Configure LDAP Authentication

Ravada can use LDAP as the authentication engine.

Configuration

The configuration file is /etc/ravada.conf. The format is YAML; indent with spaces only, never tabs.

Add a section ldap like this:

ldap:
  server: 192.168.1.44
  port: 389 # or 636 for secure connections
  secure: 0 # defaults to 1 if port is 636
  base: dc=domain,dc=com
  admin_user:
      dn: cn=admin.user,dc=domain,dc=com
      password: secretpassword

The _secure_ setting is optional. It defaults to 0 for port 389 (ldap) and to 1 for port 636 (ldaps). Set it to 1 to force a secure connection on any other port.

The LDAP admin user can be a low-level account with minimal privileges.

Another optional setting forces the authentication method. By default Ravada first tries to bind to the LDAP server as the user; if that fails, it tries to match the encrypted password. You can force the method with:

auth: all # defaults to all, can be all, bind, match

Note that matching authentication may be a security risk, so bind is recommended.

Example: All users

All the users in the LDAP can have access to ravada:

ldap:
  server: 192.168.1.44
  port: 636
  base: dc=domain,dc=com
  admin_user:
      dn: cn=admin.user,dc=domain,dc=com
      password: secretpassword

Example: Group of users

Allow only a group of users to access ravada:

ldap:
  server: 192.168.1.44
  port: 636
  base: ou=users,ou=groupname,dc=upc,dc=edu
  admin_user:
      dn: cn=admin.user,dc=domain,dc=com
      password: secretpassword

Advanced Options

There are other options you can add to ldap:

  • field: searches users using this field

  • ravada_posix_group: allows only this group to access ravada

  • sslversion: force the connection to LDAP to use this SSL version, one of sslv2, sslv3, sslv23, tlsv1

  • filter: filter attributes for the LDAP search

Example: Field

Add the field parameter to choose the attribute users are searched by. In this example users are searched by their cn attribute.

ldap:
  server: 192.168.1.44
  port: 636
  base: ou=users,ou=groupname,dc=upc,dc=edu
  field: cn
  admin_user:
      dn: cn=admin.user,dc=domain,dc=com
      password: secretpassword

Example: Posix Group

If you have all your users under a main OU (e.g. ou=users,dc=domain,dc=com), you can use Posix Groups (https://ldapwiki.com/wiki/PosixGroup) to create a list of users that can access your Ravada instance, using their memberUid attribute. This lets you grant or remove access to Ravada for individual users without modifying your LDAP structure.

ldap:
  server: 192.168.1.44
  port: 636
  base: ou=users,ou=groupname,dc=upc,dc=edu
  ravada_posix_group: cn=ravada,ou=groups,dc=domain,dc=com
  admin_user:
      dn: cn=admin.user,dc=domain,dc=com
      password: secretpassword

In the example, cn=ravada,ou=groups,dc=domain,dc=com is a Posix Group in your LDAP server. It should contain the memberUid values of the users allowed to access Ravada:

dn: cn=ravada,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: ravada
# gidNumber is required by posixGroup; pick a value that is free in your directory
gidNumber: 10000
memberUid: user1
memberUid: user2
memberUid: user3

Example: Attribute Filter

In this example, only users that pass the filter can log in:

ldap:
  server: 192.168.1.44
  port: 636
  base: dc=domain,dc=com
  filter: campus=North
  admin_user:
      dn: cn=admin.user,dc=domain,dc=com
      password: secretpassword
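The following is an added example, not Ravada's own code, that ties together the settings described above (the secure default per port, the auth methods, field and filter, and the Posix Group check). It works on a constructed dict standing in for the parsed ldap: section and a constructed LDIF entry; the way the field and filter options are combined into one search filter, and the uid default when field is unset, are assumptions about Ravada's behaviour.

```python
# Constructed stand-in for the parsed ldap: section of /etc/ravada.conf
LDAP_CFG = {
    "server": "192.168.1.44", "port": 636, "base": "dc=domain,dc=com",
    "field": "cn", "filter": "campus=North",
    "ravada_posix_group": "cn=ravada,ou=groups,dc=domain,dc=com",
}
# Constructed LDIF for the posixGroup named above (attribute lines start in column 1)
GROUP_LDIF = """dn: cn=ravada,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: ravada
memberUid: user1
memberUid: user2
"""

def effective_settings(cfg):
    """Apply the documented defaults: secure follows the port, auth is 'all'."""
    port = int(cfg.get("port", 389))
    secure = int(cfg.get("secure", 1 if port == 636 else 0))
    auth = cfg.get("auth", "all")
    if auth not in ("all", "bind", "match"):
        raise ValueError(f"auth must be all, bind or match, not {auth!r}")
    notes = []
    if not secure:
        notes.append("plain LDAP: admin and user passwords cross the wire unencrypted")
    if auth != "bind":
        notes.append("password matching allowed; the docs recommend auth: bind")
    return {"port": port, "secure": secure, "auth": auth, "notes": notes}

def ldap_escape(value):
    """RFC 4515 escaping so a typed username cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_search_filter(cfg, username):
    """Combine the user lookup (field, assumed default uid) with the filter option."""
    clauses = [f"({cfg.get('field', 'uid')}={ldap_escape(username)})"]
    if cfg.get("filter"):
        clauses.append(f"({cfg['filter']})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

def parse_ldif_entry(ldif):
    """Tiny one-entry LDIF reader: attribute name (lowercased) -> list of values."""
    entry = {}
    for key, _, val in (l.partition(":") for l in ldif.splitlines() if l and l[0] != "#"):
        entry.setdefault(key.strip().lower(), []).append(val.strip())
    return entry

def allowed_by_posix_group(ldif, username):
    """True when the entry is a posixGroup that lists username as a memberUid."""
    e = parse_ldif_entry(ldif)
    return "posixgroup" in [v.lower() for v in e.get("objectclass", [])] and username in e.get("memberuid", [])
```

Run effective_settings on your own section to see which defaults apply and whether a fallback to password matching is still possible; user_search_filter shows what a login attempt is turned into before it reaches the directory.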