Add LDAP authentication configuration to Tube Archivist service
@@ -23,3 +23,34 @@ TA_YOUTUBE_PATH=/mnt/media/youtube
|
|||||||
|
|
||||||
# Elasticsearch heap sizing; Tube Archivist recommends 1g for the default stack
|
# Elasticsearch heap sizing; Tube Archivist recommends 1g for the default stack
|
||||||
ES_JAVA_OPTS=-Xms1g -Xmx1g
|
ES_JAVA_OPTS=-Xms1g -Xmx1g
|
||||||
|
|
||||||
|
# LDAP authentication
|
||||||
|
# Modes: single | local | ldap | forwardauth | ldap_local
|
||||||
|
# ldap_local lets LDAP users sign in but keeps the local TA_USERNAME admin so
|
||||||
|
# you can promote LDAP users to staff/superuser. Switch to `ldap` once ready.
|
||||||
|
TA_LOGIN_AUTH_MODE=ldap_local
|
||||||
|
|
||||||
|
# Authentik LDAP outpost (komodo/auth/Authentik). Replace host with the
|
||||||
|
# Authentik LDAP outpost address reachable from the tubearchivist container
|
||||||
|
# (e.g. the Docker host's LAN IP or hostname). Use ldaps://...:6636 for TLS.
|
||||||
|
TA_LDAP_SERVER_URI=ldap://authentik-ldap.lan:3389
|
||||||
|
# Set to any non-empty value to skip certificate verification on LDAPS
|
||||||
|
TA_LDAP_DISABLE_CERT_CHECK=
|
||||||
|
|
||||||
|
# Service account configured in Authentik for the LDAP outpost search bind
|
||||||
|
TA_LDAP_BIND_DN=cn=ldap-bind,ou=users,dc=ldap,dc=goauthentik,dc=io
|
||||||
|
TA_LDAP_BIND_PASSWORD=your_secure_ldap_bind_password
|
||||||
|
|
||||||
|
# Search base and filter for users in the directory
|
||||||
|
TA_LDAP_USER_BASE=ou=users,dc=ldap,dc=goauthentik,dc=io
|
||||||
|
TA_LDAP_USER_FILTER=(objectClass=user)
|
||||||
|
|
||||||
|
# LDAP attribute mapping (Authentik LDAP outpost defaults to cn for username)
|
||||||
|
TA_LDAP_USER_ATTR_MAP_USERNAME=cn
|
||||||
|
TA_LDAP_USER_ATTR_MAP_PERSONALNAME=givenName
|
||||||
|
TA_LDAP_USER_ATTR_MAP_SURNAME=sn
|
||||||
|
TA_LDAP_USER_ATTR_MAP_EMAIL=mail
|
||||||
|
|
||||||
|
# Comma-separated lists of LDAP usernames auto-promoted on first login
|
||||||
|
TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=
|
||||||
|
TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=
|
||||||
|
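Review bot: The example defaults to a cleartext directory connection, `TA_LDAP_SERVER_URI=ldap://authentik-ldap.lan:3389`, which means the service-account password in `TA_LDAP_BIND_PASSWORD` and every user's login password cross the network unencrypted; the comment above it already names the TLS form, so the shipped default should be that form, `TA_LDAP_SERVER_URI=ldaps://authentik-ldap.lan:6636`, with `TA_LDAP_DISABLE_CERT_CHECK=` left empty so the outpost certificate is actually verified. The comment on `TA_LDAP_DISABLE_CERT_CHECK` would also benefit from stating the consequence: `# Set to any non-empty value to skip certificate verification on LDAPS (disables protection against a spoofed outpost; leave empty in production)`. Separately, `TA_LDAP_BIND_PASSWORD=your_secure_ldap_bind_password` is a placeholder that must be replaced, and if this file is the live `.env` rather than a template it should be kept out of version control; I cannot tell which from the hunk since the file path is not shown. The promote lists at the end grant staff/superuser to any directory account whose `cn` matches on first login, so it is worth a one-line comment there noting that whoever can create or rename accounts in the LDAP outpost can claim those usernames.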
|||||||
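--- a/<PATH>
+++ b/<PATH>
@@ -17,6 +17,20 @@ services:
 - TA_PASSWORD=${TA_PASSWORD}
 - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
 - TZ=${TZ:-UTC}
+# LDAP authentication (Authentik LDAP outpost by default)
+- TA_LOGIN_AUTH_MODE=${TA_LOGIN_AUTH_MODE:-ldap_local}
+- TA_LDAP_SERVER_URI=${TA_LDAP_SERVER_URI}
+- TA_LDAP_DISABLE_CERT_CHECK=${TA_LDAP_DISABLE_CERT_CHECK}
+- TA_LDAP_BIND_DN=${TA_LDAP_BIND_DN}
+- TA_LDAP_BIND_PASSWORD=${TA_LDAP_BIND_PASSWORD}
+- TA_LDAP_USER_BASE=${TA_LDAP_USER_BASE}
+- TA_LDAP_USER_FILTER=${TA_LDAP_USER_FILTER:-(objectClass=user)}
+- TA_LDAP_USER_ATTR_MAP_USERNAME=${TA_LDAP_USER_ATTR_MAP_USERNAME:-cn}
+- TA_LDAP_USER_ATTR_MAP_PERSONALNAME=${TA_LDAP_USER_ATTR_MAP_PERSONALNAME:-givenName}
+- TA_LDAP_USER_ATTR_MAP_SURNAME=${TA_LDAP_USER_ATTR_MAP_SURNAME:-sn}
+- TA_LDAP_USER_ATTR_MAP_EMAIL=${TA_LDAP_USER_ATTR_MAP_EMAIL:-mail}
+- TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=${TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER}
+- TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=${TA_LDAP_PROMOTE_USERNAMES_TO_STAFF}
 restart: unless-stopped
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:8000/api/health/"]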
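Review bot: `TA_LOGIN_AUTH_MODE` defaults to `ldap_local` while `TA_LDAP_SERVER_URI`, `TA_LDAP_BIND_DN` and `TA_LDAP_BIND_PASSWORD` have no default, so a missing or stale `.env` starts the container in LDAP mode with empty server and bind settings and the failure surfaces only at login time. Compose's required-variable form makes that a start-up error instead: `- TA_LDAP_SERVER_URI=${TA_LDAP_SERVER_URI:?TA_LDAP_SERVER_URI must be set}`, `- TA_LDAP_BIND_DN=${TA_LDAP_BIND_DN:?TA_LDAP_BIND_DN must be set}`, `- TA_LDAP_BIND_PASSWORD=${TA_LDAP_BIND_PASSWORD:?TA_LDAP_BIND_PASSWORD must be set}`. Passing the bind password as a plain environment variable also exposes it to anyone who can run `docker inspect` or read the container's process environment; if Tube Archivist supports reading it from a file, a Compose `secrets:` mount would be the safer route, but I cannot confirm that support from this hunk. The surrounding `environment:` list and the `tubearchivist` service definition start above the hunk.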