As of version 2.3.0, Beltane supports LDAP for authentication of users (but not for the superuser). The following configuration items must be set:
The server name. If the server name is prefixed with 'ldaps://', Beltane will use the ldaps protocol on port 636.
The Distinguished Name to bind to the LDAP directory, without the 'uid=...' (or 'cn=...') part.
Requirements

As the login password must be transmitted from the browser to Beltane, an HTTPS connection is required. If the server name is not prefixed with 'ldaps://', Beltane will use the standard LDAP port (389) with TLS for encryption; the server needs to support STARTTLS. If the LDAP server name is prefixed with 'ldaps://', Beltane will use the ldaps protocol on port 636. The LDAP base DN must be the base DN of valid Beltane users for binding to the LDAP directory, without the 'uid=...' or 'cn=...' part; it is not sufficient to just give a search base. The base DN may include a '%s' format specifier, which will be replaced by the realm given with the username (i.e. the username then needs to be of the form user@realm). It is possible to configure a default realm, which will be used if the username is given without a realm.
By default, the LDAP entry of each Beltane user must contain, in its "description" attribute, the string "beltane_priv_user" (has update privileges) or "beltane_priv_guest" (has no update privileges). If the user should belong to one or more groups (see Section 6, “Defining groups for hosts and users”), the corresponding strings "beltane_group_groupname" must also be present in the "description" attribute.
The attribute that holds information about the privilege of a Beltane user. Default is "description".
The (string) value of the privilege attribute that denotes users with admin privilege. Default is "beltane_priv_admin".
The (string) value of the privilege attribute that denotes users with user privilege. Default is "beltane_priv_user".
The (string) value of the privilege attribute that denotes users with guest privilege. Default is "beltane_priv_guest".
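The server-name, base-DN and privilege-attribute rules above, worked through in Python as an added example (this is not Beltane's own PHP code). The configuration key names, the host and DN values, and the RDN escaping of the login name are assumptions made for the example.

```python
import re

# Constructed configuration; key names are illustrative, not Beltane's own.
CONFIG = {
    "server": "ldaps://ldap.example.org",  # 'ldaps://' prefix -> port 636
    "base_dn": "ou=%s,dc=example,dc=org",  # '%s' is replaced by the realm
    "default_realm": "people",             # used when no '@realm' is given
    "priv_admin": "beltane_priv_admin",
    "priv_user": "beltane_priv_user",
    "priv_guest": "beltane_priv_guest",
}

def ldap_endpoint(server):
    """Return (host, port, use_starttls) for the configured server name."""
    if server.startswith("ldaps://"):
        return server[len("ldaps://"):], 636, False
    return server, 389, True  # plain LDAP port, upgraded with STARTTLS

def escape_rdn_value(value):
    """Escape an RDN value (RFC 4514) so a login name cannot rewrite the DN."""
    value = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if value[:1] in (" ", "#"):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def bind_dn(username, cfg, rdn_attr="uid"):
    """Build 'uid=<user>,<base DN>' with the realm substituted for '%s'."""
    user, _, realm = username.partition("@")
    realm = realm or cfg["default_realm"]
    base = cfg["base_dn"]
    if "%s" in base:
        # The realm lands inside the DN, so only accept a plain label here.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", realm or ""):
            raise ValueError("no usable realm for the '%s' in the base DN")
        base = base.replace("%s", realm)
    return f"{rdn_attr}={escape_rdn_value(user)},{base}"

def privilege_and_groups(values, cfg):
    """Map privilege-attribute values to (privilege, groups); None = no access."""
    rank = {cfg["priv_guest"]: 1, cfg["priv_user"]: 2, cfg["priv_admin"]: 3}
    names = {1: "guest", 2: "user", 3: "admin"}
    best, groups = 0, []
    for v in values:
        if v in rank:
            best = max(best, rank[v])  # highest privilege present wins
        elif v.startswith("beltane_group_"):
            groups.append(v[len("beltane_group_"):])
    return names.get(best), sorted(groups)
```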
Combining LDAP and browser-based login

LDAP authentication requires the password. For browser-based login, this is only known to Beltane if mod_php is used.