docs: Updated LDAP Documentation (#1988)
* Updated LDAP Documentation

* fixed a typo

---------

Co-authored-by: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
a-gerhard and dpgaspar authored Feb 23, 2023
1 parent c5e453e commit 0132aad
Showing 2 changed files with 25 additions and 3 deletions.
13 changes: 10 additions & 3 deletions docs/config.rst
Expand Up @@ -56,6 +56,12 @@ Use config.py to configure the following parameters. By default it will use SQLL
| | AUTH_TYPE = 2 | |
| | | |
| | AUTH_LDAP_SERVER = "ldap://ldapserver.new" | |
| | | |
| | For using LDAP over TLS, set the protocol | |
| | scheme to "ldaps" and set | |
| | "AUTH_LDAP_USE_TLS = False" | |
+----------------------------------------+--------------------------------------------+-----------+
| AUTH_LDAP_USE_TLS | Require the use of STARTTLS | |
+----------------------------------------+--------------------------------------------+-----------+
| AUTH_LDAP_BIND_USER | Define the DN for the user that will be | No |
| | used for the initial LDAP BIND. | |
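Review bot: the new "For using LDAP over TLS" sentence in the AUTH_LDAP_SERVER cell should say that ldaps and STARTTLS are alternatives rather than settings to combine, and that neither of them selects how the server certificate is checked. The ``ldaps://`` scheme and ``AUTH_LDAP_USE_TLS = True`` only decide where the TLS handshake happens; which CA the peer certificate is verified against is governed by ``AUTH_LDAP_TLS_CACERTDIR`` / ``AUTH_LDAP_TLS_CACERTFILE`` further down in this table. A sentence such as "use either ldaps:// or STARTTLS, not both, and configure a CA certificate so the server certificate is verified" would stop readers assuming that switching the scheme alone authenticates the server.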
Expand All @@ -72,10 +78,11 @@ Use config.py to configure the following parameters. By default it will use SQLL
| | (Bool) | |
+----------------------------------------+--------------------------------------------+-----------+
| AUTH_LDAP_TLS_CACERTDIR | CA Certificate directory to check peer | No |
| | certificate | |
| | certificate. Certificate files must be | |
| | PEM-encoded | |
+----------------------------------------+--------------------------------------------+-----------+
| AUTH_LDAP_TLS_CACERTFILE | CA Certificate file to check peer | No |
| | certificate | |
| | certificate. File must be PEM-encoded | |
+----------------------------------------+--------------------------------------------+-----------+
| AUTH_LDAP_TLS_CERTFILE | Certificate file for client auth | No |
| | use with AUTH_LDAP_TLS_KEYFILE | |
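Review bot: the added "Certificate files must be PEM-encoded" wording for AUTH_LDAP_TLS_CACERTDIR is incomplete for OpenSSL-backed libldap, where a CA directory is searched by hashed file names (the layout produced by ``openssl rehash`` / ``c_rehash``), so PEM files simply copied into the directory are never found and the peer certificate cannot be verified. Suggest extending the cell to "PEM-encoded and hashed with openssl rehash", or pointing readers at AUTH_LDAP_TLS_CACERTFILE as the simpler option when a single CA bundle is enough.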
Expand Down Expand Up @@ -344,4 +351,4 @@ causes users 1 and 2 to be registered with role ``Admin`` and rest with the role
JMESPath expression allow more groups to be evaluated:
``email == 'user1@domain.com' && 'Admin' || (email == 'user2@domain.com' && 'Op' || 'Viewer')``

For more example, see `specification <https://jmespath.org/specification.html>`_.
For more example, see `specification <https://jmespath.org/specification.html>`_.
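Review bot: "For more example, see" should read "For more examples, see". Since this hunk already removes and re-adds that exact line (the -344,4 +351,4 range shows no other change, presumably a trailing-newline fix), the grammar fix fits here without touching anything else.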
15 changes: 15 additions & 0 deletions docs/security.rst
Expand Up @@ -154,6 +154,21 @@ You can give FlaskAppBuilder roles based on LDAP roles (note, this requires AUTH
# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800

TLS
~~~

For STARTTLS, configure an `ldap://` server and set `AUTH_LDAP_USE_TLS` to `True`::

AUTH_LDAP_SERVER = "ldap://ldap.example.com"
AUTH_LDAP_USE_TLS = True

For LDAP over TLS (ldaps), configure the server with the `ldaps://` scheme and set `AUTH_LDAP_USE_TLS` to `False`::

AUTH_LDAP_SERVER = "ldaps://ldap.example.com"
AUTH_LDAP_USE_TLS = False

Additional LDAP/TLS Options, including CA certificate settings and client authentication, can be found in the :doc:`config`.

Authentication: OAuth
---------------------

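Review bot: the inline literals in the new TLS section use single backticks (`ldap://`, `AUTH_LDAP_USE_TLS`, `True`), which reStructuredText renders as interpreted text rather than code; the rest of these docs use double backticks (for example ``Admin`` in config.rst), so these should be ``ldap://``, ``AUTH_LDAP_USE_TLS`` and ``True``. The section would also benefit from one sentence stating that the two modes are exclusive: with an ``ldaps://`` server the connection is already TLS, so requesting STARTTLS on top of it fails in libldap ("TLS already started"), and with ``ldap://`` the connection starts in cleartext until STARTTLS completes, so ``AUTH_LDAP_USE_TLS = True`` is what keeps the bind from going over plaintext. Finally, the closing pointer to :doc:`config` could name the CA certificate options explicitly, since those settings, not the URL scheme, determine which CA the server certificate is checked against.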