LDAP authorization | Enterprise


Check out the new release policy
LDAP authorization

LDAP authorization

This chapter describes how to manage the access roles for LDAP users authorizing in your Cartridge application.

Setting up this feature is twofold:


For information on setting up the authorization of external users in your application, refer to Implementing LDAP authorization in the web interface.

Enabling LDAP authorization

First, you should enable LDAP authorization function in your application development project:

  • set up dependency to the cartridge-auth-extension module that is available in the Tarantool Enterprise package.
  • update the configuration in the application initialization file.


If you don’t have a development project yet, refer to Developer’s guide on how to create it.

  1. In your development project, find a .rockspec file and specify the following dependency:

    dependencies = {
  2. In an initialization Lua file of your project, specify the cartridge-auth-extension cluster role in the Cartridge configuration. The role enables storing authorized users and validating the LDAP configuration.

        roles = {
        auth_backend_name = 'cartridge-auth-extension',
  3. Deploy and start your application. For details, refer to Developer’s guide.

Configuring LDAP authorization

After starting your application, you need to configure LDAP authorization. It can be done via the GUI administrative console.

  1. In a web browser, open the GUI administrative console of your application.
  2. If you have the application instances already configured, proceed to the next step. Otherwise, refer to Deploying the cluster on how to configure the cluster.
  3. In the GUI administrative console, navigate to the Code tab. Create the following YAML configuration files and specify the necessary parameters. Below is the example of configuration and the description of parameters.


If you set the authorization mode as local in the auth_extension.yml file, you don’t need to define LDAP configuration parameters in the ldap.yml file.

  • auth_extension.yml

    method: local+ldap
  • ldap.yml

    - domain: 'test.glauth.com'
      organizational_units: ['all_staff']
        - localhost:3893
      use_tls: false
      use_active_directory: false
      search_timeout: 2
        - role: 'admin'
            - 'cn=superusers,ou=groups,dc=glauth,dc=com'
            - 'cn=users,ou=groups,dc=glauth,dc=com'
  • auth.yml

    enabled: true

Configuration parameters:

  • method—authorization mode. Possible values:

    • local—only local users can be authorized in the application. “Local” refers to users created in the application.
    • ldap—only LDAP users can be authorized.
    • local+ldap—both local and LDAP users can be authorized.
  • domain—domain name that is used in the domain login ID (user_name@domain).

  • organizational_units—names of the organizational units or user groups.

  • hosts—LDAP server addresses.

  • use_tls—boolean flag that defines TLS usage. Defaults to false.

  • use_active_directory—boolean flag that defines usage of the Active Directory. Defaults to false. If set to true, use the login ID in the email format (user_name@domain). The ID should be equal to the userPrincipalName Active Directory attribute value because the latter is used in the Active Directory filter.

  • search_timeout—LDAP server response timeout. Defaults to 2 seconds.

  • roles—user roles assigned to a user depending on the LDAP groups the user belongs to:

    • role—user role;
    • domain_groups—LDAP groups where cn—common name; ou—organization unit name; dc—domain component.
  • options—the OpenLDAP library options. Supported options:


    For description of the options, refer to the :ref:`OpenLDAP documentation <https://www.openldap.org/software/man.cgi?query=ldap_get_option&apropos=0&sektion=0&manpath=OpenLDAP+2.6-Release`__.

  • enabled—boolean flag. If set to true, enables mandatory authentication mode in the application web interface.