using lldap
@@ -63,6 +63,10 @@ if [[ -f "/mnt/secrets/authelia.env" ]]; then
|
||||
[[ -n "${AUTHELIA_ADMIN_PASSWORD:-}" ]] && ADMIN_PASS="$AUTHELIA_ADMIN_PASSWORD"
|
||||
[[ -n "${MAIL_ADMIN_EMAIL:-}" ]] && ADMIN_EMAIL="$MAIL_ADMIN_EMAIL"
|
||||
[[ -n "${MAIL_ADMIN_PASSWORD:-}" ]] && MAIL_PASS="$MAIL_ADMIN_PASSWORD"
|
||||
[[ -n "${LLDAP_URL:-}" ]] && LLDAP_URL="$LLDAP_URL"
|
||||
[[ -n "${LLDAP_BASE_DN:-}" ]] && LLDAP_BASE_DN="$LLDAP_BASE_DN"
|
||||
[[ -n "${LLDAP_BIND_USER:-}" ]] && LLDAP_BIND_USER="$LLDAP_BIND_USER"
|
||||
[[ -n "${LLDAP_BIND_PASSWORD:-}" ]] && LLDAP_BIND_PASSWORD="$LLDAP_BIND_PASSWORD"
|
||||
fi
|
||||
|
||||
if [[ -z "$ADMIN_PASS" ]]; then read -sp "Enter Admin Password: " ADMIN_PASS; echo; fi
|
||||
@@ -118,8 +122,24 @@ identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: "$JWT_SECRET"
|
||||
authentication_backend:
|
||||
file:
|
||||
path: $USERS_FILE
|
||||
ldap:
|
||||
implementation: custom
|
||||
address: $LLDAP_URL
|
||||
timeout: 5s
|
||||
start_tls: false
|
||||
base_dn: $LLDAP_BASE_DN
|
||||
additional_users_dn: ou=people
|
||||
additional_groups_dn: ou=groups
|
||||
user: $LLDAP_BIND_USER
|
||||
password: "$LLDAP_BIND_PASSWORD"
|
||||
attributes:
|
||||
username: uid
|
||||
display_name: displayName
|
||||
group_name: cn
|
||||
mail: mail
|
||||
member_of: memberOf
|
||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfUniqueNames))
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
@@ -137,7 +157,6 @@ session:
|
||||
redis:
|
||||
host: 192.168.0.120
|
||||
port: 6379
|
||||
# Password line REMOVED. Handled by start_authelia.sh via AUTHELIA_SESSION_REDIS_PASSWORD
|
||||
database_index: 1
|
||||
storage:
|
||||
encryption_key: "$STORAGE_KEY"
|
||||
@@ -217,44 +236,6 @@ $OIDC_KEY_CONTENT
|
||||
token_endpoint_auth_method: client_secret_post
|
||||
EOF
|
||||
|
||||
# --- 5. GENERATE USERS ---
|
||||
echo "👥 Generating Users..."
|
||||
ADMIN_HASH=$($AUTHELIA_BIN crypto hash generate argon2 --password "$ADMIN_PASS" | grep -o '\$argon2id\$.*')
|
||||
|
||||
cat <<EOF > "$USERS_FILE"
|
||||
users:
|
||||
admin:
|
||||
displayname: "Admin User"
|
||||
password: "$ADMIN_HASH"
|
||||
email: "$ADMIN_EMAIL"
|
||||
groups:
|
||||
- admins
|
||||
EOF
|
||||
|
||||
if [[ -n "${USERS_JSON:-}" ]]; then
|
||||
if command -v jq &> /dev/null; then
|
||||
echo " -> Adding JSON users..."
|
||||
echo "$USERS_JSON" | jq -c '.[]' | while read -r user; do
|
||||
u_name=$(echo "$user" | jq -r '.username')
|
||||
u_pass=$(echo "$user" | jq -r '.password')
|
||||
u_full=$(echo "$user" | jq -r '.name')
|
||||
u_email=$(echo "$user" | jq -r '.email')
|
||||
[[ -z "$u_name" ]] && continue
|
||||
u_hash=$($AUTHELIA_BIN crypto hash generate argon2 --password "$u_pass" | grep -o '\$argon2id\$.*')
|
||||
|
||||
cat <<EOF >> "$USERS_FILE"
|
||||
$u_name:
|
||||
displayname: "$u_full"
|
||||
password: "$u_hash"
|
||||
email: "$u_email"
|
||||
groups:
|
||||
- users
|
||||
- family
|
||||
EOF
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
# --- 6. PERMISSIONS & VALIDATION ---
|
||||
echo "🔧 Fixing Permissions..."
|
||||
if ! id "$SERVICE_USER" &>/dev/null; then
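Review bot: The LDAP bind password is written into the generated configuration in plaintext at `password: "$LLDAP_BIND_PASSWORD"`, while the same commit's Redis section deliberately keeps its password out of the file and has start_authelia.sh inject it via AUTHELIA_SESSION_REDIS_PASSWORD; the two secrets should be handled the same way, so drop the `password:` line here and export `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD` from start_authelia.sh instead. With `start_tls: false` the bind credential and every user's password travel in cleartext unless `$LLDAP_URL` is an `ldaps://` address, which nothing in the script checks; a guard before the heredoc such as `[[ "$LLDAP_URL" == ldaps://* ]] || echo "⚠️  LLDAP_URL is not ldaps://, LDAP credentials will be sent unencrypted"` would make that explicit. The four new lines in the first hunk of the form `[[ -n "${LLDAP_URL:-}" ]] && LLDAP_URL="$LLDAP_URL"` assign each variable to itself and so do nothing; if the intent was to require these values, replace them with a check that aborts when `LLDAP_URL`, `LLDAP_BASE_DN` or `LLDAP_BIND_USER` is empty, since an empty `address:` or `base_dn:` otherwise reaches the config unnoticed. If the `file:`/`path:` lines are still present on the new side (the hunk's markers are lost on this page, so it is not certain), that configures a second backend alongside `ldap:`, which Authelia rejects at startup as far as I recall, and `$USERS_FILE` is no longer generated now that the user-generation section is removed.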
|
||||
|
||||