[ARVADOS] updated: 1.3.0-2543-gbbb132e98

Git user git at public.arvados.org
Thu May 7 15:12:22 UTC 2020


Summary of changes:
 doc/install/setup-login.html.textile.liquid | 29 ++++++++++++++++++++++++++++-
 lib/config/config.default.yml               |  3 ++-
 lib/config/generated_config.go              |  3 ++-
 3 files changed, 32 insertions(+), 3 deletions(-)

       via  bbb132e983f9ec5c7d50cf0ab709ec041af1f844 (commit)
      from  5763409818cd2ab68c0f59b6a97d0c3df090907f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit bbb132e983f9ec5c7d50cf0ab709ec041af1f844
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Thu May 7 11:07:48 2020 -0400

    15881: Add LDAP option to install docs.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index c9e65ca7e..753ba82ba 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -12,8 +12,9 @@ SPDX-License-Identifier: CC-BY-SA-3.0
 Select one of the following login mechanisms for your cluster.
 
 # If all users will authenticate with Google, "configure Google login":#google.
+# If all users will authenticate with an existing LDAP service, "configure LDAP":#ldap.
 # If all users will authenticate using PAM as configured on your controller node, "configure PAM":#pam.
-# If you need to enable multiple authentication methods, or your backend can't be configured as a PAM service on your controller node, "configure a separate single sign-on (SSO) server":#sso.
+# If you need to enable multiple authentication methods, "configure a separate single sign-on (SSO) server":#sso.
 
 h2(#google). Google login
 
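Review bot: the rewritten SSO item drops "or your backend can't be configured as a PAM service on your controller node", so after this change the list has no entry for a site whose single backend is none of Google, LDAP or PAM. If the separate SSO server is still the recommended route in that case, suggest keeping it as a condition, for example "If you need to enable multiple authentication methods, or your backend is not covered by the options above, ...".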
@@ -29,6 +30,32 @@ Next, copy the values of *Client ID* and *Client secret* from the Google Develop
       GoogleClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
 </pre>
 
+h2(#ldap). LDAP
+
+With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory.
+
+Enable LDAP authentication in @config.yml@:
+
+<pre>
+    Login:
+      LDAP:
+        Enable: true
+        URL: ldap://ldap.example.com:389
+        SearchBindUser: cn=lookupuser,dc=example,dc=com
+        SearchBindPassword: xxxxxxxx
+        SearchBase: ou=Users,dc=example,dc=com
+</pre>
+
+The email address reported by LDAP will be used as primary key for Arvados accounts. This means *users must not be able to edit their own email addresses* in the directory.
+
+Additional configuration settings are available:
+* @StartTLS@ is enabled by default.
+* @StripDomain@ and @AppendDomain@ modify the username entered by the user before searching for it in the directory.
+* @SearchAttribute@ (default @uid@) is the LDAP attribute used when searching for usernames.
+* @SearchFilters@ accepts LDAP filter expressions to control which users can log in.
+
+Check the LDAP section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
+
 h2(#pam). PAM (experimental)
 
 With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.
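Review bot: the example places `URL: ldap://ldap.example.com:389` next to `SearchBindPassword`, but the reader only learns that StartTLS covers this connection further down, in the "Additional configuration settings" list. An LDAP simple bind over plain ldap:// without StartTLS sends the bind password and each user's password unencrypted, so I would state directly under the example that StartTLS is enabled by default and should stay enabled, and mention the ldaps:// URL form that this same commit adds to the comment in config.default.yml. The sentence about email as primary key would also benefit from saying why it matters: a user who can edit their own email address in the directory could end up mapped to another user's Arvados account.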
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index a06526fd6..2aa58ac31 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -577,7 +577,8 @@ Clusters:
         # Use an LDAP service to authenticate users.
         Enable: false
 
-        # Server URL, like "ldap://ldapserver.example.com:389".
+        # Server URL, like "ldap://ldapserver.example.com:389" or
+        # "ldaps://ldapserver.example.com:636".
         URL: "ldap://ldap:389"
 
         # Use StartTLS upon connecting to the server.
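Review bot: the comment now offers "ldaps://ldapserver.example.com:636" directly above the StartTLS setting, and the install doc in this commit says StartTLS is enabled by default, so it is unclear what happens when an ldaps:// URL is combined with that default. Suggest one more comment line saying whether StartTLS has to be set to false for an ldaps:// URL or is ignored in that case.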
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index e5ec035c6..4677fe544 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -583,7 +583,8 @@ Clusters:
         # Use an LDAP service to authenticate users.
         Enable: false
 
-        # Server URL, like "ldap://ldapserver.example.com:389".
+        # Server URL, like "ldap://ldapserver.example.com:389" or
+        # "ldaps://ldapserver.example.com:636".
         URL: "ldap://ldap:389"
 
         # Use StartTLS upon connecting to the server.

-----------------------------------------------------------------------


hooks/post-receive
-- 



