maddy

Fork https://github.com/foxcpp/maddy

git clone git://git.lin.moe/go/maddy.git

# LDAP BindDN

maddy supports authentication via LDAP using DN binding: maddy binds to the
directory as the user, and the LDAP server verifies the password.

maddy needs to know the DN to use for binding. It can be obtained either by
a directory search (`base_dn` + `filter`) or from a template (`dn_template`).

Note that storage backends conventionally use email addresses. If you use
non-email identifiers as usernames, you should map them onto emails on
delivery using `auth_map` (see the documentation page for the storage
backend in use).

auth.ldap can also be used as a table module. This way you can check
whether an account exists. It works only if the DN template is not used,
since a template is rendered without consulting the directory.
```
auth.ldap {
    urls ldap://maddy.test:389

    # Specify initial bind credentials. Not required ('bind off')
    # if DN template is used.
    bind plain "cn=maddy,ou=people,dc=maddy,dc=test" "123456"

    # Specify DN template to skip lookup (takes the place of base_dn/filter).
    dn_template "cn={username},ou=people,dc=maddy,dc=test"

    # Specify base_dn and filter to lookup DN.
    base_dn "ou=people,dc=maddy,dc=test"
    filter "(&(objectClass=posixAccount)(uid={username}))"

    tls_client { ... }
    starttls off
    debug off
    connect_timeout 1m
}
```

```
auth.ldap ldap://maddy.test:389 {
    ...
}
```

## Configuration directives

### urls _servers..._

**Required.**

URLs of the directory servers to use. The first available server
is used - no load-balancing is done.

URLs should use the `ldap://`, `ldaps://` or `ldapi://` scheme. Note that a
plain `ldap://` connection without `starttls on` carries the bind credentials,
including users' passwords, in cleartext; prefer `ldaps://`, `starttls on`, or
a local `ldapi://` socket.

---

### bind `off` | `unauth` | `external` | `plain` _username_ _password_

Default: `off`

Credentials to use for the initial bind. Required if DN lookup is used
(`base_dn` + `filter`); not needed with `dn_template`. The lookup account needs
only read access to the entries and attributes referenced by the filter, so do
not reuse an administrative account for it.

`unauth` performs an unauthenticated bind. `external` performs a SASL EXTERNAL
bind, which is useful for Unix socket connections (`ldapi://`) or TLS client
certificate authentication (the certificate is set using the `tls_client`
directive). `plain` performs a simple bind using the provided credentials,
which are sent in cleartext unless the connection is protected by TLS.

---

### dn_template _template_

DN template to use for binding. `{username}` is replaced with the
username specified by the user, and the result is bound to directly without a
directory search, so `bind` credentials are not needed. In this mode auth.ldap
cannot be used as a table module.

---

### base_dn _dn_

Base DN to use for the lookup search.

---

### filter _str_

DN lookup filter. `{username}` is replaced with the username specified
by the user. The search is run under `base_dn` and should match exactly one
entry, whose DN is then used for binding.

Example (POSIX accounts, looked up by `uid`):

```
(&(objectClass=posixAccount)(uid={username}))
```

Example (using ActiveDirectory: members of `user-group` whose account is not
disabled; `:1.2.840.113556.1.4.803:` is the bitwise-AND matching rule and
bit `2` of `userAccountControl` is ACCOUNTDISABLE):

```
(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName={username})(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
```

Example (looking up by email address, so that usernames already are the
email addresses storage backends expect and no `auth_map` is needed):

```
(&(objectClass=Person)(mail={username}))
```

---

### starttls _bool_

Default: `off`

Whether to upgrade the connection to TLS using STARTTLS. Applies to `ldap://`
URLs; `ldaps://` connections are encrypted from the start.

---

### tls_client { ... }

Advanced TLS client configuration. See [TLS configuration / Client](/reference/tls/#client) for details.

---

### connect_timeout _duration_

Default: `1m`

Timeout for the initial connection to the directory server.

---

### request_timeout _duration_

Default: `1m`

Timeout for each request (bind, lookup).