Authentication with OpenLDAP

Configure through environment variables

For a configuration by environment variables, go to this page.

Here is an example of configuration with a docker-compose.yml:

version: '3'

services:
  Packmind:
    image: promyze/promyze:latest
    ports:
      - "3001:3001"
    environment:
      - MONGO_URI=mongodb://mongodb:27017/promyze
      - THEMIS_AUTH_SERVICE=open-ldap
      - THEMIS_AUTH_CONFIG_HOSTNAME=openldap.company.com
      - THEMIS_AUTH_CONFIG_PORT=389 #or 689 is secured
      - THEMIS_AUTH_CONFIG_SECURE=false
      - THEMIS_AUTH_CONFIG_ADMIN_DN=cn=admin,dc=openldap,dc=company,dc=com
      - THEMIS_AUTH_CONFIG_ADMIN_PASSWORD=password
      - THEMIS_AUTH_CONFIG_SEARCH_BASE=ou=users,dc=openldap,dc=promyze,dc=com
      #- THEMIS_AUTH_CONFIG_CA=/data/rootCA.pem if needed, but should be mapped into volumes
      #- THEMIS_AUTH_CONFIG_CERT=/data/openldaplts.pem
    volumes:
      - ./logs:/data/log
  mongodb:
    image: mongo:4.4
    volumes:
      - ./db:/data/db

Configure through the Web UI

The procedure describes below is only with an Administrator account.

Go in the Administration > Authentication part.

In that page, select OpenLDAP as way of authentication.

Then fill the fields of the form:

  • Hostname: address of the serveur on which is the OpenLDAP service.

  • Port: port on which is the OpenLDAP service.

  • Secured server: if that option is selected, ldaps will be used in place of ldap.

  • Root username: User DN used to sign in to the OpenLDAP server.

  • Root passeword: the password used to sign in to the OpenLDAP service.

  • User search root DN: The root node in OpenLDAP used to search users. Example: cn=users,dc=example,dc=com".

  • Search filter: (Optional) Used to filter users during search. Default: '(uid={{username}})' where username corresponds to the identified user.

  • OpenLDAP displayName attribute: User attribute used as the user displayName in Themis.

  • OpenLDAP mail attribute: User attribute used as the user mail in Themis.

  • Group search root DN: (optional) the root DN of the group that is allowed to sign in to Themis, if that parameter is left empty, all groups are allowed to sign in to Themis.

  • Group search filter: (optional) User to filter group members. Default: '(member={{dn}})'.

Once these information informed, click on Save. That action will disconnect you.

You have to restart Packmind so that the change would be effective.

The connection to Themis will then go through your OpenLDAP server:

If for example, an user with the jdoe login already is within Themis (identified by its login) and that that user sign in with its OpenLDAP account that has the same login (jdoe), then he will arrive directly on its existing account.

If rather, a person signs in OpenLDAP but did not have an already saved account in Themis, then a form will appear allowing him to complete its account within Themis:

Last updated