path: root/modules/auth/ldap/README.md
author: juju2013 <cahterinedesienne@gmail.com> 2014-04-22 18:55:27 +0200
committer: juju2013 <catherinedesienne@gmail.com> 2014-04-23 23:07:54 +0200
commit: efc05ea1dec5a60c95763fc5158d60b45ef46d8f (patch)
tree: c50ebba5664215d010835bbbd7234c0fa50a87d7 /modules/auth/ldap/README.md
parent: dbdaf934e1b8fab06361266268bb55d30b352f37 (diff)
initial support for LDAP authentication/MSAD
Diffstat (limited to 'modules/auth/ldap/README.md')
-rw-r--r-- modules/auth/ldap/README.md 43
1 files changed, 43 insertions, 0 deletions
diff --git a/modules/auth/ldap/README.md b/modules/auth/ldap/README.md
new file mode 100644
index 0000000000..8b508e0fe0
--- /dev/null
+++ b/modules/auth/ldap/README.md
@@ -0,0 +1,43 @@
+LDAP authentication
+===================
+
+## Goal
+
+Authenticat user against LDAP directories
+
+It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers
+
+The first OK wins.
+
+If there's connection error, the server will be disabled and won't be checked again
+
+## Usage
+
+In the [security] section, set
+> LDAP_AUTH = true
+
+then for each LDAP source, set
+
+> [LdapSource-someuniquename]
+> name=canonicalName
+> host=hostname-or-ip
+> port=3268 # or regular LDAP port
+> # the following settings depend highly how you've configured your AD
+> basedn=dc=ACME,dc=COM
+> MSADSAFORMAT=%s@ACME.COM
+> filter=(&(objectClass=user)(sAMAccountName=%s))
+
+### Limitation
+
+Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)
+
+This MSAD is a mess.
+
+The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration
+
+### Todo
+* Define a timeout per server
+* Check servers marked as "Disabled" when they'll come back online
+* Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
+* Check OpenLDAP server
+* SSL support ? \ No newline at end of file
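Review bot: In the Usage block, `MSADSAFORMAT=%s@ACME.COM` and `filter=(&(objectClass=user)(sAMAccountName=%s))` show the login name substituted directly into the bind name and the search filter, but the README does not say whether that value is escaped (RFC 4515 filter escaping of `*`, `(`, `)`, `\` and NUL) or validated before substitution; please document which it is, since an operator reading this will otherwise assume any filter template is safe to use with untrusted logins. The Limitation section should also state that, until the "SSL support ?" Todo item is done, the simple bind described in "It will bind with the user's login/pasword" sends the password to `host`/`port` in cleartext, and "the server will be disabled and won't be checked again" should say whether that state is per process (reset on restart) or persistent. Minor: "Authenticat", "pasword" and "attributs" in the Goal section are typos.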