LDAP
This group authenticates users against a remote LDAP server by using simple bind.
Static and dynamic users are still supported. LDAP verifies the presented
password, then vey-proxy loads the rest of the user policy from the static
list, the dynamic source, or unmanaged_user.
The following common keys are supported:
ldap_url
required, type: LDAP URL
LDAP URL in the form <schema>://<server_name>:[<port>]/<base_dn>.
The schema must be either ldap or ldaps. The default port is 389
for ldap and 636 for ldaps.
tls_client
optional, type: openssl tls client config
TLS parameters for the local TLS client. If set to an empty map, the default configuration is used.
If the LDAP URL uses the ldap scheme and this field is set, STARTTLS is
used.
If the schema is ldaps, a default TLS client config is created
automatically even when this field is omitted.
default: not set
tls_name
optional, type: tls name
TLS server name used to verify peer certificates.
If not set, the host part of each peer will be used.
default: not set
username_attribute
optional, type: string
LDAP attribute name used for usernames.
The most common value is uid while some LDAP servers may use cn.
default: uid
unmanaged_user
optional, type: user
Configures and enables unmanaged users.
This is a template user configuration for users who authenticate successfully with LDAP but are not defined in either the static or dynamic user lists.
If not set, only static or dynamic users will be allowed.
default: not set
max_message_size
optional, type: humanize usize
Maximum message size accepted when parsing responses from the LDAP server.
default: 256
connect_timeout
optional, type: humanize duration
Timeout for establishing the TCP connection to the LDAP server.
default: 4s
response_timeout
optional, type: humanize duration
Timeout while reading responses from the LDAP server.
default: 2s
connection_pool
optional, type: connection pool
Connection-pool configuration.
default: set with default value, alias: pool
queue_channel_size
optional, type: non-zero usize
Queue channel size used when authenticating a client request against the LDAP server.
default: 64
queue_wait_timeout
optional, type: humanize duration
Timeout while authenticating a client request against the LDAP server.
default: 4s
cache_user_count
optional, type: non-zero usize
Maximum number of users stored in the thread-local LRU cache.
default: 128
cache_expire_time
optional, type: humanize duration
Expiration time for valid passwords in the thread-local LRU cache.
default: 5min
Example
name: corp-ldap
type: ldap
ldap_url: ldaps://ldap.example.net/dc=example,dc=net
username_attribute: uid
cache_user_count: 256
cache_expire_time: 10min
unmanaged_user:
name: ldap-template
explicit_sites: []