5. Using LDAP for login

As of version 2.3.0, Beltane supports LDAP for authentication of users (but not for the superuser). The following configuration items must be set:

LDAP Server

The server name. If the server name is prefixed with 'ldaps://', Beltane will use the ldaps protocol on port 636.

LDAP Base DN

The Distinguished Name to bind to the LDAP directory, without the 'uid=...' part.

Note: Requirements

As the login password must be transmitted from the browser to Beltane, an HTTPS connection is required.

If the server name is not prefixed with 'ldaps://', Beltane will use the standard LDAP port (389) with TLS for encryption.

If the LDAP server name is prefixed with 'ldaps://', Beltane will use the ldaps protocol on port 636.

The LDAP base DN must be the base DN of valid Beltane users for binding to the LDAP directory, without the 'uid=...' part. It is not sufficient to just give a search base.

Each Beltane user entry must contain, in the "description" attribute, the string "beltane_priv_user" (has update privileges) or "beltane_priv_guest" (has no update privileges). If the user should belong to one or more groups (see Section 6), the corresponding strings "beltane_group_groupname" must also be present in the "description" attribute.
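The requirements above can be checked before LDAP login is enabled. The following is an added example, not Beltane's own code: it derives the endpoint and the bind DN from the two settings and reads the markers from the "description" values of a directory entry. Substring matching across values, the group-name character set, the RFC 4514 escaping of the login name, and the sample host, base DN and entries are assumptions.

```python
import re

def ldap_endpoint(server):
    """Map the 'LDAP Server' setting to (host, port, transport)."""
    if server.startswith("ldaps://"):
        return server[len("ldaps://"):], 636, "ldaps"
    return server, 389, "ldap+tls"   # port 389, encrypted with TLS

def escape_rdn_value(value):
    """Escape a login name for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in '\\",+;<>' or (ch == "#" and i == 0) or edge_space:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def bind_dn(login, base_dn):
    """'uid=<login>' prepended to the configured LDAP Base DN."""
    return "uid=%s,%s" % (escape_rdn_value(login), base_dn)

def beltane_access(descriptions):
    """Read privilege and group markers from the 'description' values."""
    text = " ".join(descriptions)  # assumption: markers matched as substrings
    roles = [r for r in ("user", "guest") if "beltane_priv_" + r in text]
    # Assumption: group names consist of letters, digits, '_' and '-'.
    groups = sorted(set(re.findall(r"beltane_group_([A-Za-z0-9_-]+)", text)))
    problems = []
    if not roles:
        problems.append("no beltane_priv_* marker")
    elif len(roles) > 1:
        problems.append("both privilege markers present")
    role = roles[0] if len(roles) == 1 else None
    return {"role": role, "groups": groups, "problems": problems}

# Constructed sample entries: login name -> values of "description".
SAMPLE = {
    "alice": ["beltane_priv_user beltane_group_web", "beltane_group_db"],
    "bob": ["beltane_priv_guest"],
    "carol": ["Backup operator"],
    "dave": ["beltane_priv_user", "beltane_priv_guest"],
}

if __name__ == "__main__":
    print(ldap_endpoint("ldaps://ldap.example.org"))
    for login, desc in SAMPLE.items():
        print(bind_dn(login, "ou=people,dc=example,dc=org"), beltane_access(desc))
```

Entries reported with a problem, such as "carol" and "dave" in the sample, are worth reviewing in the directory, since the page does not say how an entry with no marker or with both markers is treated.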

Note: Combining LDAP and browser-based login

LDAP authentication requires the password. For browser-based login, this is only known to Beltane if mod_php is used.