LDAP Configuration

September 3rd, 2020


LDAP Authentication is allows to prioritize authentication into Mango to use LDAP. The module allows you to configure the order in which Mango will attempt to authenticate a user. Mango will attempt all available authentication methods in order of priority and reject the user if none succeed. This module will optionally synchronize roles upon login based upon the regex matching and role behavior setting. Mango can always synchronize all matching roles from the LDAP server which is usually desired to that roles removed on an LDAP user are reflected in Mango. Any new user logging into Mango for the first time will be automatically created in Mango.

Env Properties

#LDAP Configuration
#In what order should the LDAP authentication be used, Lower values are higher priority.  Core authentication schemes are Token Auth = 2 Mango Username password = 1
#Username (DN) of the "manager" user identity (i.e. "uid=admin,ou=system") which
# will be used to authenticate to a (non-embedded) LDAP server. If omitted,
# anonymous access will be used.
#The password for the manager DN. This is required if the manager-dn is specified.
#How should passwords be decoded?  [PLAIN, BCRYPT, SCRYPT, ARGON2, SHA, PBKDF2, MD4] using anything other than PLAIN, BCRYPT and SHA will result in locked passwords
#Lock passwords so only can login via LDAP
#Comma separated list
#The LDAP filter used to search for users (optional). For example "(uid={0})". The
# substituted parameter is the user's login name.
#Search base for user searches. Defaults to "". Only used with ldap.authentication.userSearchFilter
#If your users are at a fixed location in the directory (i.e. you can work out the
# DN directly from the username without doing a directory search), you can use this
# attribute to map directly to the DN. It maps directly to the userDnPatterns
# property of AbstractLdapAuthenticator. The value is a specific pattern used to
# build the user's DN, for example "uid={0},ou=people". The key "{0}" must be present
# and will be substituted with the username. This can contain multiple search entries that will be tried in order
# separate lines(searches) by a semicolon ;
#The search base for group membership searches. Defaults to ""
#The LDAP filter to search for groups. Defaults to "(uniqueMember={0})". The
# substituted parameter is the DN of the user.
#Specifies the attribute name which contains the role name. Default is "cn"
#Attributes for mapping to Mango users
#Create any new roles for users when logging in
#For Active Directory Only
#can be empty domain used if username has no domain when authenticating
#can be empty root dn
#Control Mango Role Synchronization
#Enable new role creation for missing roles (if matches regex below)
#Regex to match which roles should be created ldap.authorization.newRoleRegex=.*
#How are roles handled?
#LDAP_ONLY=only ldap roles used and will be replaced on every login (default)
#MANGO_ONLY=all ldap roles ignored
#LDAP_ADDITIVE=Roles are imported from LDAP and the Mango user is ensured to have all roles assigned to them from LDAP. (This would imply manual intervention if an LDAP role is removed from a user)

Copyright © 2024 Radix IoT, LLC.