is only available as a contrib module, so you might have to install the openldap2-contrib package on your LDAP server and load the module in slapd.conf like this: moduleload pw-pbkdf2.la

Argon2 was, like PBKDF2, provided as a contrib module until OpenLDAP 2.5.0. Starting with 2.5.0 it is a core module, but it still needs to be loaded with moduleload argon2.la. You also need to install Flaschengeist with Argon support: pip3 install --user ".[ldap,argon]"
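To make the difference between the three schemes concrete, here is an added example (not Flaschengeist's or OpenLDAP's code) that produces and verifies userPassword values in the {SSHA} format OpenLDAP uses by default, and in the {PBKDF2-SHA512} format of the pw-pbkdf2 contrib module. The {SSHA} layout (base64 of the 20-byte SHA-1 digest followed by the salt) is standard; the PBKDF2 layout (rounds$salt$hash with '.'-for-'+' base64 and no padding, as used by passlib's ldap_pbkdf2_sha512) is given to the best of this example's knowledge and should be checked against your slapd version before relying on it. Argon2 is left out because it needs a third-party library.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # One unsalted-speed SHA-1 per guess is exactly why SSHA is considered weak today.
    return hmac.compare_digest(digest, candidate)


def _ab64_encode(data: bytes) -> str:
    """'Adapted base64' (assumed pw-pbkdf2 / passlib convention): '+' becomes '.', no '=' padding."""
    return base64.b64encode(data).decode("ascii").replace("+", ".").rstrip("=")


def _ab64_decode(text: str) -> bytes:
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded)


def pbkdf2_sha512_hash(password: str, salt: Optional[bytes] = None, rounds: int = 10000) -> str:
    """Return a {PBKDF2-SHA512}rounds$salt$hash value (format assumed from the pw-pbkdf2 module)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{{PBKDF2-SHA512}}{rounds}${_ab64_encode(salt)}${_ab64_encode(dk)}"


def pbkdf2_sha512_verify(stored: str, password: str) -> bool:
    """Check a password against a {PBKDF2-SHA512} value; malformed input verifies as False."""
    prefix = "{PBKDF2-SHA512}"
    if not stored.startswith(prefix):
        return False
    try:
        rounds_s, salt_s, dk_s = stored[len(prefix):].split("$")
        rounds = int(rounds_s)
        salt, dk = _ab64_decode(salt_s), _ab64_decode(dk_s)
    except ValueError:
        return False
    # The round count is stored with the hash, so every guess costs `rounds` HMAC-SHA512 runs.
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=len(dk))
    return hmac.compare_digest(dk, candidate)


if __name__ == "__main__":
    # Constructed demo password; salts are random here, fixed in the tests.
    pw = "correct horse battery staple"
    print(ssha_hash(pw))
    print(pbkdf2_sha512_hash(pw))
```

Both verify functions use hmac.compare_digest so that a wrong guess is rejected in constant time, and both reject values that are not in their own scheme rather than raising, which is what an authentication path should do with unexpected userPassword contents.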

Set up SSL (LDAP over SSL)

Although this is called SSL, TLS is what is actually used, as SSL is deprecated.

There are two ways of securing LDAP: LDAP over TLS (STARTTLS) and LDAP over SSL (LDAPS). STARTTLS works by establishing an unsecured channel and upgrading it to TLS afterwards; this method is not supported!

Only LDAPS is supported, so your LDAP server has to run in LDAPS mode and should be configured to support at least TLSv1.1. Please note that TLSv1.1 is deprecated and considered insecure, so use at least TLSv1.2 and preferably TLSv1.3. A simple LDAPS config for Flaschengeist looks like this:

# Enable LDAPS
use_ssl = true
# Default port for LDAPS
port = 636

If you use self-signed certificates you can also specify your CA by setting

ca_cert = "/etc/ssl/my-ca.crt"
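The following added example (not part of Flaschengeist) reads an [auth_ldap] table from flaschengeist.toml and reports the weak settings this page discusses: missing use_ssl, LDAPS on the plain-LDAP port, and the SSHA default for password_hash. It also builds the client-side TLS settings the page recommends (TLS 1.2 or newer, verified server certificate, optional private CA from ca_cert). The key names come from this page; the finding texts, the build_tls_context helper and the sample config are this example's own.

```python
"""Audit an [auth_ldap] section for the weak settings this page warns about."""
import ssl
from typing import Any, Dict, List

try:
    import tomllib  # standard library since Python 3.11
except ImportError:  # pragma: no cover
    tomllib = None

# Constructed sample: the basic plain-LDAP config from the top of this page.
SAMPLE_CONFIG = """
[auth_ldap]
enabled = true
host = "localhost"
port = 389
base_dn = "cn=example,cn=com"
root_dn = "cn=Manager,cn=example,cn=com"
root_secret = "superS3cret"
"""


def load_auth_ldap(text: str) -> Dict[str, Any]:
    """Parse flaschengeist.toml text and return the [auth_ldap] table."""
    if tomllib is None:
        raise RuntimeError("tomllib is unavailable; pass an already parsed dict to audit_auth_ldap")
    return tomllib.loads(text)["auth_ldap"]


def audit_auth_ldap(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was spotted."""
    findings: List[str] = []
    use_ssl = bool(cfg.get("use_ssl", False))
    if not use_ssl:
        findings.append("use_ssl is off: bind credentials and directory data cross the network in clear text")
        if cfg.get("ca_cert"):
            findings.append("ca_cert is set but has no effect while use_ssl is off")
    elif cfg.get("port") == 389:
        findings.append("use_ssl is on but port is 389 (plain LDAP); LDAPS normally listens on 636")
    # The page names {SSHA} as the OpenLDAP default, so a missing key counts as SSHA.
    hash_alg = str(cfg.get("password_hash", "SSHA")).upper()
    if hash_alg.startswith("SSHA"):
        findings.append("password_hash is salted SHA-1 (SSHA): fast to brute-force, prefer PBKDF2 or Argon2")
    return findings


def build_tls_context(cfg: Dict[str, Any]) -> ssl.SSLContext:
    """Client TLS settings matching the page's advice: TLS 1.2+, verified server cert, optional private CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cfg.get("ca_cert"):
        # Self-signed or private CA: trust exactly that file in addition to nothing else.
        ctx.load_verify_locations(cafile=cfg["ca_cert"])
    return ctx


if __name__ == "__main__":
    section = load_auth_ldap(SAMPLE_CONFIG)
    for finding in audit_auth_ldap(section):
        print("-", finding)
    print("minimum TLS version for LDAPS:", build_tls_context({}).minimum_version.name)
```

Run against the basic config from the top of this page, the audit reports the clear-text connection and the SSHA default; with use_ssl = true, port = 636 and password_hash = "Argon2" it reports nothing.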

Set object classes for new entries

The default object class is inetOrgPerson, but you can override it using

[auth_ldap]
# ...
object_classes = [
  "inetOrgPerson",
  "posixAccount"
]

Set attributes for new entries

By default Flaschengeist only sets the attributes it uses itself, but you can specify other attributes as well. Default:

  • sn
  • givenName
  • uid
  • userPassword
  • mail
  • display_name

To specify other attributes, add this to your configuration:

[auth_ldap]
# ...
  [auth_ldap.user_attributes]
  # e.g. setting a primary group for new users
  gidNumber = 1001
  homeDirectory = "/home/{userid}"
  loginShell = "/bin/bash"
  uidNumber = 1000

uidNumber is a special attribute: specifying a number x means an incrementing generator is used, starting at x (or at the highest uidNumber already present in the directory in use).

As the example shows, you can use placeholders. Valid ones are:

  • userid
  • display_name
  • firstname
  • lastname
  • mail

Set DN for new entries

You can specify a DN template if your user schema requires it. The default one is:

uid={userid},{base_dn}

To specify a different template use:

dn_template = "cn={user.firstname} {user.lastname},ou=user,{base_dn}"
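As an added example (not Flaschengeist's code) of how the attribute templates, the uidNumber generator and the dn_template described in the two sections above fit together, the block below fills the placeholders listed on this page ({userid}, {display_name}, {firstname}, {lastname}, {mail}, plus the {user.firstname} attribute style shown in the dn_template example) for a constructed user. Values that end up inside a DN are escaped according to RFC 4514, so a surname containing a comma cannot add or alter an RDN; the User class, the escape routine and the "start at x or one above the highest existing uidNumber" reading of the generator are this example's own assumptions.

```python
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Any, Dict, Iterable


@dataclass
class User:
    """Constructed stand-in for the user record Flaschengeist creates an entry for."""
    userid: str
    firstname: str
    lastname: str
    mail: str

    @property
    def display_name(self) -> str:
        return f"{self.firstname} {self.lastname}"


# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (special chars, leading '#', leading/trailing space, control chars)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def placeholders(user: User, base_dn: str, escape: bool = False) -> Dict[str, Any]:
    """Build the format_map context for the page's placeholders; base_dn is a DN already and never escaped."""
    vals = {
        "userid": user.userid,
        "display_name": user.display_name,
        "firstname": user.firstname,
        "lastname": user.lastname,
        "mail": user.mail,
    }
    if escape:
        vals = {k: escape_dn_value(v) for k, v in vals.items()}
    ctx: Dict[str, Any] = dict(vals)
    ctx["user"] = SimpleNamespace(**vals)  # supports the {user.firstname} style
    ctx["base_dn"] = base_dn
    return ctx


def render_attributes(templates: Dict[str, Any], user: User, base_dn: str) -> Dict[str, Any]:
    """Fill [auth_ldap.user_attributes] templates; non-string values (gidNumber = 1001) pass through unchanged."""
    ctx = placeholders(user, base_dn)
    return {k: (v.format_map(ctx) if isinstance(v, str) else v) for k, v in templates.items()}


def render_dn(template: str, user: User, base_dn: str) -> str:
    """Fill dn_template with DN-escaped values so user-controlled names cannot change the DN structure."""
    return template.format_map(placeholders(user, base_dn, escape=True))


def next_uid_number(start: int, existing: Iterable[int]) -> int:
    """Incrementing generator as this page describes it (assumed reading): start at `start`,
    or one above the highest uidNumber already present in the directory, whichever is higher."""
    highest = max(existing, default=start - 1)
    return max(start, highest + 1)


if __name__ == "__main__":
    # Constructed sample user whose surname contains a DN-special character.
    user = User("jdoe", "Jane", "Doe, Jr.", "jane@example.org")
    base = "cn=example,cn=com"
    print(render_attributes({"gidNumber": 1001, "homeDirectory": "/home/{userid}"}, user, base))
    print(render_dn("cn={user.firstname} {user.lastname},ou=user,{base_dn}", user, base))
    print(next_uid_number(1000, [1000, 1005, 1002]))
```

The escaping is applied only for the DN, not for the attribute values themselves: in an LDAP add operation the attribute values are sent as plain strings, whereas the DN is parsed, which is why the same surname appears unescaped in sn but escaped in the DN.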

Other various configuration options

Other optional configuration values include:

  • search_dn, where to search for users, default ou=people,{base_dn}
  • group_dn, where to search for groups, default ou=group,{base_dn}