pgadmin4/docs/en_US/enabling_ldap_authentication.rst
2020-04-27 20:28:39 +05:30


.. _enabling_ldap_authentication:

**************************************************
`Enabling LDAP Authentication for pgAdmin`:index:
**************************************************

To enable LDAP authentication for pgAdmin, you must configure the LDAP
settings in the *config_local.py* or *config_distro.py* file on the system where
pgAdmin is installed in Server mode. Copy the settings from the *config.py*
file (do not edit *config.py* itself; it is replaced on upgrade) and modify the
values of the following parameters:

.. csv-table::
   :header: "**Parameter**", "**Description**"
   :class: longtable
   :widths: 35, 55

   "AUTHENTICATION_SOURCES", "The default value for this parameter is *internal*.
   To enable LDAP authentication, you must include *ldap* in the list of values
   for this parameter. You can modify the value as follows:

   * [ldap]: pgAdmin will use only LDAP authentication.
   * [ldap, internal]: pgAdmin will first try to authenticate the user through
     LDAP. If that fails, the internal user entries of pgAdmin are used.
   * [internal, ldap]: pgAdmin will first try to authenticate the user through
     the internal user entries. If that fails, LDAP authentication is used."
   "LDAP_AUTO_CREATE_USER", "Specifies whether pgAdmin automatically creates a
   pgAdmin user record for an LDAP user who authenticates successfully. The LDAP
   password is not stored in the pgAdmin database."
   "LDAP_CONNECTION_TIMEOUT", "Specifies the connection timeout (in seconds) for
   LDAP authentication."
   "LDAP_SERVER_URI", "An LDAP URI combines the connection protocol (ldap or
   ldaps), the IP address or hostname, and the port of the directory server to
   connect to. For example, 'ldap://172.16.209.35:389' is a valid
   LDAP_SERVER_URI: ldap is the protocol, 172.16.209.35 is the IP address and 389
   is the port. ldaps uses port 636 by default and encrypts the whole session;
   plain ldap sends the bind password in clear text unless *LDAP_USE_STARTTLS*
   is enabled."
   "LDAP_BASE_DN", "Specifies the base DN under which users are located. pgAdmin
   builds the user's DN from *LDAP_USERNAME_ATTRIBUTE*, the supplied username and
   this base DN, then binds with that DN and the supplied password. For example,
   with a base DN of dc=example,dc=com and a username attribute of cn, the user
   admin is bound as cn=admin,dc=example,dc=com."
   "LDAP_USERNAME_ATTRIBUTE", "Specifies the LDAP attribute that contains the
   usernames. For LDAP authentication, you must enter the value of that
   attribute as the username. For example, if you set LDAP_USERNAME_ATTRIBUTE
   to cn and your directory contains an entry with 'cn=admin', you can
   authenticate by entering admin in the *Email Address / Username* field and
   its password in the *Password* field."
   "LDAP_SEARCH_BASE_DN", "Specifies the base DN of the search request, which
   together with *LDAP_SEARCH_SCOPE* defines the subtree of entries considered
   when processing the search. Use this parameter to limit the search to a
   specific group of users."
   "LDAP_SEARCH_FILTER", "Defines the criteria that entries must match in an LDAP
   search request. For example, LDAP_SEARCH_FILTER = '(objectClass=HR)'
   restricts the search to entries whose objectClass attribute is HR."
   "LDAP_SEARCH_SCOPE", "Indicates the set of entries at or below the base DN that
   may be considered as potential matches for a search request. The scope is one
   of *base*, *level*, or *subtree*. A *base* search limits the search to the base
   object itself. A *level* search is restricted to the immediate children of the
   base object and excludes the base object. A *subtree* search includes the base
   object and all of its descendants."
   "LDAP_USE_STARTTLS", "Specifies whether to upgrade a plain ldap connection to
   Transport Layer Security (TLS) with StartTLS, so that credentials and
   directory data are encrypted between pgAdmin and the LDAP server. If the
   connection protocol in *LDAP_SERVER_URI* is *ldaps*, the session is already
   encrypted and this parameter is ignored."
   "LDAP_CA_CERT_FILE", "Specifies the path to the trusted CA certificate file
   used to verify the directory server's certificate. This parameter applies
   only if you are using *ldaps* as the connection protocol or have set
   *LDAP_USE_STARTTLS* to *True*."
   "LDAP_CERT_FILE", "Specifies the path to the certificate file that pgAdmin
   itself presents to the directory server (a client certificate). This
   parameter applies only if you are using *ldaps* as the connection protocol or
   have set *LDAP_USE_STARTTLS* to *True*."
   "LDAP_KEY_FILE", "Specifies the path to the private key file matching
   *LDAP_CERT_FILE*. This parameter applies only if you are using *ldaps* as the
   connection protocol or have set *LDAP_USE_STARTTLS* to *True*."
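The following pre-flight check for these settings is an added example, not code from pgAdmin. It keeps the parameter names from *config.py*, but the two sample configurations (one over clear-text ldap://, one over ldaps with a CA file), the warning rules, the hypothetical */etc/pgadmin/ldap-ca.pem* path and the bind-DN builder are assumptions of this illustration. The DN builder shows the concrete consequence of *LDAP_USERNAME_ATTRIBUTE* and *LDAP_BASE_DN* described above and why a username must be escaped (RFC 4514) before it is spliced into a DN, so that a value such as ``admin,ou=hr`` stays a single RDN value instead of adding RDN components.

```python
"""Pre-flight check for the LDAP settings in a pgAdmin config_local.py.

Added illustration, not pgAdmin's own code: the parameter names are the
ones from config.py, but the two sample configurations, the checking
rules and the bind-DN builder are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit

# Search scopes accepted by LDAP_SEARCH_SCOPE, as listed in the table above.
VALID_SCOPES = {"base", "level", "subtree"}

# Constructed sample: the weakest configuration that still works.
WEAK_SETTINGS = {
    "AUTHENTICATION_SOURCES": ["ldap", "internal"],
    "LDAP_AUTO_CREATE_USER": True,
    "LDAP_CONNECTION_TIMEOUT": 10,
    "LDAP_SERVER_URI": "ldap://172.16.209.35:389",   # clear-text simple bind
    "LDAP_BASE_DN": "dc=example,dc=com",
    "LDAP_USERNAME_ATTRIBUTE": "cn",
    "LDAP_SEARCH_BASE_DN": "",
    "LDAP_SEARCH_FILTER": "(objectClass=HR)",
    "LDAP_SEARCH_SCOPE": "subtree",
    "LDAP_USE_STARTTLS": False,
    "LDAP_CA_CERT_FILE": "",
    "LDAP_CERT_FILE": "",
    "LDAP_KEY_FILE": "",
}

# Constructed sample: the same directory over ldaps, with the CA that signed
# the directory's certificate supplied so the connection can be verified.
HARDENED_SETTINGS = {
    **WEAK_SETTINGS,
    "LDAP_SERVER_URI": "ldaps://ldap.example.com:636",
    "LDAP_CA_CERT_FILE": "/etc/pgadmin/ldap-ca.pem",   # hypothetical path
}


def check_ldap_settings(cfg):
    """Return a list of findings for the given settings (empty means clean)."""
    findings = []
    if "ldap" not in cfg.get("AUTHENTICATION_SOURCES", ["internal"]):
        return ["AUTHENTICATION_SOURCES does not include 'ldap'; LDAP settings are unused"]

    uri = urlsplit(cfg.get("LDAP_SERVER_URI", ""))
    if uri.scheme not in ("ldap", "ldaps"):
        findings.append(f"LDAP_SERVER_URI scheme must be ldap or ldaps, got {uri.scheme!r}")
    elif uri.scheme == "ldap" and not cfg.get("LDAP_USE_STARTTLS"):
        findings.append("ldap:// without LDAP_USE_STARTTLS: bind passwords cross the network in clear text")
    elif uri.scheme == "ldaps" and cfg.get("LDAP_USE_STARTTLS"):
        findings.append("LDAP_USE_STARTTLS is ignored for ldaps://; remove it to avoid confusion")

    uses_tls = uri.scheme == "ldaps" or bool(cfg.get("LDAP_USE_STARTTLS"))
    if uses_tls and not cfg.get("LDAP_CA_CERT_FILE"):
        findings.append("TLS in use but LDAP_CA_CERT_FILE is empty: supply the CA so the directory's certificate is verified")
    if bool(cfg.get("LDAP_CERT_FILE")) != bool(cfg.get("LDAP_KEY_FILE")):
        findings.append("LDAP_CERT_FILE and LDAP_KEY_FILE must be set together")

    if not cfg.get("LDAP_BASE_DN"):
        findings.append("LDAP_BASE_DN is empty; no user DN can be built")
    if cfg.get("LDAP_SEARCH_SCOPE", "subtree").lower() not in VALID_SCOPES:
        findings.append(f"LDAP_SEARCH_SCOPE must be one of {sorted(VALID_SCOPES)}")
    flt = cfg.get("LDAP_SEARCH_FILTER", "")
    if flt and not (flt.startswith("(") and flt.endswith(")") and flt.count("(") == flt.count(")")):
        findings.append("LDAP_SEARCH_FILTER must be a parenthesised, balanced filter such as '(objectClass=HR)'")
    return findings


# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514 section 2.4); a leading '#' or space and a trailing space too.
_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_dn_value(value):
    """Escape a username so it stays one RDN value and cannot add RDN parts."""
    out = _DN_SPECIAL.sub(r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):          # escaping never emits a space, so this one is raw
        out = out[:-1] + "\\ "
    return out


def build_bind_dn(cfg, username):
    """Assemble the DN the way the table describes: <attr>=<user>,<base DN>."""
    return f"{cfg['LDAP_USERNAME_ATTRIBUTE']}={escape_dn_value(username)},{cfg['LDAP_BASE_DN']}"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, check_ldap_settings(cfg) or ["ok"])
    print(build_bind_dn(WEAK_SETTINGS, "admin"))
    print(build_bind_dn(WEAK_SETTINGS, "admin,ou=hr"))
```

Run it with ``python3`` to print the findings for both sample configurations; the weak one is flagged only for the clear-text bind, and the hardened one is clean. Point ``check_ldap_settings`` at a dict built from your real *config_local.py* values before restarting pgAdmin, and treat any finding about clear-text binds or a missing CA file as a blocker rather than a warning.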