LDAP Authentication⚓︎
Prompt

- LDAP support lets users from an LDAP directory or Windows AD log in to JumpServer.
1 LDAP Configuration⚓︎
- Either LDAP or LDAPS can be selected for the configuration.

LDAP:

| Name | Explanation |
|---|---|
| LDAP address | ldap://serverurl:389 |
| Bind DN | administrator@jumpserver.org |
| Password | ******** |
| Users' OU | ou=jumpserver,dc=jumpserver,dc=org |
| User filter | (cn=%(user)s) |
| Mapping of LDAP attributes | {"username": "cn", "name": "sn", "email": "mail"} |
| Enable LDAP authentication | ☑️ |

LDAPS:

| Name | Explanation |
|---|---|
| LDAP address | ldaps://serverurl:636 |
| Bind DN | administrator@jumpserver.org |
| Password | ******** |
| Users' OU | ou=jumpserver,dc=jumpserver,dc=org |
| User filter | (cn=%(user)s) |
| Mapping of LDAP attributes | {"username": "cn", "name": "sn", "email": "mail"} |
| Enable LDAP authentication | ☑️ |
| CA certificate | /opt/jumpserver/core/data/certs/ldap_ca.pem |
Attention
- For some LDAP services, such as ldap.google.com, account password authentication must be enabled and the stunnel agent must be configured.
2 Option Description⚓︎
DN

A complete DN must be given and no OU may be skipped, e.g. `cn=admin,ou=aaa,dc=jumpserver,dc=org`. The `user@domain.com` format can also be used.

User OU

Only the top-level OU needs to be written; sub-OUs do not have to be listed. For example, `ou=aaa,ou=bbb,ou=ccc,dc=jumpserver,dc=org` can be written as `ou=ccc,dc=jumpserver,dc=org`.

User Filter

Retrieves users from the user organizational unit (OU) according to the filter rule, and supports the "memberof" attribute. Examples: `(uid=%(user)s)` or `(sAMAccountName=%(user)s)`.

Mapping of LDAP Attributes

The keys `username`, `name` and `email` cannot be renamed or deleted. Examples: `{"username": "uid", "name": "sn", "email": "mail"}` or `{"username": "sAMAccountName", "name": "cn", "email": "mail"}`.
Attention
- The attribute used in the user filter and the one mapped to `username` in the LDAP attribute mapping must be consistent: if the filter uses `uid`, the attribute mapping should also use `uid` for `username`.
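The option descriptions above and the consistency rule in the attention note, worked through as an added example (not JumpServer's own code): the login name is substituted into the `%(user)s` placeholder with RFC 4515 escaping, the filter attribute is checked against the `username` entry of the attribute mapping, and a directory entry is mapped to user fields. The settings and the directory entry are constructed values that mirror the page's configuration.

```python
import json
import re

# Constructed values mirroring the page's settings (hypothetical names, not JumpServer's own).
USER_SEARCH_FILTER = "(cn=%(user)s)"
USER_ATTR_MAP = json.loads('{"username": "cn", "name": "sn", "email": "mail"}')

# RFC 4515 escaping for values placed into a search filter: a login name containing
# filter metacharacters such as "*" or ")" must not change the meaning of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, user: str) -> str:
    """Substitute the escaped login name into the %(user)s placeholder."""
    return template % {"user": escape_filter_value(user)}


def filter_attribute(template: str) -> str:
    """Return the attribute on the left of %(user)s, e.g. 'cn', 'uid' or 'sAMAccountName'."""
    m = re.search(r"\(\s*([A-Za-z][\w-]*)\s*=\s*%\(user\)s\s*\)", template)
    if not m:
        raise ValueError("filter must contain an (attr=%(user)s) term")
    return m.group(1)


def check_mapping_consistency(template: str, attr_map: dict) -> bool:
    """The page's rule: the filter attribute and the mapped 'username' attribute must agree."""
    for key in ("username", "name", "email"):
        if key not in attr_map:
            raise ValueError(f"attribute map must keep the '{key}' key")
    return filter_attribute(template).lower() == attr_map["username"].lower()


def map_entry(attr_map: dict, entry: dict) -> dict:
    """Turn a directory entry (attribute -> list of values) into user fields."""
    return {field: entry.get(ldap_attr, [""])[0] for field, ldap_attr in attr_map.items()}


if __name__ == "__main__":
    # Constructed directory entry for a single user.
    entry = {"cn": ["alice"], "sn": ["Liddell"], "mail": ["alice@jumpserver.org"]}
    print(build_user_filter(USER_SEARCH_FILTER, "alice"))
    print(check_mapping_consistency(USER_SEARCH_FILTER, USER_ATTR_MAP))
    print(map_entry(USER_ATTR_MAP, entry))
```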
3 Parameter Description⚓︎
- Some LDAP functions are configured in jumpserver/config/config.txt
- LDAP parameter description:

```
# LDAP/AD settings
# LDAP search page size
AUTH_LDAP_SEARCH_PAGED_SIZE=1000
#
# Scheduled user synchronization
# Enable / Disable
AUTH_LDAP_SYNC_IS_PERIODIC=True
# Synchronization interval in hours (takes priority over the crontab expression)
AUTH_LDAP_SYNC_INTERVAL=12
# Crontab expression
AUTH_LDAP_SYNC_CRONTAB=* 6 * * *
#
# When logging in as an LDAP user, only users already in the user list are allowed to authenticate against the LDAP server
AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS=False
#
# If the following message appears in the log during LDAP authentication, set this parameter to 0 (for details, see: https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
AUTH_LDAP_OPTIONS_OPT_REFERRALS=-1
```