author | Chris Wilson <artlepool@gmail.com> | 2015-04-08 12:27:07 +0100 |
---|---|---|
committer | Chris Wilson <artlepool@gmail.com> | 2015-04-08 12:27:07 +0100 |
commit | ecd59cabce0b40dcd6edd1e5f75aafa0a08c9c75 (patch) | |
tree | 05314539e1c121ea0e17ba0194038850ed9530cb | |
parent | 0b5f339f819fd1b156ad25585462b96ae9784101 (diff) | |
download | taiga-contrib-ldap-auth-ecd59cabce0b40dcd6edd1e5f75aafa0a08c9c75.zip |
Updated README to be in line with code changes
-rw-r--r-- | README.md | 30 |
1 files changed, 27 insertions, 3 deletions
@@ -22,11 +22,35 @@ LDAP configuration: ```python INSTALLED_APPS += ["taiga_contrib_ldap_auth"] - LDAP_SERVER = "ldap://ldap.example.com" - LDAP_DN_FORMAT = "uid={username},cn=users,dc=example,dc=com" - LDAP_BASE_EMAIL = "@example.com" + + LDAP_SERVER = 'ldap://ldap.example.com' + LDAP_PORT = 389 + + # Full DN of the service account use to connect to LDAP server and search for login user's account entry + LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com' + LDAP_BIND_PASSWORD = 'replace_me' # eg. + # Starting point within LDAP structure to search for login user + LDAP_SEARCH_BASE = 'OU=DevTeam,DC=example,DC=net' + # LDAP property used for searching, ie. login username needs to match value in sAMAccountName property in LDAP + LDAP_SEARCH_PROPERTY = 'sAMAccountName' + + # Names of LDAP properties on user account to get email and full name + LDAP_EMAIL_PROPERTY = 'mail' + LDAP_FULL_NAME_PROPERTY = 'name' ``` +The logic of the code is such that a dedicated domain service account user performs a search on LDAP for an account that has a LDAP_SEARCH_PROPERTY value that matches the username the user typed in on the Taiga login form. +If the search is successful, then the code uses this value and the typed-in password to attempt a bind to LDAP using these credentials. +If the bind is successful, then we can say that the user is authorised to log in to Taiga. + + + +RECOMMENDATION: Note that a service account needs to be available for performing the LDAP search for the user that is logging on to Taiga. +For security reasons, the service account user should be configured to only allow reading/searching the LDAP structure. No other LDAP (or wider network) permissions should be granted for this user because you need to specify the service account password in this file. +A suitably strong password should be chosen, eg. VmLYBbvJaf2kAqcrt5HjHdG6 + + + ### Taiga Front Change in your dist/js/conf.json the loginFormType setting to "ldap": |
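Review bot: the example settings pair `LDAP_SERVER = 'ldap://ldap.example.com'` with `LDAP_PORT = 389`, which is an unencrypted connection, so the `LDAP_BIND_PASSWORD` and every password typed into the Taiga login form would cross the network in cleartext; since the RECOMMENDATION paragraph is already about protecting the service-account credential, the README should show an `ldaps://` URL (or state whether StartTLS is supported) as the default example rather than plain `ldap://`. Smaller points in the same hunk: `LDAP_BIND_DN` ends in `DC=example,DC=com` while `LDAP_SEARCH_BASE` ends in `DC=example,DC=net`, which will confuse readers copying the block (make both the same domain); the comment "service account use to connect" should read "used to connect", and the trailing `# eg.` after `LDAP_BIND_PASSWORD` is dangling; the literal example password `VmLYBbvJaf2kAqcrt5HjHdG6` is likely to be pasted as-is, so "generate a random password of at least 24 characters" is safer than quoting one; and "we can say that the user is authorised to log in" overstates what a successful bind proves, because it only authenticates the account, and any entry under `LDAP_SEARCH_BASE` whose `LDAP_SEARCH_PROPERTY` matches can log in, which is worth stating explicitly so administrators scope the search base accordingly.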