diff --git a/docs/articles/authn-authz.md b/docs/articles/authn-authz.md index 99c8e90..129bd5c 100644 --- a/docs/articles/authn-authz.md +++ b/docs/articles/authn-authz.md @@ -116,6 +116,7 @@ zot supports integration with an LDAP-based authentication service such as Micro ... "auth": { "ldap": { + "credentialsFile": "examples/config-ldap-credentials.json", "address": "ldap.example.org", "port": 389, "startTLS": false, 
@@ -131,22 +132,38 @@ zot supports integration with an LDAP-based authentication service such as Micro } ``` -The following table lists the configurable attributes for LDAP -authentication. +The following table lists the configurable attributes for LDAP authentication. | Attribute | Description | |-----------------|----------------------------------------------------------------------------------| +| `credentialsFile` | The path to a file containing the bind credentials for LDAP. | | `address` | The IP address or hostname of the LDAP server. | | `port` | The port number used by the LDAP service. | | `startTLS` | Set to `true` to enable TLS communication with the LDAP server. | | `baseDN` | Starting location within the LDAP directory for performing user searches. | -| `userAttribute` | Attribute name used to obtain the username. | -| `userGroupAttribute` | Attribute name used to obtain groups to which a user belongs. | -| `bindDN` | Base Distinguished Name for the LDAP search. | -| `bindPassword` | Password of the bind LDAP user. | +| `userAttribute` | Attribute name used to obtain the username. | +| `userGroupAttribute` | Attribute name used to obtain groups to which a user belongs. | | `skipVerify` | Skip TLS verification. | | `subtreeSearch` | Set to `true` to expand the scope for search to include subtrees of the base DN. | + +A local file contains the bind credentials for the LDAP server, as shown in the following example. + +``` json +{ + "bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org", + "bindPassword":"ldap-searcher-password" +} +``` + +The following table lists the configurable attributes of the LDAP credentials file. + +| Attribute | Description | +|-----------------|----------------------------------------------------------------------------------| +| `bindDN` | Base Distinguished Name for the LDAP search. | +| `bindPassword` | Password of the bind LDAP user. | + + ### htpasswd Enable and configure `htpasswd` authentication in the zot 
diff --git a/docs/general/whats-new.md b/docs/general/whats-new.md index a8baaee..3e75ef6 100644 --- a/docs/general/whats-new.md +++ b/docs/general/whats-new.md @@ -30,6 +30,10 @@ - The validity of an image's signature can be [verified](../articles/verifying-signatures.md) by zot. Users can upload public keys or certificates to zot. +### LDAP credentials stored apart from configuration + +- The LDAP credentials are removed from zot's LDAP configuration and stored in a separate file. See zot's [LDAP documentation](../articles/authn-authz.md). + ### Storage deduplication on startup - [Deduplication](../articles/storage.md), a storage space saving feature, now runs or reverts at startup depending on whether the feature is enabled or disabled. You can trigger deduplication by enabling it and then restarting zot.
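Review bot: in the first hunk (authn-authz.md, the `ldap` config example), the value `examples/config-ldap-credentials.json` given for `credentialsFile` is a relative path, and nothing in the hunk says what it is resolved against (the directory zot is started from or the directory of the main config file). State the resolution rule in the `credentialsFile` table row or in the text introducing the example, and consider an absolute path such as `/etc/zot/ldap-credentials.json` in the example so that copying it does not depend on the working directory.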
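Review bot: in the second hunk, the new credentials-file table describes `bindDN` as "Base Distinguished Name for the LDAP search", but the example value `cn=ldap-searcher,ou=Users,dc=example,dc=org` is the DN of the account zot binds as, and the search base is already documented as `baseDN` in the main table. Suggest "Distinguished Name of the account zot binds as when searching the directory" to remove the overlap. Since the file carries `bindPassword` in clear text, the sentence "A local file contains the bind credentials for the LDAP server" should also say that the file must be readable only by the account zot runs as.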
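Review bot: in the third hunk (whats-new.md), the entry states that the credentials "are removed from zot's LDAP configuration" but gives existing deployments no migration guidance: the `bindDN` and `bindPassword` rows were deleted from the main table in the previous hunk, yet neither file says whether a config that still carries those two keys under `ldap` is rejected at startup, ignored, or still accepted. Add one sentence stating the behaviour and the required action (move the two keys into the separate file and reference it with `credentialsFile`).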