.. _enabling_ldap_authentication:

**************************************************
`Enabling LDAP Authentication for pgAdmin`:index:
**************************************************

To enable LDAP authentication for pgAdmin, you must configure the LDAP
settings in the *config_local.py* or *config_distro.py* file on the system where
pgAdmin is installed in Server mode. You can copy these settings from the
*config.py* file and modify the values of the following parameters:

.. csv-table::
   :header: "**Parameter**", "**Description**"
   :class: longtable
   :widths: 35, 55

   "AUTHENTICATION_SOURCES","The default value for this parameter is *internal*.
   To enable LDAP authentication, you must include *ldap* in the list of values
   for this parameter. You can modify the value as follows:

   * ['ldap']: pgAdmin will use only LDAP authentication.

   * ['ldap', 'internal']: pgAdmin will first try to authenticate the user through
   LDAP. If that authentication fails, the internal user entries of pgAdmin will
   be used for authentication.

   * ['internal', 'ldap']: pgAdmin will first try to authenticate the user through
   the internal user entries. If that authentication fails, LDAP authentication
   will be used."
   "LDAP_AUTO_CREATE_USER","Specifies whether to automatically create a pgAdmin
   user corresponding to the LDAP user credentials. Note that the LDAP password
   is not stored in the pgAdmin database."
   "LDAP_CONNECTION_TIMEOUT","Specifies the connection timeout (in seconds) for LDAP
   authentication."
   "LDAP_SERVER_URI","An LDAP URI is a combination of the connection protocol
   (ldap or ldaps), the IP address or hostname, and the port of the directory server
   that you want to connect to. For example, 'ldap://172.16.209.35:389' is a valid
   LDAP_SERVER_URI where ldap is the connection protocol, 172.16.209.35 is the IP
   address and 389 is the port. Port 636 is used for the ldaps communication protocol."
   "LDAP_BASE_DN","Specifies the base DN from which the server starts the search
   for users. For example, an LDAP search for any user is performed by the server
   starting at the base DN (dc=example,dc=com). When the base DN matches, the full
   DN (cn=admin,dc=example,dc=com) is used to bind with the supplied password."
   "LDAP_USERNAME_ATTRIBUTE","Specifies the LDAP attribute that contains the
   usernames. For LDAP authentication, you need to enter the value of that
   particular attribute as the username. For example, if you set the value of
   LDAP_USERNAME_ATTRIBUTE to 'cn' and you have defined 'cn=admin' in your LDAP server
   entries, you should be able to authenticate by entering 'admin' in the
   *Email Address / Username* field and its corresponding password in the *Password*
   field."
   "LDAP_SEARCH_BASE_DN","Specifies the distinguished name (DN) of the top-most user
   directory that you want to search. You can use this parameter to limit the search
   request to a specific group of users. For example, if you want to search only within
   the Organizational Unit named sales, you can define the value of the
   LDAP_SEARCH_BASE_DN parameter as follows:

   LDAP_SEARCH_BASE_DN = 'ou=sales,dc=example,dc=com'

   This is an optional parameter. If you do not specify any value for LDAP_SEARCH_BASE_DN,
   the value of LDAP_BASE_DN is used instead."
   "LDAP_SEARCH_FILTER","Defines the criteria used to retrieve matching entries in an
   LDAP search request. For example, the setting LDAP_SEARCH_FILTER = '(objectclass=HR)'
   searches only for users having HR as their objectClass attribute."
   "LDAP_SEARCH_SCOPE","Indicates the set of entries at or below the Base DN that
   may be considered as potential matches for a search request. You can specify the
   scope of a search as either a *base*, *level*, or *subtree* search. A *base* search
   limits the search to the base object. A *level* search is restricted to the immediate
   children of the base object, but excludes the base object itself. A *subtree* search
   includes all child objects as well as the base object."
   "LDAP_USE_STARTTLS","Specifies whether to use Transport Layer Security (TLS)
   for secure communication between LDAP clients and LDAP servers. If you specify
   the connection protocol in *LDAP_SERVER_URI* as *ldaps*, this parameter is ignored."
   "LDAP_CA_CERT_FILE","Specifies the path to the trusted CA certificate file. This
   parameter is applicable only if you are using *ldaps* as the connection protocol and
   you have set the *LDAP_USE_STARTTLS* parameter to *True*."
   "LDAP_CERT_FILE","Specifies the path to the server certificate file. This parameter
   is applicable only if you are using *ldaps* as the connection protocol and you have
   set the *LDAP_USE_STARTTLS* parameter to *True*."
   "LDAP_KEY_FILE","Specifies the path to the server private key file. This parameter
   is applicable only if you are using *ldaps* as the connection protocol and you have
   set the *LDAP_USE_STARTTLS* parameter to *True*."
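
The following is an added example, not part of pgAdmin or its documentation: it reviews a set of the LDAP parameters described above (passed as a plain dict keyed by parameter name) and reports settings that weaken the deployment, such as an unencrypted ldap:// connection without STARTTLS, TLS without a trusted CA file, or automatic user creation with no search filter. The helper names, the CA file path and the two sample configurations are constructed for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # ports named in the parameter table


def parse_server_uri(uri):
    """Split LDAP_SERVER_URI into (scheme, host, port), defaulting the port."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported LDAP_SERVER_URI: {uri!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def effective_search_base(cfg):
    """LDAP_SEARCH_BASE_DN is optional; LDAP_BASE_DN is used when it is unset."""
    return cfg.get("LDAP_SEARCH_BASE_DN") or cfg["LDAP_BASE_DN"]


def review_ldap_settings(cfg):
    """Return a list of risk findings; an empty list means no weak setting was found."""
    if "ldap" not in cfg.get("AUTHENTICATION_SOURCES", ["internal"]):
        return ["AUTHENTICATION_SOURCES lacks 'ldap': LDAP authentication is disabled"]
    findings = []
    scheme, _host, _port = parse_server_uri(cfg["LDAP_SERVER_URI"])
    if scheme != "ldaps" and not cfg.get("LDAP_USE_STARTTLS"):
        findings.append("ldap:// without LDAP_USE_STARTTLS: bind passwords cross the network in clear")
    elif not cfg.get("LDAP_CA_CERT_FILE"):
        findings.append("TLS in use but LDAP_CA_CERT_FILE unset: no trusted CA to verify the server")
    if cfg.get("LDAP_AUTO_CREATE_USER") and not cfg.get("LDAP_SEARCH_FILTER"):
        findings.append("LDAP_AUTO_CREATE_USER without LDAP_SEARCH_FILTER: any directory user gets an account")
    if effective_search_base(cfg) == cfg["LDAP_BASE_DN"]:
        findings.append("search base equals LDAP_BASE_DN: narrow LDAP_SEARCH_BASE_DN to the OU that should log in")
    return findings


# Constructed sample: a minimal configuration using the page's example URI.
WEAK = {
    "AUTHENTICATION_SOURCES": ["ldap", "internal"],
    "LDAP_SERVER_URI": "ldap://172.16.209.35:389",
    "LDAP_BASE_DN": "dc=example,dc=com",
    "LDAP_AUTO_CREATE_USER": True,
}

# Constructed sample: same directory with ldaps, a CA file, an OU search base and a filter.
HARDENED = {
    "AUTHENTICATION_SOURCES": ["ldap"],
    "LDAP_SERVER_URI": "ldaps://ldap.example.com",  # port defaults to 636
    "LDAP_BASE_DN": "dc=example,dc=com",
    "LDAP_SEARCH_BASE_DN": "ou=sales,dc=example,dc=com",
    "LDAP_SEARCH_FILTER": "(objectclass=HR)",
    "LDAP_CA_CERT_FILE": "/etc/pgadmin/ca.pem",  # placeholder path
    "LDAP_AUTO_CREATE_USER": True,
}
```

Running `review_ldap_settings(WEAK)` yields three findings, while `review_ldap_settings(HARDENED)` yields none.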