Posted to commits@brooklyn.apache.org by du...@apache.org on 2021/09/08 12:42:12 UTC

[brooklyn-docs] branch master updated: new domain_name_regex config key doc

This is an automated email from the ASF dual-hosted git repository.

duncangrant pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-docs.git


The following commit(s) were added to refs/heads/master by this push:
     new a2318ff  new domain_name_regex config key doc
     new 25eb333  Merge pull request #340 from jcabrerizo/feature/ladp/userName-regex
a2318ff is described below

commit a2318ff7ab6bf2a58bbaa8cb502a1285d7f0a77c
Author: Juan Cabrerizo <ju...@cloudsoft.io>
AuthorDate: Wed Sep 8 10:13:53 2021 +0100

    new domain_name_regex config key doc
---
 guide/ops/configuration/brooklyn_cfg.md | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/guide/ops/configuration/brooklyn_cfg.md b/guide/ops/configuration/brooklyn_cfg.md
index dd97a71..ad9ea50 100644
--- a/guide/ops/configuration/brooklyn_cfg.md
+++ b/guide/ops/configuration/brooklyn_cfg.md
@@ -135,8 +135,13 @@ will cause Brooklyn to call to an LDAP server to authenticate users;
 The other things you need to set in `brooklyn.cfg` are:
 
 * `brooklyn.webconsole.security.ldap.url` - ldap connection url
-* `brooklyn.webconsole.security.ldap.user_name_regex` *optional* none by default- regex pattern for usernames. If it's 
-  configured, non-matching usernames will be rejected without checking the credentials in the LDAP server  
+* `brooklyn.webconsole.security.ldap.domain_name_regex` *optional* empty by default- regex pattern for the user domain.  
+  If it's configured, non-matching login attempts  will be rejected without checking the credentials in the LDAP server.
+  If `user_name_regex` is not set, any user in the domain will be tried to authenticate. 
+* `brooklyn.webconsole.security.ldap.user_name_regex` *optional* empty by default- regex pattern for usernames. If it's
+    configured, non-matching usernames will be rejected without checking the credentials in the LDAP server.
+  If `domain_name_regex` is set, only the username matching both, domain and username patterns will be sent to LDAP to 
+  authenticate. If `domain_name_regex` is not set, only the username needs to match.
 * `brooklyn.webconsole.security.ldap.realm` - ldap dc parameter (domain)
 * `brooklyn.webconsole.security.ldap.allowed_realms_regex` - allows multiple realms (domains) that match regex - username must 
   be of form domain\user
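Review bot: The new `domain_name_regex` bullet does not say how the pattern is applied: whether it must match the whole domain or only part of it, whether matching is case-sensitive, and how the domain is separated from the username in a login (the `allowed_realms_regex` bullet below states `domain\user`, this one states nothing). Since these two keys decide which login attempts reach the LDAP server, an operator needs that to write a pattern that is not wider than intended; please state the matching semantics and the expected login format in the bullet. It would also help to say how `domain_name_regex` relates to `allowed_realms_regex`, as both constrain the domain part. Minor: "any user in the domain will be tried to authenticate" reads better as "credentials for any user in a matching domain are sent to LDAP", there is a double space in "attempts  will", and the continuation line under `user_name_regex` is indented four spaces where the others use two.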
@@ -154,8 +159,9 @@ The other things you need to set in `brooklyn.cfg` are:
 brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.LdapSecurityProvider
 brooklyn.webconsole.security.ldap.url=ldap://localhost:10389/????X-BIND-USER=uid=admin%2cou=system,X-BIND-PASSWORD=secret,X-COUNT-LIMIT=1000
 brooklyn.webconsole.security.ldap.realm=example.com
-# username regext pattern for <DOMAIN>\<USERNAME>
-brooklyn.webconsole.security.ldap.user_name_regex=.*\\.*
+# username regex patterns for DOMAIN\<USERNAME>. `user_name_regex` can be omited 
+brooklyn.webconsole.security.ldap.domain_name_regex=DOMAIN
+brooklyn.webconsole.security.ldap.user_name_regex=.*
 ~~~
 
 After you setup the brooklyn connection to your LDAP server, you can authenticate in brooklyn using your cn (e.g. John Smith) and your password.
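Review bot: In the example, `domain_name_regex=DOMAIN` together with the comment "DOMAIN\<USERNAME>" leaves it unclear whether `DOMAIN` is a placeholder or a literal value, because the removed comment used `<DOMAIN>` and the new one drops the angle brackets on that half only. Suggest keeping `<DOMAIN>\<USERNAME>` in the comment and using a concrete sample value for the key, ideally one that shows the intended anchoring so readers do not copy a pattern that also accepts longer domain names. The line `user_name_regex=.*` adds nothing beyond what the comment already says can be omitted; either drop it or show a restrictive pattern so the example demonstrates the combined domain and username check described in the bullets. The example also sets `realm=example.com` next to `domain_name_regex=DOMAIN` without saying how the two interact. Typo: "omited" should be "omitted", and the comment line ends with trailing whitespace.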