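Here is the LDAP portion of the options.yml
--------------------------------------
##################
# LDAP options
##################

#### WARNING: LDAP mode is not officially supported by OBS!
ldap_mode: :on
#### WARNING: LDAP mode is not officially supported by OBS!

# LDAP Servers separated by ':'.
# OVERRIDE with your company's ldap servers. Servers are picked randomly for
# each connection to distribute load.
ldap_servers: dc1.xyz.local

# Max number of times to attempt to contact the LDAP servers
ldap_max_attempts: 15

# The attribute the user memberof is stored in
ldap_user_memberof_attr: memberof

# Perform the group_user search with the member attribute of group entry or
# memberof attribute of user entry
# It depends on your ldap define
# The attribute the group member is stored in
ldap_group_member_attr: member

# If you're using ldap_authenticate=:ldap then you should ensure that
# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
# NOTE(review): ldaps is selected here (ldap_ssl :on, ldap_start_tls :off) and
# ldap_port is left unset, so per the port comment below the connection goes to
# 636. Confirm the directory server offers LDAPS on that port and that the OBS
# host trusts its certificate.
ldap_ssl: :on

# Use StartTLS extension of LDAP
ldap_start_tls: :off

# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
#ldap_port:

# Authentication with Windows 2003 AD requires this to be :off
ldap_referrals: :off

# OVERRIDE with your company's ldap search base for the users who will use OBS
ldap_search_base: OU=Service,DC=xyz,DC=local

# Sam Account Name is the login name for LDAP
ldap_search_attr: sAMAccountName

# The attribute the user's name is stored in
ldap_name_attr: cn

# The attribute the user's email is stored in
ldap_mail_attr: mail

# Credentials to use to search ldap for the username
# NOTE(review): the bind password is stored in clear text in this file. Keep
# options.yml readable only by the account the OBS API runs as, use a dedicated
# read-only directory account for the search bind, and replace the value with a
# placeholder before sharing the file.
ldap_search_user: "cn=obs-svc,ou=service,dc=xyz,dc=local"
ldap_search_auth: "MySecretPassword"

# By default any LDAP user can be used to authenticate to the OBS
# In some deployments this may be too broad and certain criteria should
# be met; eg group membership
#
# To allow only users in a specific group uncomment this line:
#ldap_user_filter: (memberof=CN=group,OU=Groups,DC=Domain Component)
#
# Note this is joined to the normal selection like so:
# (&(#{ldap_search_attr}=#{login})#{ldap_user_filter})
# giving an ldap search of:
# (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
#
# Also note that openLDAP must be configured to use the memberOf overlay
#
# NOTE(review): with ldap_user_filter commented out, every account found under
# ldap_search_base can authenticate to OBS, as the text above says. A group
# filter limits logins to the intended users.

# ldap_authenticate says how the credentials are verified:
#   :ldap  = attempt to bind to ldap as user using supplied credentials
#   :local = compare the credentials supplied with those in
#            LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
#            if :local is used then ldap_auth_mech can be
#              :md5
#              :cleartext
# NOTE(review): per the description above, ldap_auth_mech and ldap_auth_attr
# only matter with :local. :ldap verifies the password by binding as the user;
# :local presumably needs the search account to read the stored password
# attribute and compares an MD5 or clear-text value, so :ldap is the safer
# choice.
ldap_authenticate: :ldap
ldap_auth_mech: :md5
# This is a string
ldap_auth_attr: userPassword

# Whether to search group info from ldap, it does not take effect
# when LDAP_GROUP_SUPPORT is not set.
# Please also set below LDAP_GROUP_* configs correctly to ensure the operation
# works properly
ldap_group_support: :mirror

# OVERRIDE with your company's ldap search base for groups
ldap_group_search_base: ou=service,dc=xyz,dc=local

# The attribute the group name is stored in
ldap_group_title_attr: cn

# The value of the group objectclass attribute, leave it as "" if objectclass
# attr doesn't exist
ldap_group_objectclass_attr: group
--------------------------------------
From production.log:
[2022-02-04T13:56:44.607972 #2216] INFO -- : [e4bf6a24-8b28-46d8-901f-6dfb99d9db0f] [2216:747.53] method=POST path=/session/create format=html controller=Webui::SessionController action=create status=302 duration=19.33 view=0.00 db=0.98 location=https://10.xx.xxx.xxx/session/new params={"utf8"=>"✓", "authenticity_token"=>"87xCoa2K4NzYde4_Bf55rWzQ1pkrLiBTseQzth34rWob7dbjHx__2uVBT1xFSfj47WHaVvTrmcDqgNX8r_JIQw", "username"=>"test", "password"=>"[FILTERED]", "login"=>"Log In"} host=10.xxx.xxx.xxx time=787.39 backend=0 user=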