vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-05-22 10:45:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
ntopng/doc/README.LDAP
emanuele-f 4bff841289 Improve LDAP configuration warning
2018-05-18 17:19:33 +02:00

84 lines
3.2 KiB
Text
Raw Blame History

LDAP authentication can be enabled from the ntopng preferences page.
By default, authentication is set to 'Local', meaning that
local ntopng users are used instead of those found in LDAP.
To enable LDAP authentication there are two options, namely LDAP and
LDAP/Local. The latter tries LDAP authentication and, in case of
failure, it resorts to the local ntopng authentication. The former
simply tires LDAP authentication without resorting to the local ntopng
authentication upon failure.
LDAP/Local authentication may be useful, for example, to prevent
possible locked-out situations determined by connectivity issues of
the LDAP server. An administrator can configure a local ntopng
'recovery' user that will be used automatically in case the LDAP
server is not reachable.
LDAP authentication parameters are discussed below.
* LDAP Accounts Type
Allows to choose between 'Posix' and 'sAMAccount'.
* LDAP Server Address
Specifies LDAP server host IP address and port. Both LDAP and LDAPS
are handled. Examples are:
ldap://192.168.1.1:389
ldaps://192.168.1.1:636
Ports 389 and 636 are the default ports for ldap and ldaps, respectively.
* LDAP Anonymous Binding
An LDAP server, during the binding phase, can request binding
credential to the client.
If no binding credentials are requested by the server, then the field
"LDAP Anonymous Binding" has to be set to "on". Alternatively, if the
binding credentials are required, then the field must be set to "off"
and two additional fields have to be provided, namely "LDAP Bind DN"
and "LDAP Bind Authentication Password".
* LDAP Bind DN
In case "LDAP Anonymous Binding" is disabled, then this option
has to be specified and contains Bind Distinguished Names (DN).
An example is:
cn=admin,dc=example,dc=com
* LDAP Bind Authentication Password
In case "LDAP Anonymous Binding" is disabled, a binding password has
to be provided in this field.
* LDAP Search Path
The "LDAP Search Path" indicates the root of the tree among which
users and groups are searched.
An example is:
dc=example,dc=com
Assuming the field is populated with the example above, then an
hypothetical user "foo" will be searched in the subtress having root
dc=example,dc=com.
* LDAP User Group
This field specifies the group that contains users without
administrative privileges. This field has to be composed of a simple
identification string, e.g., "usersGroup". This resource will be
searched in the subtrees rooted at "LDAP Search Path". Users that
belong to this group will be able to use ntopng without
administrative privileges.
* LDAP Admin Group
The same description of "LDAP User Group" applies, with the only
difference that users belonging to this group will be able to use
ntopng with administrative privileges.
*IMPORTANT*
When using Posix accounts, the LDAP server should be configured as follows in order
to work correctly with ntopng:
- Into the LDAP user configuration, note down the "uid" parameter. You will it it below.
- Into the LDAP group configuration, you should add a new custom field "memberUid", with
the same value of the user "uid" field above.
As an example, supposing there is a group "usersGroup" and a user "ntopngUser" as uid,
a new field "memberUid" should be added to the "usersGroup" configuration with "ntopngUser" as
value.
Reference in a new issue View git blame Copy permalink