LDAP/AD Server Authentication
You can use a Lightweight Directory Access Protocol (LDAP) authentication server to authenticate users.
LDAP/AD Server Configuration
Basic Configuration
-
LDAP_URLandLDAP_USER_SEARCH_BASEare required. -
LDAP_SEARCH_FILTERis optional; if not specified, themailattribute is used by default. If specified, use the literal{{ username }}to use the given username for the search.
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_URL | string | LDAP server URL. | LDAP_URL=ldap://localhost:389 |
| LDAP_BIND_DN | string | Bind DN | LDAP_BIND_DN=cn=root |
| LDAP_BIND_CREDENTIALS | string | Password for bindDN | LDAP_BIND_CREDENTIALS=password |
| LDAP_USER_SEARCH_BASE | string | LDAP user search base | LDAP_USER_SEARCH_BASE=o=users,o=example.com |
| LDAP_SEARCH_FILTER | string | LDAP search filter | LDAP_SEARCH_FILTER=mail={{ username }} |
Field Mappings
You can specify a mapping between the attributes of RumiTalk users and those of LDAP users. Use these settings if the default mappings do not work properly.
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_ID | string | Specify a unique user ID. By default, uid or sAMAccountName, mail is used. | LDAP_ID=uid |
| LDAP_USERNAME | string | By default, it uses givenName or mail. | LDAP_USERNAME=givenName |
| LDAP_EMAIL | string | By default, it uses mail. | LDAP_EMAIL=userPrincipalName |
| LDAP_FULL_NAME | string | By default, it uses a combination of givenName and surname. | LDAP_FULL_NAME=givenName,surname |
Username or Email
By default, RumiTalk uses an email address and password for
authentication. This may sometimes cause problem with LDAP and
you may want to use a username instead. Set the
LDAP_SEARCH_FILTER
to filter for the username instead (e.g.
LDAP_SEARCH_FILTER=uid={{ username }}
and configure RumiTalk to request login via username:
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_LOGIN_USES_USERNAME | string | Use username instead of email. | LDAP_LOGIN_USES_USERNAME=true |
Active Directory over SSL
To connect via SSL (ldaps://), such as a company using Windows
AD, specify the path to the internal CA certificate.
LDAP_TLS_REJECT_UNAUTHORIZED
is optional;if not specified RumiTalk will reject TLS/SSL
connections if the LDAP server’s certificate cannot be
verified. set
LDAP_TLS_REJECT_UNAUTHORIZED
to false (not recommended for production environments) to
allow Librechat to accept TLS/SSL connections even if the LDAP
server’s certificate cannot be verified,
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_CA_CERT_PATH | string | CA certificate path. | LDAP_CA_CERT_PATH=/path/to/root_ca_cert.crt |
| LDAP_TLS_REJECT_UNAUTHORIZED | string | Disable TLS verification | LDAP_TLS_REJECT_UNAUTHORIZED=true |
LDAP StartTLS
Enabling LDAP StartTLS allows RumiTalk to upgrade an insecure connection to a secure TLS connection. This is useful if you want to secure the connection without switching to ldaps://.
| Key | Type | Description | Example |
|---|---|---|---|
| LDAP_STARTTLS | string | Enable LDAP StartTLS for upgrading the connection to TLS. Set to true to enable this feature. | LDAP_STARTTLS=true |