mirror of https://github.com/Kozea/Radicale.git synced 2025-06-26 16:45:52 +00:00

Updated LDAP authentication (markdown)

Peter Marschall 2025-01-03 15:14:46 +01:00
parent b0d14b1d17
commit 2e5a6bd93e

@ -1,17 +1,29 @@
# Enable LDAP Authentication
The first step to enable LDAP authentication is the installation of the corresponding python module. Even if the `python-ldap` module is supported, we recommend the use of `python-ldap3` as the further development is only based on this module.
The first step to enable LDAP authentication is the installation of the corresponding Python module. Even if the `python-ldap` module is supported, we recommend the use of `python-ldap3` as the further development will only be based on this module.
## Configure LDAP Authentication
After installing the python ldap module you have to enable and configure it in the [auth] section of the configuration file of Radicale. Please note that anonymous bind is not supported. That means you have to provide a LDAP account with read-rights to the user accounts. At the moment only SUBTREE searches are implemented.
After installing the Python LDAP module you have to enable and configure it in the `[auth]` section Radicale's configuration file.
Please note that anonymous bind is not supported. That means you have to provide a LDAP account with read-rights to the user accounts. At the moment only SUBTREE searches are implemented.
Following parameter are available. No default values are provided that means you have to set all parameters:
* `type = ldap`
* `ldap_uri` The URI to the LDAP-server. ldap|ldaps://hostname|ip[:port]
* `type = ldap` Use LDAP authentication.
* `ldap_uri` The URI to the LDAP server in the format `{ldap|ldaps}://{hostname|ip}[:port]` or `ldapi://[path]`.
* `ldap_base` The base DN from where the users must be searched for.
* `ldap_reader_dn` The DN of the LDAP account with read rights to the subtree from ldap_base
* `ldap_secret` The password of the ldap_reader_dn
* `ldap_filter` The ldap filter to find the DN of the login user. This filter must contain a python format string with placeholder(s) for the login: (&(objectClass=person)(cn={0}))
* `ldap_reader_dn` The DN of the LDAP account with read rights to the subtree from `ldap_base`.
* `ldap_secret` The password of the `ldap_reader_dn`
* `ldap_secret_file` Path of the file containing the password of the `ldap_reader_dn`.
Either this parameter or `ldap_secret` must be provided.
* `ldap_filter` The LDAP filter to find the DN of the login user.
This filter must contain a python format string with placeholder(s) for the login: `(&(objectClass=person)(cn={0}))`
* `ldap_user_attribute` LDAP attribute whose value shall be used as the user name after successful authentication.
Default is unset, in which case the login name is used as the username
## Using LDAP group membership of users
There is an additional parameter `ldap_load_groups`. Settings this to `True` the `memberOf` LDAP-attributes of the user will be evaluated and can be used for the handling of access rights management and to the access the group calendars.