From 7c51a848df7d45d649abd309450535ba04f571d2 Mon Sep 17 00:00:00 2001 From: mbshields Date: Tue, 21 Nov 2023 15:24:52 -0800 Subject: [PATCH] docs: LDAP separate credentials file (#136) * docs: LDAP separate credentials file Signed-off-by: mbshields * docs: LDAP - comments Signed-off-by: mbshields * docs: LDAP - added upgrade warning Signed-off-by: mbshields --------- Signed-off-by: mbshields --- docs/articles/authn-authz.md | 29 +++++++++++++++++++++++------ docs/general/whats-new.md | 6 ++++++ 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/docs/articles/authn-authz.md b/docs/articles/authn-authz.md index 99c8e90..3cc5f91 100644 --- a/docs/articles/authn-authz.md +++ b/docs/articles/authn-authz.md @@ -116,6 +116,7 @@ zot supports integration with an LDAP-based authentication service such as Micro ... "auth": { "ldap": { + "credentialsFile": "examples/config-ldap-credentials.json", "address": "ldap.example.org", "port": 389, "startTLS": false, 
@@ -131,22 +132,38 @@ zot supports integration with an LDAP-based authentication service such as Micro } ``` -The following table lists the configurable attributes for LDAP -authentication. +The following table lists the configurable attributes for LDAP authentication. | Attribute | Description | |-----------------|----------------------------------------------------------------------------------| +| `credentialsFile` | The path to a file containing the bind credentials for LDAP. | | `address` | The IP address or hostname of the LDAP server. | | `port` | The port number used by the LDAP service. | | `startTLS` | Set to `true` to enable TLS communication with the LDAP server. | | `baseDN` | Starting location within the LDAP directory for performing user searches. | -| `userAttribute` | Attribute name used to obtain the username. | -| `userGroupAttribute` | Attribute name used to obtain groups to which a user belongs. | -| `bindDN` | Base Distinguished Name for the LDAP search. | -| `bindPassword` | Password of the bind LDAP user. | +| `userAttribute` | Attribute name used to obtain the username. | +| `userGroupAttribute` | Attribute name used to obtain groups to which a user belongs. | | `skipVerify` | Skip TLS verification. | | `subtreeSearch` | Set to `true` to expand the scope for search to include subtrees of the base DN. | + +To allow for separation of configuration and credentials, the credentials for the LDAP server are specified in a separate file, as shown in the following example. + +``` json +{ + "bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org", + "bindPassword":"ldap-searcher-password" +} +``` + +The following table lists the configurable attributes of the LDAP credentials file. + +| Attribute | Description | +|-----------------|----------------------------------------------------------------------------------| +| `bindDN` | Base Distinguished Name for the LDAP search. | +| `bindPassword` | Password of the bind LDAP user. 
| + + ### htpasswd Enable and configure `htpasswd` authentication in the zot diff --git a/docs/general/whats-new.md b/docs/general/whats-new.md index a8baaee..d228b4b 100644 --- a/docs/general/whats-new.md +++ b/docs/general/whats-new.md @@ -30,6 +30,12 @@ - The validity of an image's signature can be [verified](../articles/verifying-signatures.md) by zot. Users can upload public keys or certificates to zot. +### LDAP credentials stored separately from configuration + +- The LDAP credentials are removed from zot's LDAP configuration and stored in a separate file. See zot's [LDAP documentation](../articles/authn-authz.md). + + :warning: This LDAP configuration change is incompatible with previous zot releases. When upgrading, you must reconfigure your LDAP credentials if you use LDAP. + ### Storage deduplication on startup - [Deduplication](../articles/storage.md), a storage space saving feature, now runs or reverts at startup depending on whether the feature is enabled or disabled. You can trigger deduplication by enabling it and then restarting zot.
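Review bot: in the `@@ -116,6 +116,7 @@` hunk of `docs/articles/authn-authz.md`, the example that gains `"credentialsFile": "examples/config-ldap-credentials.json"` still shows `"port": 389` and `"startTLS": false`, so the bind password that is now loaded from the credentials file would be sent to the LDAP server in the clear with this configuration as written. Either switch the example to `"startTLS": true` or add a sentence stating that StartTLS (or LDAPS) should be enabled anywhere other than a local test setup. The path is also relative, and the docs should say what it is relative to (zot's working directory or the directory of the main config file), since that is the first thing an operator will trip over.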
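Review bot: in the `@@ -131,22 +132,38 @@` hunk of `docs/articles/authn-authz.md`, the `bindDN` row carried into the new credentials-file table keeps the description "Base Distinguished Name for the LDAP search", which describes `baseDN` (already documented as the starting location for user searches), not `bindDN`. `bindDN` is the DN of the account zot binds as before searching, i.e. the `cn=ldap-searcher,ou=Users,dc=example,dc=org` entry in the example file. Suggest `| bindDN | Distinguished Name of the account zot binds as in order to search the directory. |`. Since the new paragraph introduces a file whose whole purpose is to hold a cleartext `bindPassword`, it would also help to state that the file should be readable only by the user zot runs as and kept out of version control, which is the motivation for splitting it out in the first place.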
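Review bot: in the `@@ -30,6 +30,12 @@` hunk of `docs/general/whats-new.md`, the warning tells operators they "must reconfigure your LDAP credentials" but not what zot does when `bindDN` and `bindPassword` are still present under `auth.ldap` in the main config after the upgrade (refuse to start with a config error, ignore the keys, or fall back to them). State the actual behaviour so an operator knows whether a missed migration fails loudly at startup or silently leaves LDAP login broken, and link the credentials-file example from the same sentence so the migration step is one click away.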