User docs for Conjur authn-ldap connector

authn-ldap-readme.md

Conjur Authn-LDAP

Download v0.2.0

A Conjur authenticator which calls out to an external LDAP service to bind.

Configuration with environment variables

Slosilo key setup

On successful authentication this service issues a bearer token using the configured Slosilo private key. One of these is required (and the first found is used):

• SLOSILO_KEY - verbatim Slosilo private key,
• SLOSILO_KEY_FILE - path to the Slosilo private key,
• authn.slosilo_keystore table in the default postgres database, encrypted with symmetric key from AUTHN_SLOSILO_KEY environment variable (this supports running directly on Conjur appliance).

LDAP setup

• LDAP_URI, for example ldap://example.com,
• LDAP_BINDDN and LDAP_BINDPW - the binding for search; anonymous if not provided,
• LDAP_BASE is the base of the tree,
• LDAP_FILTER, with %s as the placeholder for login name; defaults to '(&(objectClass=posixAccount)(uid=%s))'.

Installation directly on Conjur appliance

• SSH into the appliance.
• Get debian package from https://github.com/conjurinc/authn-ldap/releases/latest and install it with sudo dpkg -i.
• Edit /opt/conjur/etc/authn-ldap.conf to set up connection to the LDAP server.
• Run sudo start authn-ldap to initially start the service. (It will also start automatically whenever Conjur or the machine is restarted.)
• To use the authenticator, set authn service uri in the client (for example in conjur-cli CONJUR_AUTHN_URL environment variable or authn_url config file setting) to https://conjur.example.com/api/authn-ldap/, where conjur.example.com is your appliance host.