From 2e5a6bd93ea1e1938a5e6902f8f27d15be0406e1 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Fri, 3 Jan 2025 15:14:46 +0100 Subject: [PATCH] Updated LDAP authentication (markdown) --- LDAP-authentication.md | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/LDAP-authentication.md b/LDAP-authentication.md index de9935d..26d599f 100644 --- a/LDAP-authentication.md +++ b/LDAP-authentication.md 
@@ -1,17 +1,29 @@ # Enable LDAP Authentication -The first step to enable LDAP authentication is the installation of the corresponding python module. Even if the `python-ldap` module is supported, we recommend the use of `python-ldap3` as the further development is only based on this module. +The first step to enable LDAP authentication is the installation of the corresponding Python module. Even if the `python-ldap` module is supported, we recommend the use of `python-ldap3` as the further development will only be based on this module. ## Configure LDAP Authentication -After installing the python ldap module you have to enable and configure it in the [auth] section of the configuration file of Radicale. Please note that anonymous bind is not supported. That means you have to provide a LDAP account with read-rights to the user accounts. At the moment only SUBTREE searches are implemented. +After installing the Python LDAP module you have to enable and configure it in the `[auth]` section Radicale's configuration file. + +Please note that anonymous bind is not supported. That means you have to provide a LDAP account with read-rights to the user accounts. At the moment only SUBTREE searches are implemented. Following parameter are available. No default values are provided that means you have to set all parameters: -* `type = ldap` -* `ldap_uri` The URI to the LDAP-server. ldap|ldaps://hostname|ip[:port] +* `type = ldap` Use LDAP authentication. +* `ldap_uri` The URI to the LDAP server in the format `{ldap|ldaps}://{hostname|ip}[:port]` or `ldapi://[path]`. * `ldap_base` The base DN from where the users must be searched for. -* `ldap_reader_dn` The DN of the LDAP account with read rights to the subtree from ldap_base -* `ldap_secret` The password of the ldap_reader_dn -* `ldap_filter` The ldap filter to find the DN of the login user. 
This filter must contain a python format string with placeholder(s) for the login: (&(objectClass=person)(cn={0})) +* `ldap_reader_dn` The DN of the LDAP account with read rights to the subtree from `ldap_base`. +* `ldap_secret` The password of the `ldap_reader_dn` +* `ldap_secret_file` Path of the file containing the password of the `ldap_reader_dn`. + + Either this parameter or `ldap_secret` must be provided. + +* `ldap_filter` The LDAP filter to find the DN of the login user. + + This filter must contain a python format string with placeholder(s) for the login: `(&(objectClass=person)(cn={0}))` + +* `ldap_user_attribute` LDAP attribute whose value shall be used as the user name after successful authentication. + + Default is unset, in which case the login name is used as the username ## Using LDAP group membership of users There is an additional parameter `ldap_load_groups`. Settings this to `True` the `memberOf` LDAP-attributes of the user will be evaluated and can be used for the handling of access rights management and to the access the group calendars.
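Review bot: the new `ldap_filter` bullet presents `{0}` as a plain Python format-string placeholder without saying whether the login value is escaped before it is substituted into the filter; the doc should state that the login is filter-escaped (RFC 4515 style) or otherwise sanitized before substitution, since readers will otherwise assume raw interpolation of user input. The `ldap_secret_file` bullet should also say which setting wins when both it and `ldap_secret` are set, and that the file should be readable only by the user Radicale runs as. Minor wording in the added lines: "in the `[auth]` section Radicale's configuration file" is missing "of"; the `ldap_secret` and `ldap_user_attribute` bullets lack the trailing period the other bullets have; and "python format string" should read "Python format string" to match the capitalization this change introduces elsewhere. The unchanged context "Following parameter are available" and "Settings this to `True`" could be corrected to "Following parameters are available" and "Setting this to `True`" while this file is being touched.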