Skip to content

LDAP authentication

ArchivesSpace can manage its own user directory, but can also be configured to authenticate against one or more LDAP directories by specifying them in the application’s configuration file. When a user attempts to log in, each authentication source is tried until one matches.

Here is a minimal example of an LDAP configuration:

AppConfig[:authentication_sources] = [{
:model => 'LDAPAuth',
:hostname => 'ldap.example.com',
:port => 389,
:base_dn => 'ou=people,dc=example,dc=com',
:username_attribute => 'uid',
:attribute_map => {:cn => :name},
}]

With this configuration, ArchivesSpace performs authentication by connecting to ldap://ldap.example.com:389/, binding anonymously, searching the ou=people,dc=example,dc=com tree for uid = <username>.

If the user is found, ArchivesSpace authenticates them by binding using the password specified. Finally, the :attribute_map entry specifies how LDAP attributes should be mapped to ArchivesSpace user attributes (mapping LDAP’s cn to ArchivesSpace’s name in the above example).

Many LDAP directories don’t support anonymous binding. To integrate with such a directory, you will need to specify the username and password of a user with permission to connect to the directory and search for other users. Modifying the previous example for this case looks like this:

AppConfig[:authentication_sources] = [{
:model => 'LDAPAuth',
:hostname => 'ldap.example.com',
:port => 389,
:base_dn => 'ou=people,dc=example,dc=com',
:username_attribute => 'uid',
:attribute_map => {:cn => :name},
:bind_dn => 'uid=archivesspace_auth,ou=system,dc=example,dc=com',
:bind_password => 'secretsquirrel',
}]

Finally, some LDAP directories enforce the use of SSL encryption. To configure ArchivesSpace to connect via LDAPS, change the port as appropriate and specify the encryption option:

AppConfig[:authentication_sources] = [{
:model => 'LDAPAuth',
:hostname => 'ldap.example.com',
:port => 636,
:base_dn => 'ou=people,dc=example,dc=com',
:username_attribute => 'uid',
:attribute_map => {:cn => :name},
:bind_dn => 'uid=archivesspace_auth,ou=system,dc=example,dc=com',
:bind_password => 'secretsquirrel',
:encryption => :simple_tls,
}]