Configure LDAP

LDAP is a protocol for providing directory services. It acts as a central authority for user login information. Funkwhale supports LDAP through the Django LDAP authentication module.

Important

LDAP users can’t change their password in the app.

Dependencies

LDAP support requires extra dependencies. We include these in our requirements files to make it easier to set up. If you aren’t using LDAP, you can safely remove these.

OS dependencies
  • libldap2-dev
  • libsasl2-dev

Python dependencies
  • python-ldap
  • python-django-auth-ldap

Environment variables

You can configure LDAP authentication using environment variables in your .env file.

Basic features

LDAP_ENABLED: Boolean

Set this to True to enable LDAP support.

LDAP_SERVER_URI: URI = ldap://my.host:389

The LDAP URI of your authentication server.

LDAP_BIND_DN: String = cn=admin,dc=domain,dc=com

The DN of the LDAP user to bind as when performing searches.

LDAP_BIND_PASSWORD: String = bindpassword

The password of the bind DN user.

LDAP_SEARCH_FILTER: String = (|(cn={0})(mail={0}))

The LDAP user filter, using {0} as the username placeholder. Uses standard LDAP search syntax.

LDAP_START_TLS: Boolean = False

Set to True to enable LDAP StartTLS support. StartTLS upgrades an ldap:// connection to TLS, so bind credentials are not sent in cleartext.

LDAP_ROOT_DN: String = dc=domain,dc=com

The LDAP search root DN. Supports several entries in a comma-delimited list.

LDAP_USER_ATTR_MAP: String = first_name:givenName, last_name:sn, username:cn, email:mail

A mapping of Django user attributes to LDAP values.

AUTH_LDAP_BIND_AS_AUTHENTICATING_USER: Boolean = False

Controls whether to use direct binding.
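
As an added example (not part of Funkwhale or its documentation), the following script checks the basic settings above in a .env file and flags configurations that send bind credentials in cleartext or carry a malformed search filter. The function names, the accepted boolean spellings and the sample values are assumptions made for illustration.

```python
# Added example (not Funkwhale code); accepted boolean spellings are assumed.
from urllib.parse import urlparse

TRUTHY = {"true", "1", "yes", "on"}

# Constructed sample .env fragment using the example values from this page.
SAMPLE_ENV = """\
LDAP_ENABLED=True
LDAP_SERVER_URI=ldap://my.host:389
LDAP_BIND_PASSWORD=bindpassword
LDAP_SEARCH_FILTER=(|(cn={0})(mail={0}))
LDAP_START_TLS=False
"""


def parse_env(text):
    """Parse KEY=VALUE lines, splitting on the first '=' and skipping comments."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env


def lint_ldap(env):
    """Return findings for the basic LDAP settings; empty if LDAP is disabled."""
    if env.get("LDAP_ENABLED", "").lower() not in TRUTHY:
        return []
    findings = []
    scheme = urlparse(env.get("LDAP_SERVER_URI", "")).scheme.lower()
    start_tls = env.get("LDAP_START_TLS", "False").lower() in TRUTHY
    if scheme == "ldap" and not start_tls:
        findings.append("cleartext: ldap:// without LDAP_START_TLS exposes bind credentials")
    elif scheme not in ("ldap", "ldaps", "ldapi"):
        findings.append("uri: LDAP_SERVER_URI has a missing or unknown scheme")
    flt = env.get("LDAP_SEARCH_FILTER", "(|(cn={0})(mail={0}))")
    if "{0}" not in flt:
        findings.append("filter: LDAP_SEARCH_FILTER has no {0} username placeholder")
    if flt.count("(") != flt.count(")"):
        findings.append("filter: unbalanced parentheses in LDAP_SEARCH_FILTER")
    if env.get("LDAP_BIND_PASSWORD") == "bindpassword":
        findings.append("password: LDAP_BIND_PASSWORD is the documentation example value")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap(parse_env(SAMPLE_ENV)):
        print(finding)
```
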

Group features

LDAP provides extra features for working with groups. Group configuration is an advanced feature. Most users don’t need to configure these settings.

See also

Django’s LDAP documentation for groups.

LDAP_GROUP_DN: String = ou=groups,dc=domain,dc=com

The LDAP group search root DN. This needs to be set to enable group features.

LDAP_GROUP_FILTER: String = objectClass=groupOfNames

The LDAP group filter.

LDAP_REQUIRE_GROUP: String = cn=enabled,ou=groups,dc=domain,dc=com

The group that users need to be a member of to authenticate.

LDAP_DENY_GROUP: String = cn=disabled,ou=groups,dc=domain,dc=com

A group whose members can’t authenticate.