LDAP authorization
This chapter describes how to manage the access roles of LDAP users who log in to your Cartridge application.
Setting up this feature is twofold:
- enabling the feature for your application
- specifying configuration parameters.
Note
For information on setting up the authorization of external users in your application, refer to Implementing LDAP authorization in the web interface.
First, enable the LDAP authorization function in your application development project:
- set up a dependency on the cartridge-auth-extension module, which is available in the Enterprise Edition package;
- update the configuration in the application initialization file.
Note
If you don’t have a development project yet, refer to Developer’s guide on how to create it.
In your development project, find the .rockspec file and specify the following dependency:

```lua
dependencies = {
    'cartridge-auth-extension',
}
```

In the initialization Lua file of your project, specify the cartridge-auth-extension cluster role in the Cartridge configuration. The role enables storing authorized users and validating the LDAP configuration. Setting auth_backend_name to the same module makes Cartridge use it as the authentication backend for the web interface:

```lua
cartridge.cfg({
    roles = {
        'cartridge-auth-extension',
    },
    auth_backend_name = 'cartridge-auth-extension',
})
```
Deploy and start your application. For details, refer to Developer’s guide.
After starting your application, you need to configure LDAP authorization. It can be done via the GUI administrative console.
- In a web browser, open the GUI administrative console of your application.
- If you have the application instances already configured, proceed to the next step. Otherwise, refer to Deploying the cluster on how to configure the cluster.
- In the GUI administrative console, navigate to the Code tab. Create the following YAML configuration files and specify the necessary parameters. Below is an example configuration followed by a description of the parameters.
Note
If you set the authorization mode to local in the auth_extension.yml file, you don't need to define LDAP configuration parameters in the ldap.yml file.
auth_extension.yml

```yaml
method: local+ldap
```

ldap.yml

```yaml
- domain: 'test.glauth.com'
  organizational_units: ['all_staff']
  hosts:
    - localhost:3893
  use_tls: false
  use_active_directory: false
  search_timeout: 2
  roles:
    - role: 'admin'
      domain_groups:
        - 'cn=superusers,ou=groups,dc=glauth,dc=com'
        - 'cn=users,ou=groups,dc=glauth,dc=com'
  options:
    LDAP_OPT_DEBUG_LEVEL: 10
```

auth.yml

```yaml
enabled: true
```
Configuration parameters:

method – authorization mode. Possible values:
- local – only local users can be authorized in the application. "Local" refers to users created in the application.
- ldap – only LDAP users can be authorized.
- local+ldap – both local and LDAP users can be authorized.

domain – domain name that is used in the domain login ID (user_name@domain).

organizational_units – names of the organizational units or user groups.

hosts – LDAP server addresses.

use_tls – boolean flag that defines TLS usage. Defaults to false. With false, bind credentials and directory queries cross the network in cleartext, so keep it false only for a test directory on the same host; for any other deployment set it to true and pin the server CA with the options described below.

use_active_directory – boolean flag that defines usage of Active Directory. Defaults to false. If set to true, use the login ID in the email format (user_name@domain). The ID must equal the userPrincipalName Active Directory attribute value because the latter is used in the Active Directory filter.

search_timeout – LDAP server response timeout in seconds. Defaults to 2.

roles – user roles assigned to a user depending on the LDAP groups the user belongs to:
- role – user role;
- domain_groups – distinguished names of the LDAP groups that grant the role, where cn is the common name, ou the organizational unit name, and dc a domain component.
In the example above, members of both superusers and users receive the admin role; in production, map each role only to the groups that should hold it.

options – the OpenLDAP library options. Supported options:
- LDAP_OPT_X_TLS_REQUIRE_CERT
- LDAP_OPT_PROTOCOL_VERSION
- LDAP_OPT_DEBUG_LEVEL
- LDAP_OPT_X_TLS_CACERTFILE
- LDAP_OPT_X_TLS_CACERTDIR
For a description of the options, refer to the OpenLDAP documentation. When use_tls is true, point LDAP_OPT_X_TLS_CACERTFILE or LDAP_OPT_X_TLS_CACERTDIR at the CA that issued the LDAP server certificate and keep LDAP_OPT_X_TLS_REQUIRE_CERT at a value that rejects unverified certificates (demand in OpenLDAP terms); a TLS connection whose certificate is not checked does not authenticate the server. Leave LDAP_OPT_DEBUG_LEVEL unset outside troubleshooting, since libldap debug output is written to the instance log.

enabled – boolean flag. If set to true, enables mandatory authentication mode in the application web interface. Keep it true on any instance whose console is reachable beyond the local host; with false the console does not require a login.
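The following script is an added example for the configuration files and parameter descriptions above; it is not code from Tarantool Cartridge or the cartridge-auth-extension module. It audits an ldap.yml entry for the weak settings discussed (use_tls off, no pinned CA, relaxed certificate checking, debug output on, one group granting several roles), selects the entry by the domain part of a user_name@domain login, and resolves the roles a user receives from the group DNs the directory reports. LDAP_CONFIG is the page's example ldap.yml transcribed as Python data; HARDENED_CONFIG and the member_of lists are constructed inputs. How the real module compares DNs, selects an entry by domain, or spells LDAP_OPT_X_TLS_REQUIRE_CERT values is not stated on the page, so those rules are this example's assumptions.

```python
"""Audit a Cartridge ldap.yml entry and resolve a user's roles from LDAP groups.

Added example for this page, not code from Tarantool Cartridge or the
cartridge-auth-extension module. LDAP_CONFIG is the page's example ldap.yml
transcribed as a Python list of dicts (the structure a YAML loader returns), so
no YAML library is needed. HARDENED_CONFIG and the member_of lists are
constructed inputs. DN comparison, entry selection by domain and the spelling
of LDAP_OPT_X_TLS_REQUIRE_CERT values are assumptions of this example.
"""
import re

# The page's example ldap.yml as Python data.
LDAP_CONFIG = [{
    "domain": "test.glauth.com",
    "organizational_units": ["all_staff"],
    "hosts": ["localhost:3893"],
    "use_tls": False,
    "use_active_directory": False,
    "search_timeout": 2,
    "roles": [{"role": "admin",
               "domain_groups": ["cn=superusers,ou=groups,dc=glauth,dc=com",
                                 "cn=users,ou=groups,dc=glauth,dc=com"]}],
    "options": {"LDAP_OPT_DEBUG_LEVEL": 10},
}]

# Constructed hardened variant: TLS on, CA pinned, certificate verification
# demanded, debug output off, and each group mapped to one role only.
HARDENED_CONFIG = [{
    "domain": "test.glauth.com",
    "organizational_units": ["all_staff"],
    "hosts": ["localhost:3893"],
    "use_tls": True,
    "use_active_directory": False,
    "search_timeout": 2,
    "roles": [{"role": "admin",
               "domain_groups": ["cn=superusers,ou=groups,dc=glauth,dc=com"]},
              {"role": "user",
               "domain_groups": ["cn=users,ou=groups,dc=glauth,dc=com"]}],
    "options": {"LDAP_OPT_X_TLS_REQUIRE_CERT": "demand",  # value spelling assumed
                "LDAP_OPT_X_TLS_CACERTFILE": "/etc/ssl/certs/corp-ldap-ca.pem"},
}]

def normalize_dn(dn):
    """Comparison key for a DN: RDNs split on unescaped commas, trimmed, lowercased.
    Attribute types are case-insensitive (RFC 4514) and cn/ou/dc values match
    case-insensitively; this is the example's own rule, not the module's."""
    return ",".join(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))

def audit_ldap_config(config):
    """Return (severity, message) findings for weak settings in each entry."""
    findings = []
    for entry in config:
        domain = entry.get("domain", "<no domain>")
        opts = entry.get("options", {})
        if not entry.get("use_tls", False):
            findings.append(("HIGH", f"{domain}: use_tls is false; bind credentials "
                             "and directory queries cross the network in cleartext"))
        else:
            if not any(k in opts for k in ("LDAP_OPT_X_TLS_CACERTFILE", "LDAP_OPT_X_TLS_CACERTDIR")):
                findings.append(("MEDIUM", f"{domain}: TLS is on but no CA file/dir is "
                                 "set; the server certificate is not pinned to your CA"))
            if str(opts.get("LDAP_OPT_X_TLS_REQUIRE_CERT", "demand")).lower() in ("never", "allow"):
                findings.append(("HIGH", f"{domain}: LDAP_OPT_X_TLS_REQUIRE_CERT accepts "
                                 "unverified certificates; TLS then does not authenticate the server"))
        if opts.get("LDAP_OPT_DEBUG_LEVEL", 0):
            findings.append(("LOW", f"{domain}: LDAP_OPT_DEBUG_LEVEL is set; libldap debug "
                             "output lands in the instance log, keep it off outside troubleshooting"))
        seen = {}  # one group granting several roles is usually a copy-paste mistake
        for role in entry.get("roles", []):
            for group in role.get("domain_groups", []):
                key = normalize_dn(group)
                if key in seen and seen[key] != role["role"]:
                    findings.append(("LOW", f"{domain}: group {group} grants both "
                                     f"{seen[key]} and {role['role']}"))
                seen[key] = role["role"]
    return findings

def entry_for_login(config, login):
    """Pick the entry whose domain matches the part after '@' in user_name@domain
    (exact, case-insensitive match is this example's assumption); None if no match."""
    if "@" not in login:
        return None
    domain = login.rpartition("@")[2].lower()
    return next((e for e in config if e.get("domain", "").lower() == domain), None)

def resolve_roles(entry, member_of):
    """Sorted roles granted to a user whose group DNs are listed in member_of."""
    groups = {normalize_dn(g) for g in member_of}
    return sorted({role["role"] for role in entry.get("roles", [])
                   if any(normalize_dn(g) in groups for g in role.get("domain_groups", []))})

if __name__ == "__main__":
    for name, cfg in (("page example", LDAP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_ldap_config(cfg) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
    entry = entry_for_login(LDAP_CONFIG, "alice@test.glauth.com")
    # The DN reported by the directory may differ in case from ldap.yml; it still matches.
    print(resolve_roles(entry, ["CN=Users,OU=Groups,DC=glauth,DC=com"]))
```

Run it before pasting a new ldap.yml into the Code tab: the page's example yields a HIGH finding for use_tls and a LOW one for the debug level, the hardened variant yields none, and the role resolution shows that a group DN returned by the directory in different case still grants the mapped role.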