LDAP

Configuration

⚠️

This section is intended as an example configuration to help users with a rough contextual layout of this configuration section, it is not intended to explain the options. The configuration shown may not be a valid configuration, and you should see the options section below and the navigation links to properly understand each option individually.

authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    implementation: 'custom'
    timeout: '5s'
    start_tls: false
    tls:
      server_name: 'ldap.example.com'
      skip_verify: false
      minimum_version: 'TLS1.2'
      maximum_version: 'TLS1.3'
      certificate_chain: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----        
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----        
    base_dn: 'DC=example,DC=com'
    additional_users_dn: 'OU=users'
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    additional_groups_dn: 'OU=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    group_search_mode: 'filter'
    permit_referrals: false
    permit_unauthenticated_bind: false
    user: 'CN=admin,DC=example,DC=com'
    password: 'password'
    attributes:
      distinguished_name: 'distinguishedName'
      username: 'uid'
      display_name: 'displayName'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'

Options

This section describes the individual configuration options.

address

string address required

⚠️

Reference Note: This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Address reference guide.

The LDAP URL which consists of a scheme, hostname, and port. Format is [<scheme>://]<hostname>[:<port>]. The default scheme is ldapi if the path is absolute otherwise it’s ldaps, and the permitted schemes are ldap, ldaps, or ldapi (a unix domain socket).

If the scheme is ldapi it must be followed by an absolute path to an existing unix domain socket that the user/group the Authelia process is running as has the appropriate permissions to access. For example if the socket is located at /var/run/slapd.sock the address should be ldapi:///var/run/slapd.sock.

Examples:

authentication_backend:
  ldap:
    address: 'ldaps://dc1.example.com'

authentication_backend:
  ldap:
    address: 'ldap://[fd00:1111:2222:3333::1]'

implementation

string custom not required

Configures the LDAP implementation used by Authelia.

See the Implementation Guide for information.

timeout

string integer duration 5 seconds not required

⚠️

Reference Note: This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The timeout for dialing an LDAP connection.

start_tls

boolean false not required

Enables use of the LDAP StartTLS process which is not commonly used. You should only configure this if you know you need it. The initial connection will be over plain text, and Authelia will try to upgrade it with the LDAP server. LDAPS URL’s are slightly more secure.

tls

structure tls not required

⚠️

Reference Note: This configuration option uses a common structure. For more information please see both the configuration example and the Common Structure: TLS reference guide.

Controls the TLS connection validation parameters for either StartTLS or the TLS socket.

base_dn

string required

Sets the base distinguished name container for all LDAP queries. If your LDAP domain is example.com this is usually DC=example,DC=com, however you can fine tune this to be more specific for example to only include objects inside the authelia OU: OU=authelia,DC=example,DC=com. This is prefixed with the additional_users_dn for user searches and additional_groups_dn for groups searches.

additional_users_dn

string not required

Additional LDAP path to append to the base_dn when searching for users. Useful if you want to restrict exactly which OU to get users from for either security or performance reasons. For example setting it to OU=users,OU=people with a base_dn set to DC=example,DC=com will mean user searches will occur in OU=users,OU=people,DC=example,DC=com.

users_filter

string situational

Note: This option is technically required however the implementation option can implicitly set a default negating this requirement. Refer to the filter defaults for more information.

The LDAP filter to narrow down which users are valid. This is important to set correctly as to exclude disabled users. The default value is dependent on the implementation, refer to the attribute defaults for more information.

additional_groups_dn

string not required

Similar to additional_users_dn but it applies to group searches.

groups_filter

string situational

Note: This option is technically required however the implementation option can implicitly set a default negating this requirement. Refer to the filter defaults for more information.

Similar to users_filter but it applies to group searches. In order to include groups the member is not a direct member of, but is a member of another group that is a member of those (i.e. recursive groups), you may try using the following filter which is currently only tested against Microsoft Active Directory:

(&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))

group_search_mode

string filter not required

The group search mode controls how user groups are discovered. The default of filter directly uses the filter to determine the result. The memberof experimental mode does another special filtered search. See the Reference Documentation for more information.

permit_referrals

boolean false not required

Permits following referrals. This is useful if you have read-only servers in your architecture and thus require referrals to be followed when performing write operations.

permit_unauthenticated_bind

boolean false not required

WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP server and utilizing a service account.

Permits binding to the server without a password. For this option to be enabled both the password configuration option must be blank and the password_reset disable option must be true.

permit_feature_detection_failure

boolean false not required

Authelia searches for the RootDSE to discover supported controls and extensions. This option is a compatibility option which should not be enabled unless the LDAP server returns an error when searching for the RootDSE.

user

string required

The distinguished name of the user paired with the password to bind with for lookup and password change operations.

password

string required

Important Note: This can also be defined using a secret which is strongly recommended especially for containerized deployments.

The password paired with the user used to bind to the LDAP server for lookup and password change operations.

It’s strongly recommended this is a Random Alphanumeric String with 64 or more characters and the user password is changed to this value.

attributes

The following options configure The directory server attribute mappings.

distinguished_name

string situational

Note: This option is technically not required however it is required when using the group search mode memberof replacement {memberof:dn}.

The directory server attribute which contains the distinguished name, primarily used to perform filtered searches. There is a clear distinction between the actual distinguished name and a distinguished name attribute, all directories have distinguished names for objects, but not all have an attribute representing this that can be searched on.

The only known support at this time is with Active Directory.