# FreeIPA for LDAP Authentication
# Preamble
The EE server and client support the LDAP protocol that allows you to configure an external LDAP service for authentication.
This guide here will explain how to configure Psono server to use a FreeIPA LDAP. We assume that Psono server can firewall / network wise access the LDAP Server / port.
In addition we assume that your webclient is running on https://example.com, the server is reachable with
https://example.com/server
(e.g. https://example.com/server/info/
shows you some nice json output).
TIP
This feature is only available in the Enterprise Edition.
# Server (settings.yaml)
During the installation of the server you have created a settings.yaml that needs to be adjusted now.
Standard configuration
First lets configure the standard configuration part that is the same for all LDAP connections
LDAP : [ { 'LDAP_URL': 'YOUR_LDAP_URL', 'LDAP_DOMAIN': 'LDAP_DOMAIN', 'LDAP_BIND_DN': 'YOUR_LDAP_BIND_DN', 'LDAP_BIND_PASS': 'YOUR_LDAP_BIND_PASS', 'LDAP_SEARCH_USER_DN': 'YOUR_LDAP_SEARCH_USER_DN', 'LDAP_SEARCH_GROUP_DN': 'YOUR_LDAP_SEARCH_GROUP_DN', ... }, ]
- Replace
YOUR_LDAP_URL
with the URL to your LDAP. e.g. ldaps://192.168.0.1:636 - Replace
YOUR_LDAP_DOMAIN
with your LDAP's domain. e.g. example.com - Replace
YOUR_LDAP_BIND_DN
with the DN of a user in your LDAP that can browse the directory. e.g. CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com - Replace
YOUR_LDAP_BIND_PASS
with the password fo the user specified with the LDAP_BIND_DN - Replace
YOUR_LDAP_SEARCH_USER_DN
with the root DN underneath legit user objects would reside. - Replace
YOUR_LDAP_SEARCH_GROUP_DN
with the root DN underneath legit group objects would reside.
- Replace
Adjust the setting.yml as shown below
The specific part for FreeIPA looks like this.
LDAP : [ { ... 'LDAP_ATTR_GUID': 'ipaUniqueID', 'LDAP_OBJECT_CLASS_USER': 'posixaccount', 'LDAP_OBJECT_CLASS_GROUP': 'posixgroup', 'LDAP_ATTR_USERNAME': 'uid', 'LDAP_ATTR_EMAIL': 'mail', 'LDAP_ATTR_GROUPS': 'memberOf', 'LDAP_MEMBER_OF_OVERLAY': True, 'LDAP_MEMBER_ATTRIBUTE': 'uid', 'LDAP_ATTR_MEMBERS': 'cn', ... }, ]
Test your integration
To test the settings you can use the
testldap
command like shown belowdocker run --rm \ -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \ -ti psono/psono-combo-enterprise:latest python3 ./psono/manage.py testldap username@something.com thePassWord
TIP
Once you have a working configuration don't forget to restart the server.
# Client (config.json)
Now you have to configure your client, so your users can use this configured IDP.
Edit config.json
Update your config.json similar to the one shown below.
{ "backend_servers": [{ "autoapprove_plain_password": true, ... }], "authentication_methods": ["LDAP"], ... }
The variable
authentication_methods
restricts the allowed login methods. In the example above only LDAP will be allowed. Theautoapprove_plain_password
flag will hide a warning dialog for the user, informing him about the plaintext master password transfer.