26.1. ad-auth

The following documentation is for the ad-auth content package at version v0.0.0.

26.1.1. params

The content package provides the following params.

ad-auth/base-dn

The base DN for the queries.

e.g. "OU=Users,DC=example,DC=com"

ad-auth/default-role

This parameter provides the default role for a user that matches no groups.

ad-auth/deny-if-no-groups

This parameter, if true, denies access to users who authenticate but do not match any AD groups specified in the ad-auth/groups parameter.

ad-auth/group-roles-map

This is a map of group names to a list of roles for that group.

All matches will be applied.

ad-auth/groups

This is a list of groups that will be returned by AD if the user is a member of them.

These will be used against the maps to set roles and tenants.

ad-auth/user-activity-window

This parameter specifies how long a user should be idle before being removed (in seconds). The default is 259200 seconds (or 30 days).

auth/password

This parameter provides the password to attempt to authenticate on an authenticate call. This should not be set on a machine or in a profile. It is passed as an argument on an authenticate call.

ad-auth/ad-url

This parameter defines the URL for the AD server to authenticate against.

e.g. ldap://my.server.com:389

ad-auth/additional-dns

Additional domains to authenticate against.

e.g. [ "OU=Users1,DC=example,DC=com", "OU=Users2,DC=example,DC=com" ]

ad-auth/user-activity-check

This parameter specifies how often ad-auth should check for stale users (in seconds). The default is 86400 seconds (or 1 day).

auth/username

This parameter provides the username to attempt to authenticate on an authenticate call.

ad-auth/ad-tls

This parameter defines the TLS mode for the AD server to authenticate against.
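
How ad-auth/groups, ad-auth/group-roles-map, ad-auth/default-role and ad-auth/deny-if-no-groups combine into an access decision, as an added example that is not the content package's own code. The dict layout, group names and role names are constructed, and giving deny-if-no-groups precedence over default-role is an assumption.

```python
# Added illustration; not code from the ad-auth content package.
# Group names, role names and the dict layout are constructed.
PARAMS = {
    "ad-auth/groups": ["drp-admins", "drp-operators", "drp-audit"],
    "ad-auth/group-roles-map": {
        "drp-admins": ["superuser"],
        "drp-operators": ["operator", "readonly"],
        "legacy-team": ["superuser"],  # not in ad-auth/groups
    },
    "ad-auth/default-role": "readonly",
    "ad-auth/deny-if-no-groups": False,
}


def resolve_roles(params, member_of):
    """Return (allowed, roles) for a user who has already authenticated.

    member_of is the list of group names AD reported for the user.
    """
    member_of = set(member_of)
    # Only groups named in ad-auth/groups take part in matching.
    matched = [g for g in params["ad-auth/groups"] if g in member_of]
    if not matched:
        # Assumption: deny-if-no-groups wins over default-role.
        if params.get("ad-auth/deny-if-no-groups", False):
            return False, []
        default = params.get("ad-auth/default-role")
        return True, [default] if default else []
    roles = []
    role_map = params.get("ad-auth/group-roles-map", {})
    for group in matched:  # all matches are applied
        for role in role_map.get(group, []):
            if role not in roles:
                roles.append(role)
    return True, roles


def config_gaps(params):
    """Return (map keys never matched, listed groups that grant no roles)."""
    listed = set(params["ad-auth/groups"])
    mapped = set(params.get("ad-auth/group-roles-map", {}))
    return sorted(mapped - listed), sorted(listed - mapped)


if __name__ == "__main__":
    print(resolve_roles(PARAMS, ["drp-operators", "drp-admins", "Domain Users"]))
    print(resolve_roles(PARAMS, ["legacy-team"]))
    print(config_gaps(PARAMS))
```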