This page in other versions: Latest (4.22) | 4.21

This document in other formats: PDF | ePub | Tarball

Navigation

Enabling LDAP Authentication for pgAdmin

To enable LDAP authentication for pgAdmin, you must configure the LDAP settings in the config_local.py or config_distro.py file on the system where pgAdmin is installed in Server mode. You can copy these settings from config.py file and modify the values for the following parameters:

Parameter

Description

AUTHENTICATION_SOURCES

The default value for this parameter is internal. To enable LDAP authentication, you must include ldap in the list of values for this parameter. you can modify the value as follows:

  • [‘ldap’]: pgAdmin will use only LDAP authentication.

  • [‘ldap’, ‘internal’]: pgAdmin will first try to authenticate the user through LDAP. If that authentication fails, then internal user entries of pgAdmin will be used for authentication.

  • [‘internal’, ‘ldap’]: pgAdmin will first try to authenticate the user through internal user entries. If that authentication fails, then LDAP authentication will be used.

LDAP_AUTO_CREATE_USER

Specifies if you want to automatically create a pgAdmin user corresponding to the LDAP user credentials. Please note that LDAP password is not stored in the pgAdmin database.

LDAP_CONNECTION_TIMEOUT

Specifies the connection timeout (in seconds) for LDAP authentication.

LDAP_SERVER_URI

An LDAP URI is a combination of connection protocol (ldap or ldaps), IP address/hostname and port of the directory server that you want to connect to. For example, ‘ldap://172.16.209.35:389’ is a valid LDAP_SERVER_URI where ldap is the connection protocol, 172.16.209.35 is the IP address and 389 is the port. Port 636 is used for the ldaps communication protocol.

LDAP_BASE_DN

Specifies the base DN from where a server will start the search for users. For example, an LDAP search for any user will be performed by the server starting at the base DN (dc=example,dc=com). When the base DN matches, the full DN (cn=admin,dc=example,dc=com) is used to bind with the supplied password.

LDAP_USERNAME_ATTRIBUTE

Specifies the LDAP attribute that contains the usernames. For LDAP authentication, you need to enter the value of that particular attribute as username. For example, if you set the value of LDAP_USERNAME_ATTRIBUTE as ‘cn’ and you have defined ‘cn=admin’ in your LDAP server entries, you should be able to authenticate by entering ‘admin’ in the Email Address / Username field and its corresponding password in the Password field.

LDAP_SEARCH_BASE_DN

Specifies an element of the search request that works in conjunction with the LDAP search scope to define the subtree of entries that should be considered when processing the search request. You can use this parameter for limiting the search request to a specific group of users.

LDAP_SEARCH_FILTER

Defines the criteria to retrieve matching entries in an LDAP search request. For example, LDAP_SEARCH_FILTER = ‘(objectclass=HR)’ setting searches only for users having HR as their objectClass attribute.

LDAP_SEARCH_SCOPE

Indicates the set of entries at or below the Base DN that maybe considered as potential matches for a search request. You can specify the scope of a search as either a base, level, or subtree search. A base search limits the search to the base object. A level search is restricted to the immediate children of a base object, but excludes the base object itself. A subtree search includes all child objects as well as the base object.

LDAP_USE_STARTTLS

Specifies if you want to use Transport Layer Security (TLS) for secure communication between LDAP clients and LDAP servers. If you specify the connection protocol in LDAP_SERVER_URI as ldaps, this parameter is ignored.

LDAP_CA_CERT_FILE

Specifies the path to the trusted CA certificate file. This parameter is applicable only if you are using ldaps as connection protocol and you have set LDAP_USE_STARTTLS parameter to True.

LDAP_CERT_FILE

Specifies the path to the server certificate file. This parameter is applicable only if you are using ldaps as connection protocol and you have set LDAP_USE_STARTTLS parameter to True.

LDAP_KEY_FILE

Specifies the path to the server private key file. This parameter is applicable only if you are using ldaps as connection protocol and you have set LDAP_USE_STARTTLS parameter to True.