AD Config

If you are using Active Directory, use this `ldap` section in your configuration YAML:

```yaml
ldap:
    ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
    ## Acceptable options are as follows:
    ## - 'activedirectory' - For Microsoft Active Directory.
    ## - 'custom' - For custom specifications of attributes and filters.
    ## This currently defaults to 'custom' to maintain existing behaviour.
    ##
    ## Depending on the option here certain other values in this section have a default value, notably all of the
    ## attribute mappings have a default value that this config overrides, you can read more about these default values
    ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
    implementation: activedirectory

    ## The URL of the LDAP server. Format: <scheme>://<address>[:<port>].
    ## Scheme can be ldap or ldaps in the format (port optional).
    url: ldap://192.168.10.20:389

    ## Use StartTLS with the LDAP connection.
    start_tls: false

    tls:
      ## Server Name for certificate validation (in case it's not set correctly in the URL).
      # server_name: ldap.example.com

      ## Skip verifying the server certificate (to allow a self-signed certificate).
      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
      skip_verify: true

      ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
      minimum_version: TLS1.2

    ## The distinguished name of the container searched for objects in the directory information tree.
    ## See also: additional_users_dn, additional_groups_dn.
    base_dn: DC=example,DC=com

    ## The attribute holding the username of the user. This attribute is used to populate the username in the session
    ## information. It was introduced due to #561 to handle case insensitive search queries. For your information,
    ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
    ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
    ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
    ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
    ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
    ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
    username_attribute: sAMAccountName

    ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
    ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
    #additional_users_dn: OU=Users

    ## The users filter used in search queries to find the user profile based on input filled in login form.
    ## Various placeholders are available in the user filter:
    ## - {input} is a placeholder replaced by what the user inputs in the login form.
    ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`.
    ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
    ##
    ## Recommended settings are as follows:
    ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
    ## - OpenLDAP:
    ##   - (&({username_attribute}={input})(objectClass=person))
    ##   - (&({username_attribute}={input})(objectClass=inetOrgPerson))
    ##
    ## To allow sign in both with username and email, one can use a filter like
    ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))

    ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
    ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
    #additional_groups_dn: OU=Groups

    ## The groups filter used in search queries to find the groups of the user.
    ## - {input} is a placeholder replaced by what the user inputs in the login form.
    ## - {username} is a placeholder replaced by the username stored in LDAP (based on `username_attribute`).
    ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
    ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
    ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
    ##
    ## If your groups use the `groupOfUniqueNames` structure use this instead:
    ##    (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
    groups_filter: (&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))

    ## The attribute holding the name of the group.
    group_name_attribute: cn

    ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
    ## first one returned by the LDAP server is used.
    mail_attribute: mail

    ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
    display_name_attribute: displayname

    ## The username and password of the admin user.
    user: CN=Administrator,CN=Users,DC=example,DC=com
    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    password: P@ssw0rd12345!!
```
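The `users_filter` above substitutes the login-form `{input}` straight into an LDAP query, so that value must be escaped before it reaches the directory. This added example (not Authelia's own code) renders the page's filter with RFC 4515 escaping and mirrors its two Active Directory clauses, the `1.2.840.113556.1.4.803` bit-AND on `userAccountControl` and the `pwdLastSet` check, against constructed sample values.

```python
# Added example, not Authelia's own code: renders the users_filter from the AD config
# above the way the page describes (placeholders substituted with configured values),
# escaping the login-form {input} per RFC 4515 so that a user cannot alter the filter's
# structure, and mirrors the two AD-specific clauses of that filter for a sample entry.

# Values taken from the configuration on this page.
USERNAME_ATTRIBUTE = "sAMAccountName"
MAIL_ATTRIBUTE = "mail"
USERS_FILTER = (
    "(&(|({username_attribute}={input})({mail_attribute}={input}))"
    "(objectCategory=person)(objectClass=user)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))"
)

# RFC 4515 section 3: these characters in an assertion value must be written as \XX.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# userAccountControl bit 0x2 = ACCOUNTDISABLE; the 1.2.840.113556.1.4.803 rule is a bitwise AND.
ACCOUNTDISABLE = 0x0002


def escape_filter_value(value: str) -> str:
    """Escape a value so the LDAP server matches it literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_users_filter(login_input: str, template: str = USERS_FILTER) -> str:
    """Fill the placeholders; {input} is the only untrusted one and is escaped first."""
    filled = template.replace("{username_attribute}", USERNAME_ATTRIBUTE)
    filled = filled.replace("{mail_attribute}", MAIL_ATTRIBUTE)
    return filled.replace("{input}", escape_filter_value(login_input))


def ad_account_usable(user_account_control: int, pwd_last_set: int) -> bool:
    """Mirror (!userAccountControl:...:=2) and (!pwdLastSet=0) for one entry.

    Both attributes are assumed present on the entry (constructed sample values in the
    demo below); disabled accounts and 'must change password at next logon' are rejected.
    """
    return (user_account_control & ACCOUNTDISABLE) == 0 and pwd_last_set != 0


if __name__ == "__main__":
    print(render_users_filter("alice"))
    # Filter metacharacters typed in the login form stay inside the assertion value.
    print(render_users_filter("*)(objectClass=*"))
    print(ad_account_usable(512, 133_000_000_000_000_000), ad_account_usable(514, 1))
```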
Last updated 3 years ago