BookStack LDAP Login

Because BUBU's company runs the Windows AD service, BookStack can be connected to it over LDAP. Users then no longer have to be created by hand: once a person's account exists on the domain controller, that person can log in to BookStack.

Setup process

A fresh install has no LDAP configuration by default, so the settings have to be added manually; the official documentation describes how to add them.

  • Add the following settings at the bottom of the .env file
# General auth
AUTH_METHOD=ldap

# The LDAP host, Adding a port is optional
# Replace the value with your LDAP server's IP address or host name
LDAP_SERVER=server-ip-or-hostname:389
# If using LDAP over SSL you should also define the protocol:
# LDAP_SERVER=ldaps://example.com:636

# The base DN from where users will be searched within
# Enter your domain name here
LDAP_BASE_DN=DC=domain,DC=com

# The full DN and password of the user used to search the server
# Can both be left as false to bind anonymously
# Enter the administrator account's details here: CN=XXXX
LDAP_DN=CN=Administrator,CN=Users,DC=domain,DC=com
LDAP_PASS=123456789

# A filter to use when searching for users
# The user-provided user-name used to replace any occurrences of '${user}'
# The default here is uid; it can be changed to mail or another attribute to authenticate on, e.g. cn
LDAP_USER_FILTER=(&(mail=${user}))

# Set the LDAP version to use when connecting to the server
# The default is false; change it to 3
LDAP_VERSION=3

# Set the property to use as a unique identifier for this user.
# Stored and used to match LDAP users with existing BookStack users.
# Prefixing the value with 'BIN;' will assume the LDAP service provides the attribute value as
# binary data and BookStack will convert the value to a hexadecimal representation.
# Defaults to 'uid'.
LDAP_ID_ATTRIBUTE=uid

# Set the default 'email' attribute. Defaults to 'mail'
# The default uses `mail` as the account; you can change it to another attribute, e.g. cn
LDAP_EMAIL_ATTRIBUTE=mail

# Set the property to use for a user's display name. Defaults to 'cn'
LDAP_DISPLAY_NAME_ATTRIBUTE=cn

# If you need to allow untrusted LDAPS certificates, add the below and uncomment (remove the #)
# Only set this option if debugging or you're absolutely sure it's required for your setup.
#LDAP_TLS_INSECURE=true

# If you need to debug the details coming from your LDAP server, add the below and uncomment (remove the #)
# Only set this option if debugging since it will block logins and potentially show private details.
#LDAP_DUMP_USER_DETAILS=true

# The section below is used for syncing groups with AD
# Enable LDAP group sync, Set to 'true' to enable.
LDAP_USER_TO_GROUPS=true

# LDAP user attribute containing groups, Defaults to 'memberOf'.
LDAP_GROUP_ATTRIBUTE="memberOf"

# Remove users from roles that don't match LDAP groups.
LDAP_REMOVE_FROM_GROUPS=false
  • Log in with the default administrator account [email protected] and configure external authentication
    • Change the Email address to the administrator's mail account
    • In the External Authentication ID field, enter the LDAP_DN value you set in the config file above

[Screenshot: bs-ldap-01.png]

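The settings above are easy to get subtly wrong, and a few of them (clear-text ldap://, the Administrator bind account, the debug flags) have security consequences. The following script is an added example, not part of the original post or of BookStack itself: it parses a .env fragment and reports the checks an operator would want before going live. The sample .env text and the hardened variant (ldaps://, a dedicated read-only bind account named svc-bookstack-ldap, and objectGUID as the ID attribute) are constructed for this example.

```python
import re

# Constructed sample: the post's .env fragment with its placeholder host filled in
# with an example.com name (not a real deployment).
POST_ENV = """\
# General auth
AUTH_METHOD=ldap
LDAP_SERVER=ldap.example.com:389
LDAP_BASE_DN=DC=domain,DC=com
LDAP_DN=CN=Administrator,CN=Users,DC=domain,DC=com
LDAP_PASS=123456789
LDAP_USER_FILTER=(&(mail=${user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=uid
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
#LDAP_TLS_INSECURE=true
#LDAP_DUMP_USER_DETAILS=true
LDAP_USER_TO_GROUPS=true
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=false
"""

# Constructed hardened variant: LDAPS, a dedicated read-only service account
# (hypothetical name svc-bookstack-ldap), and AD's objectGUID as the stable ID.
HARDENED_ENV = (
    POST_ENV.replace("LDAP_SERVER=ldap.example.com:389",
                     "LDAP_SERVER=ldaps://ldap.example.com:636")
            .replace("CN=Administrator,CN=Users",
                     "CN=svc-bookstack-ldap,OU=ServiceAccounts")
            .replace("LDAP_ID_ATTRIBUTE=uid", "LDAP_ID_ATTRIBUTE=BIN;objectGUID")
)


def parse_env(text):
    """Minimal KEY=VALUE parser: skips blank lines and '#' comments, strips matching quotes.
    Only the first '=' separates key from value, so DNs like DC=domain,DC=com survive intact."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def _is_true(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def check_ldap_env(env):
    """Return a list of (severity, message) findings; severity is 'error', 'warn' or 'info'."""
    findings = []
    if env.get("AUTH_METHOD") != "ldap":
        findings.append(("error", "AUTH_METHOD is not 'ldap'; BookStack keeps its standard login"))

    server = env.get("LDAP_SERVER", "")
    if not server:
        findings.append(("error", "LDAP_SERVER is missing"))
    elif not server.lower().startswith("ldaps://"):
        findings.append(("warn", "LDAP_SERVER does not use ldaps://; the bind password and every "
                                 "user's password cross the network in clear text (use ldaps://host:636)"))

    if _is_true(env.get("LDAP_TLS_INSECURE", "false")):
        findings.append(("warn", "LDAP_TLS_INSECURE=true disables certificate validation, so a "
                                 "spoofed LDAP server could collect credentials"))
    if _is_true(env.get("LDAP_DUMP_USER_DETAILS", "false")):
        findings.append(("error", "LDAP_DUMP_USER_DETAILS=true blocks logins and prints directory "
                                  "data; it must not stay enabled"))
    if env.get("LDAP_VERSION") != "3":
        findings.append(("warn", "LDAP_VERSION should be 3 for Active Directory"))

    # The bind account's password sits in plain text in .env, so it should be a
    # dedicated read-only account rather than the domain Administrator.
    if re.search(r"CN=Administrator\b", env.get("LDAP_DN", ""), re.IGNORECASE):
        findings.append(("warn", "LDAP_DN binds as the domain Administrator; use a dedicated "
                                 "read-only service account because LDAP_PASS is stored in clear text"))

    user_filter = env.get("LDAP_USER_FILTER", "")
    if "${user}" not in user_filter:
        findings.append(("error", "LDAP_USER_FILTER lacks the ${user} placeholder, so every login "
                                  "is checked against the same directory entry"))
    if user_filter.count("(") != user_filter.count(")"):
        findings.append(("error", "LDAP_USER_FILTER has unbalanced parentheses"))

    if env.get("LDAP_ID_ATTRIBUTE", "uid") == "uid":
        findings.append(("info", "LDAP_ID_ATTRIBUTE=uid: Active Directory does not populate uid by "
                                 "default; BIN;objectGUID or sAMAccountName is a stable AD identifier"))
    if _is_true(env.get("LDAP_USER_TO_GROUPS", "false")) and \
            not _is_true(env.get("LDAP_REMOVE_FROM_GROUPS", "false")):
        findings.append(("info", "Group sync adds roles, but LDAP_REMOVE_FROM_GROUPS=false keeps a "
                                 "role after the user leaves the matching AD group"))
    return findings


if __name__ == "__main__":
    for name, text in (("post", POST_ENV), ("hardened", HARDENED_ENV)):
        print(f"== {name} ==")
        for severity, message in check_ldap_env(parse_env(text)):
            print(f"[{severity}] {message}")
```

Run it against your real .env (read the file into `parse_env`) before enabling AUTH_METHOD=ldap; the post's settings produce two warnings (clear-text ldap:// and the Administrator bind account) and two informational notes, while the hardened variant leaves only the group-sync note.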
Related references