
If you are able, start with SSL and TLS disabled until you have things working,
then enable the security pieces one at a time to help eliminate issues as you
are getting started.

How LDAP Authentication works
=============================

When the LDAP plugin is enabled and all other authentication plugins are
disabled, attempting to Register or Login will result in the LDAP login form
being presented to the end user.

The end user will enter their LDAP credentials. A lookup is made against the
local users table in the GNU Mediagoblin database. If a user with the specified
username already exists, then the user will be authenticated against the
directory.

If a user with the specified username does not already exist in the GNU
Mediagoblin database, then the LDAP authentication will be performed. If the
user does not have permissions in LDAP to authenticate to GNU Mediagoblin,
they will be presented with a login error.

If they are allowed to authenticate, and ``EMAIL_SEARCH_FIELD`` is not
specified, the user will be prompted to enter their email address. Upon
submission, they will be successfully registered and authenticated.

If they are allowed to authenticate and ``EMAIL_SEARCH_FIELD`` is specified,
an email address lookup will be performed against the directory. The user will
be prompted to confirm or change their email address. Upon submission, they
will be successfully registered and authenticated.


LDAP Configuration Options
==========================

LDAP_SERVER_URI
---------------

This required option specifies the DNS name or IP address of the LDAP
server to which your GNU Mediagoblin instance will attempt to bind. In the
examples, the ports are specified, but they are not required.

For plain LDAP, the default port is 387.
For LDAPS, the default port is 636.

If your instance is using a non-standard port, the port should be indicated.

LDAP_USER_DN_TEMPLATE
---------------------

This is the required template to use when LDAP searches for a user. It is
imperative that the value have ``{username}`` in it somewhere, as the string is
interpolated with the username at the time of login.

The value of this will vary depending upon the LDAP schema in the domain. It is
possible to use either a full path
( ``cn={username},ou=users,dc=testathon,dc=net`` ) or a UPN
( ``{username}@testathon.net`` ). Some Active Directory users have reported
that the second form of the LDAP_USER_DN_TEMPLATE works better.

LDAP_SEARCH_BASE
----------------

This is required and represents the root of the domain where GNU Mediagoblin
will search for users' email addresses. If your users should all exist under
a certain OU, then it is possible to restrict the scope of the search by
specifying an OU, as in the example. If users are scattered across all of the
domain, then it is also possible to specify just the domain itself:
``LDAP_SEARCH_BASE = 'dc=testathon,dc=net'``

EMAIL_SEARCH_FIELD
------------------

If this optional field is specified in the LDAP configuration, then GNU
Mediagoblin will look up the user's email address in LDAP as soon as the user
authenticates, and the field named in the configuration will be used as the
search field.

If this field is not specified, the user will be asked to input
their email address when registering.

The default value is None.

UID_SEARCH_FIELD
----------------

This optional value is used to specify the name of the field that holds the UID.
For example, imagine that your username in LDAP is ``media.goblin``. For most
LDAP servers the search string will need to be ``uid = media.goblin``. In this
case, the value of UID_SEARCH_FIELD should be set to ``uid``.

However, Active Directory uses a different field for this, and the value should
be adjusted to be ``sAMAccountName``.

The default value is ``'uid'``.

LDAP_IS_ACTIVE_DIRECTORY
------------------------

This optional value is used to specify whether you are using Active Directory.
If that is the case, this value should be set to ``'true'``; otherwise it
should be left at ``'false'``.

The default value is ``'false'``.

LDAP_START_TLS
--------------

This optional value will enable TLS for LDAP communications. If your LDAP
server has a TLS certificate that your GNU Mediagoblin instance will trust,
then enable this by setting the value to ``'true'``.

The default value is ``'false'``.

LDAP_FILTER
-----------

This optional value will be used to restrict the LDAP authentication to users
who match the filter criteria. This string is built using LDAP filter syntax.

For example, to restrict authentication to members of the MediaGoblinGroup
container that is located in the Groups OU, a filter such as this could be used:

``LDAP_FILTER = '(&(objectClass=person)(memberOf=cn=MediaGoblinGroup,ou=Groups,dc=testathon,dc=net))'``

Any user who is not a member of the MediaGoblinGroup container will be denied authentication.

The default value of this filter is ``(objectClass=person)``.
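
The following is an added example, not code from GNU Mediagoblin or its LDAP
plugin, showing how the options documented above (``LDAP_USER_DN_TEMPLATE``,
``LDAP_SEARCH_BASE``, ``LDAP_FILTER``, ``UID_SEARCH_FIELD`` and
``EMAIL_SEARCH_FIELD``) combine into the bind DN and the post-bind search
request that the "How LDAP Authentication works" section describes. The
``CONFIG`` dictionary layout, the function names and the escaping helpers are
assumptions made for this example; the sample values are the ones used on this
page. Because ``{username}`` is interpolated from user input, the example
escapes it per RFC 4514 (inside a DN) and RFC 4515 (inside a filter) so the
entered name cannot change the meaning of either string.

```python
"""Added example (not MediaGoblin's own code): assembling the LDAP bind DN and
user search from the plugin options, with RFC 4514 / RFC 4515 escaping."""

# Sample settings taken from this page; the dict layout is an assumption
# of this example, not the plugin's configuration format.
CONFIG = {
    "LDAP_USER_DN_TEMPLATE": "cn={username},ou=users,dc=testathon,dc=net",
    "LDAP_SEARCH_BASE": "ou=users,dc=testathon,dc=net",
    "LDAP_FILTER": "(&(objectClass=person)"
                   "(memberOf=cn=MediaGoblinGroup,ou=Groups,dc=testathon,dc=net))",
    "UID_SEARCH_FIELD": "uid",
    "EMAIL_SEARCH_FIELD": "mail",   # None means "ask the user" (see above)
}


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a distinguished name:
    backslash-escape , + " < > ; and \\ anywhere, NUL as \\00, and a
    leading '#' or leading/trailing space."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1] + "\\ "
    return s


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter assertion."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn(template, username):
    """Interpolate the login name into LDAP_USER_DN_TEMPLATE.

    Works for both forms shown above: a full DN and a UPN. The check for
    '{username}' mirrors the page's requirement that the template contain it."""
    if "{username}" not in template:
        raise ValueError("LDAP_USER_DN_TEMPLATE must contain {username}")
    return template.replace("{username}", escape_dn_value(username))


def user_search(cfg, username):
    """Build the (base, filter, attributes) triple for the lookup performed
    after a successful bind: LDAP_FILTER AND-ed with a UID_SEARCH_FIELD match,
    scoped to LDAP_SEARCH_BASE, requesting EMAIL_SEARCH_FIELD when it is set."""
    uid_clause = "(%s=%s)" % (cfg["UID_SEARCH_FIELD"], escape_filter_value(username))
    search_filter = "(&%s%s)" % (cfg["LDAP_FILTER"], uid_clause)
    email_field = cfg.get("EMAIL_SEARCH_FIELD")
    attributes = [email_field] if email_field else []
    return cfg["LDAP_SEARCH_BASE"], search_filter, attributes


if __name__ == "__main__":
    name = "media.goblin"
    print("bind DN :", bind_dn(CONFIG["LDAP_USER_DN_TEMPLATE"], name))
    print("UPN form:", bind_dn("{username}@testathon.net", name))
    base, flt, attrs = user_search(CONFIG, name)
    print("search  :", base, flt, attrs)
    # A name containing DN/filter metacharacters stays a literal value:
    print("escaped :", bind_dn(CONFIG["LDAP_USER_DN_TEMPLATE"], "x,ou=admins"))
```

For an Active Directory domain, change ``UID_SEARCH_FIELD`` to
``sAMAccountName`` in ``CONFIG`` and the UID clause follows; the rest of the
request is unchanged.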