Skip to content

LDAP Authentication

LAVA server can be configured to authenticate users via Lightweight Directory Access Protocol (LDAP). LAVA uses the django-auth-ldap backend for LDAP authentication.

Configuration

LDAP authentication is enabled by setting AUTH_LDAP_SERVER_URI. All the following settings can be placed in /etc/lava-server/settings.d/01-ldap.yaml.

AUTH_LDAP_SERVER_URI: "ldap://ldap.example.com"
AUTH_LDAP_BIND_DN: ""
AUTH_LDAP_BIND_PASSWORD: ""
AUTH_LDAP_USER_SEARCH: "LDAPSearch('ou=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(uid=%(users)')"
AUTH_LDAP_USER_ATTR_MAP:
  first_name: "givenName"
  last_name : "sn"
  email: "mail"

Use the following parameter to configure a custom LDAP login page message:

LOGIN_MESSAGE_LDAP: "If your email is first.second@example.org then use first.second as your username"

Restart lava-server-gunicorn and apache2 after any changes.

User management

To create a superuser, first log in once through the web UI with the target LDAP username, then promote it to superuser:

sudo lava-server manage authorize_superuser --username <username>

Alternatively, create and promote an LDAP user in a single step using addldapuser:

sudo lava-server manage addldapuser --username <username> --superuser

An existing local Django user account can be converted to an LDAP user account without losing data, provided the LDAP username does not already exist in the LAVA instance:

sudo lava-server manage mergeldapuser --lava-user <lava_user> --ldap-user <ldap_user>