Before You Begin
WARNING: To avoid conflicts when adding LDAP authentication, you must first change any pre-existing local accounts that have the same login name or email address as an LDAP account.
Use the options detailed below to configure LogZilla's LDAP integration.
The LDAP configuration is stored in the file /etc/logzilla/ldap/config.yaml. This file will be created for you automatically when you run the LogZilla LDAP Initialization described below.
If you are using certificates, LDAP certs should be placed in
LogZilla LDAP Initialization
To configure LogZilla's LDAP support, from a command line run the logzilla ldap init command.
Multiple configuration parameters will then be requested. In order, those are:
* Server (server_url): the host name or IP of your LDAP server, preceded by the URL scheme
* User search DN (user_search_dn): the LDAP object from which to start searches for users. For example, there may be an organizational unit named users, for which the response then could be
* Group search DN (group_search_dn): the LDAP object from which to start searches for groups, for which the response then could be
* Bind password (bind_password): the password corresponding to the user account just entered.
* LDAP field used as LZ username [uid]:
* LDAP field used as LZ first-name [givenName]: title
* LDAP field used as LZ last-name [sn]:
* LDAP field used as LZ email [mail]:
LogZilla LDAP Configuration Options
In addition to the parameters set during the initialization process described above, there are multiple LDAP interface properties that can be set in the LogZilla LDAP configuration file (/etc/logzilla/ldap/config.yaml). This file is in YAML format.
ldap: This is the section indicator for LDAP basic settings.
server_url: LDAP server URL (as entered during Initialization).
user_search_dn: Domain for user search (as described in Initialization)
require_group_dn: The distinguished name of a group; authentication will fail for any user that does not belong to this group.
group_search_dn: Domain for groups search (as described in Initialization)
group_search_dn_filter: An LDAP expression providing a filter for the group search. Example: (objectClass=posixGroup). More information can be found here.
group_object_class: LDAP objectClass for groups. Will usually be posix-group, though in special circumstances it may be
group_names: The group LDAP DN(s) that will be imported (comma-separated; ignored if group_names_exclude is set).
group_names_exclude: The group LDAP DN(s) that will be ignored during the group search (comma-separated; if set, the group_names filter is ignored).
bind_dn: DN of the user account that binds to the directory to gain permission to search.
bind_password: Password of the bind_dn account used to authenticate for the search.
False) Disable referrals. Setting it to True should help in case of problems with Active Directory.
ldap_fields: This is the section indicator for LDAP attribute mapping.
username: LDAP field used as LogZilla username.
first_name: LDAP field used as LogZilla first-name.
last_name: LDAP field used as LogZilla last-name.
ldap_tls_options: The section indicator for TLS options.
False) Enable TLS encryption over the standard LDAP port.
tls_require_cert: Validation strategy for server cert. Must be one of:
tls_ca_certfile: Name of PEM file with CA certs.
tls_keyfile: Name of PEM encoded key file for client cert authentication.
tls_certfile: Name of PEM encoded cert file for client cert authentication.
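As an added example (not LogZilla's own code), the following Python derives the search filters that the settings above imply and flags values a reviewer would change before go-live; the config is a constructed dict mirroring the YAML sections, and the start_tls key name is an assumption because the page does not show the real key.

```python
# Added example, not LogZilla's own code: derive the search filters implied by
# the documented config.yaml keys and flag weak or contradictory settings.
# The config is a constructed dict (same sections/keys as the YAML) so it runs offline.

SAMPLE_CONFIG = {  # constructed sample values, not a real deployment
    "ldap": {
        "server_url": "ldap://ldap.example.com",
        "user_search_dn": "ou=users,dc=example,dc=com",
        "group_search_dn": "ou=groups,dc=example,dc=com",
        "group_search_dn_filter": "(objectClass=posixGroup)",
        "group_object_class": "posixGroup",
        "group_names": "cn=logzilla,ou=groups,dc=example,dc=com",
        "group_names_exclude": "cn=disabled,ou=groups,dc=example,dc=com",
        "bind_dn": "cn=svc-logzilla,ou=users,dc=example,dc=com",
        "bind_password": "placeholder-password",
    },
    "ldap_fields": {"username": "uid", "first_name": "givenName", "last_name": "sn"},
    # "start_tls" is an assumed key name; the page elides the real one.
    "ldap_tls_options": {"start_tls": False, "tls_ca_certfile": ""},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(config: dict, login_name: str) -> str:
    """Filter used to look the user up: (<ldap_fields.username>=<login name>)."""
    attr = config["ldap_fields"].get("username", "uid")
    return "(%s=%s)" % (attr, escape_filter_value(login_name))

def group_filter(config: dict) -> str:
    """group_search_dn_filter if set, otherwise built from group_object_class."""
    ldap = config["ldap"]
    return ldap.get("group_search_dn_filter") or "(objectClass=%s)" % ldap.get(
        "group_object_class", "posixGroup")

def check_config(config: dict) -> list:
    """Return warnings about settings that weaken or contradict the intended policy."""
    ldap, tls = config["ldap"], config.get("ldap_tls_options", {})
    warnings = []
    if ldap["server_url"].startswith("ldap://") and not tls.get("start_tls"):
        warnings.append("bind credentials and passwords cross the network in clear text")
    elif not tls.get("tls_ca_certfile"):
        warnings.append("TLS enabled but no tls_ca_certfile: server cert cannot be validated")
    if not ldap.get("require_group_dn"):
        warnings.append("require_group_dn unset: every directory user may log in")
    if ldap.get("group_names") and ldap.get("group_names_exclude"):
        warnings.append("group_names is ignored because group_names_exclude is set")
    return warnings
```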
To test whether or not LDAP is working, do:
When the test runs successfully, you must load and enable new settings:
After ensuring connectivity, log in to the UI using your LDAP credentials.
Users should be instructed to use only their LDAP username, not the full domain username.
Correct Login Name: