Enabling LDAP Authentication for pgAdmin - pgAdmin 4 4.30 documentation
To enable LDAP authentication for pgAdmin, you must configure the LDAP settings in the config_local.py or config_system.py file (see the config.py documentation) on the system where pgAdmin is installed in Server mode. You can copy these settings from config.py file and modify the values for the following parameters:
There are 3 ways to configure LDAP:
- Bind as pgAdmin user
- Anonymous bind
- Dedicated user bind
Parameter | Description |
---|---|
AUTHENTICATION_SOURCES |
The default value for this parameter is internal . To enable LDAP authentication, you must include ldap in the list of values for this parameter. you can modify the value as follows:
|
LDAP_AUTO_CREATE_USER | Specifies if you want to automatically create a pgAdmin user corresponding to the LDAP user credentials. Please note that LDAP password is not stored in the pgAdmin database. |
LDAP_CONNECTION_TIMEOUT | Specifies the connection timeout (in seconds) for LDAP authentication. |
LDAP_SERVER_URI | An LDAP URI is a combination of connection protocol (ldap or ldaps), IP address/hostname and port of the directory server that you want to connect to. For example, ‘ ldap://172.16.209.35:389 ’ is a valid LDAP_SERVER_URI where ldap is the connection protocol, 172.16.209.35 is the IP address and 389 is the port. Port 636 is used for the ldaps communication protocol. |
LDAP_USERNAME_ATTRIBUTE | Specifies the LDAP attribute that contains the usernames. For LDAP authentication, you need to enter the value of that particular attribute as username. For example, if you set the value of LDAP_USERNAME_ATTRIBUTE as ‘cn’ and you have defined ‘cn=admin’ in your LDAP server entries, you should be able to authenticate by entering ‘admin’ in the Email Address / Username field and its corresponding password in the Password field. |
LDAP_SEARCH_BASE_DN |
Specifies the distinguished name (DN) for the top-most user directory that you want to search. You can use this parameter for limiting the search request to a specific group of users. For example, if you want to search only within the Organizational Unit named sales, you can define the value for LDAP_SEARCH_BASE_DN parameter as following: LDAP_SEARCH_BASE_DN = ‘ou=sales,dc=example,dc=com’ This is an optional parameter only while binding as pgAdmin user. If you do not specify any value for LDAP_SEARCH_BASE_DN, then the value for LDAP_BASE_DN will be considered for the same. |
LDAP_SEARCH_FILTER | Defines the criteria to retrieve matching entries in an LDAP search request. For example, LDAP_SEARCH_FILTER = ‘(objectclass=HR)’ setting searches only for users having HR as their objectClass attribute. |
LDAP_SEARCH_SCOPE | Indicates the set of entries at or below the Base DN that maybe considered as potential matches for a search request. You can specify the scope of a search as either a base , level , or subtree search. A base search limits the search to the base object. A level search is restricted to the immediate children of a base object, but excludes the base object itself. A subtree search includes all child objects as well as the base object. |
LDAP_USE_STARTTLS | Specifies if you want to use Transport Layer Security (TLS) for secure communication between LDAP clients and LDAP servers. If you specify the connection protocol in LDAP_SERVER_URI as ldaps , this parameter is ignored. |
LDAP_CA_CERT_FILE | Specifies the path to the trusted CA certificate file. This parameter is applicable only if you are using ldaps as connection protocol and you have set LDAP_USE_STARTTLS parameter to True . |
LDAP_CERT_FILE | Specifies the path to the server certificate file. This parameter is applicable only if you are using ldaps as connection protocol and you have set LDAP_USE_STARTTLS parameter to True . |
LDAP_KEY_FILE | Specifies the path to the server private key file. This parameter is applicable only if you are using ldaps as connection protocol and you have set LDAP_USE_STARTTLS parameter to True . |
Bind as pgAdmin user | |
LDAP_BASE_DN | Specifies the base DN from where a server will start the search for users. For example, an LDAP search for any user will be performed by the server starting at the base DN (dc=example,dc=com). When the base DN matches, the full DN (cn=admin,dc=example,dc=com) is used to bind with the supplied password. |
Anonymous bind | |
LDAP_ANONYMOUS_BIND | Set this parameter to True for anonymous binding. After the connection is made, the pgadmin login user will be further authenticated by the username and password provided at the login screen. |
Dedicated user bind | |
LDAP_BIND_USER | The account of the user to log in for simple bind. Set this parameter to allow the connection to bind using a dedicated user. After the connection is made, the pgadmin login user will be further authenticated by the username and password provided at the login screen. at the login screen. |
LDAP_BIND_PASSWORD | Password for simple bind. Specify the value if you have set the LDAP_BIND_USER parameter. |