Enabling LDAP Authentication

To enable LDAP authentication for pgAdmin, you must configure the LDAP settings in the config_local.py or config_system.py file (see the config.py documentation) on the system where pgAdmin is installed in Server mode. You can copy these settings from config.py file and modify the values for the following parameters:

There are 3 ways to configure LDAP:

  • Bind as pgAdmin user

  • Anonymous bind

  • Dedicated user bind

Parameter

Description

AUTHENTICATION_SOURCES

The default value for this parameter is internal. To enable LDAP authentication, you must include ldap in the list of values for this parameter. you can modify the value as follows:

  • [‘ldap’]: pgAdmin will use only LDAP authentication.

  • [‘ldap’, ‘internal’]: pgAdmin will first try to authenticate the user through LDAP. If that authentication fails, then internal user entries of pgAdmin will be used for authentication.

  • [‘internal’, ‘ldap’]: pgAdmin will first try to authenticate the user through internal user entries. If that authentication fails, then LDAP authentication will be used.

LDAP_AUTO_CREATE_USER

Specifies if you want to automatically create a pgAdmin user corresponding to the LDAP user credentials. Please note that LDAP password is not stored in the pgAdmin database.

LDAP_CONNECTION_TIMEOUT

Specifies the connection timeout (in seconds) for LDAP authentication.

LDAP_SERVER_URI

An LDAP URI is a combination of connection protocol (ldap or ldaps), IP address/hostname and port of the directory server that you want to connect to. For example, ‘ldap://172.16.209.35:389’ is a valid LDAP_SERVER_URI where ldap is the connection protocol, 172.16.209.35 is the IP address and 389 is the port. Port 636 is used for the ldaps communication protocol.

LDAP_USERNAME_ATTRIBUTE

Specifies the LDAP attribute that contains the usernames. For LDAP authentication, you need to enter the value of that particular attribute as username. For example, if you set the value of LDAP_USERNAME_ATTRIBUTE as ‘cn’ and you have defined ‘cn=admin’ in your LDAP server entries, you should be able to authenticate by entering ‘admin’ in the Email Address / Username field and its corresponding password in the Password field.

LDAP_SEARCH_BASE_DN

Specifies the distinguished name (DN) for the top-most user directory that you want to search. You can use this parameter for limiting the search request to a specific group of users. For example, if you want to search only within the Organizational Unit named sales, you can define the value for LDAP_SEARCH_BASE_DN parameter as following: LDAP_SEARCH_BASE_DN = ‘ou=sales,dc=example,dc=com’

This is an optional parameter only while binding as pgAdmin user. If you do not specify any value for LDAP_SEARCH_BASE_DN, then the value for LDAP_BASE_DN will be considered for the same.

LDAP_SEARCH_FILTER

Defines the criteria to retrieve matching entries in an LDAP search request. For example, LDAP_SEARCH_FILTER = ‘(objectclass=HR)’ setting searches only for users having HR as their objectClass attribute.

LDAP_SEARCH_SCOPE

Indicates the set of entries at or below the Base DN that maybe considered as potential matches for a search request. You can specify the scope of a search as either a base, level, or subtree search. A base search limits the search to the base object. A level search is restricted to the immediate children of a base object, but excludes the base object itself. A subtree search includes all child objects as well as the base object.

LDAP_DN_CASE_SENSITIVE

Indicates whether the DN (Distinguished Names) are case sensitive or not. Possible values are True or False. By default is set to False.

LDAP_USE_STARTTLS

Specifies if you want to use Transport Layer Security (TLS) for secure communication between LDAP clients and LDAP servers. If you specify the connection protocol in LDAP_SERVER_URI as ldaps, this parameter is ignored.

LDAP_CA_CERT_FILE

Specifies the path to the trusted CA certificate file. This parameter is applicable only if you are using ldaps as connection protocol or you have set LDAP_USE_STARTTLS parameter to True.

LDAP_CERT_FILE

Specifies the path to the server certificate file. This parameter is applicable only if you are using ldaps as connection protocol or you have set LDAP_USE_STARTTLS parameter to True.

LDAP_KEY_FILE

Specifies the path to the server private key file. This parameter is applicable only if you are using ldaps as connection protocol or you have set LDAP_USE_STARTTLS parameter to True.

LDAP_IGNORE_MALFORMED_SCHEMA

Some flaky LDAP servers returns malformed schema. If this parameter set to True, no exception will be raised and schema is thrown away but authentication will be done. This parameter should remain False, as recommended.

Bind as pgAdmin user

LDAP_BASE_DN

Specifies the base DN from where a server will start the search for users. For example, an LDAP search for any user will be performed by the server starting at the base DN (dc=example,dc=com). When the base DN matches, the full DN (cn=admin,dc=example,dc=com) is used to bind with the supplied password.

Anonymous bind

LDAP_ANONYMOUS_BIND

Set this parameter to True for anonymous binding. After the connection is made, the pgadmin login user will be further authenticated by the username and password provided at the login screen.

Dedicated user bind

LDAP_BIND_USER

The account of the user to log in for simple bind. Set this parameter to allow the connection to bind using a dedicated user. After the connection is made, the pgadmin login user will be further authenticated by the username and password provided at the login screen. at the login screen.

LDAP_BIND_PASSWORD

Password for simple bind. Specify the value if you have set the LDAP_BIND_USER parameter.