diff --git a/docs/configuration.md b/docs/configuration.md index 7b0cc86..06df2fc 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -285,6 +285,46 @@ force_logins: False # one user has been created, overriding the "trusted_clients" configuration. # If no users have been created then trusted client checks will apply. # The default is False. +default_source: moonraker +# The default source used to authenticate user logins. Can be "ldap" or +# "moonraker" The default is "moonraker". +``` + +### `[ldap]` + +The `ldap` module may be used by `[authorization]` to perform user +authentication though an ldap server. + +```ini +# moonraker.conf + +[ldap] +ldap_host: ldap.local +# The host address of the LDAP server. This parameter must be provided +ldap_port: +# The LDAP server's port. The default is 389 for standard connections +# and 636 for SSL/TLS connections. +ldap_secure: True +# Enables LDAP over SSL/TLS. The default is False. +base_dn: DC=ldap,DC=local +# The base distinguished name used to search for users on the server. +# This option accepts Jinja2 Templates, see the [secrets] section for details. +# This parameter must be provided. +bind_dn: {secrets.ldap_credentials.bind_dn} +# The distinguished name for bind authentication. For example: +# CN=moonraker,OU=Users,DC=ldap,DC=local +# This option accepts Jinja2 Templates, see the [secrets] section for +# details. By default the ldap client will attempt to bind anonymously. +bind_password: {secrets.ldap_credentials.bind_password} +# The password for bind authentication. This option accepts Jinja2 Templates, +# see the [secrets] section for details. This parameter must be provided +# if a "bind_dn" is specified, otherwise it must be omitted. +group_dn: CN=moonraker,OU=Groups,DC=ldap,DC=local +# A group distinguished name in which the user must be a member of to pass +# authentication. This option accepts Jinja2 Templates, see the [secrets] +# section for details. The default is no group requirement. +is_active_directory: True +# Enables support for Microsoft Active Directory. The default is False. ``` ### `[octoprint_compat]` 
diff --git a/docs/web_api.md b/docs/web_api.md index 9086b97..5246b47 100644 --- a/docs/web_api.md +++ b/docs/web_api.md @@ -1900,11 +1900,18 @@ Content-Type: application/json { "username": "my_user", - "password": "my_password" + "password": "my_password", + "source": "moonraker" } ``` JSON-RPC request: Not Available +Arguments: +- `username`: The user login name. This argument is required. +- `password`: The user password. This arugment is required. +- `source`: The authentication source. Can be `moonraker` or `ldap`. The + default is `moonraker`. + Returns: An object the logged in username, auth token, refresh token, and action summary: ```json @@ -1912,7 +1919,8 @@ and action summary: "username": "my_user", "token": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpc3MiOiAiTW9vbnJha2VyIiwgImlhdCI6IDE2MTg4NzY4MDAuNDgxNjU1LCAiZXhwIjogMTYxODg4MDQwMC40ODE2NTUsICJ1c2VybmFtZSI6ICJteV91c2VyIiwgInRva2VuX3R5cGUiOiAiYXV0aCJ9.QdieeEskrU0FrH7rXKuPDSZxscM54kV_vH60uJqdU9g", "refresh_token": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpc3MiOiAiTW9vbnJha2VyIiwgImlhdCI6IDE2MTg4NzY4MDAuNDgxNzUxNCwgImV4cCI6IDE2MjY2NTI4MDAuNDgxNzUxNCwgInVzZXJuYW1lIjogIm15X3VzZXIiLCAidG9rZW5fdHlwZSI6ICJyZWZyZXNoIn0.btJF0LJfymInhGJQ2xvPwkp2dFUqwgcw4OA_wE-EcCM", - "action": "user_logged_in" + "action": "user_logged_in", + "source": "moonraker" } ``` - The `token` field is a JSON Web Token used to authorize the user. It should @@ -1924,7 +1932,7 @@ and action summary: !!! Note This endpoint may be accessed by unauthorized clients. A 401 would - only be returned if the username and/or password is invalid. + only be returned if the authentication failed. #### Logout Current User HTTP Request: 
@@ -1949,11 +1957,12 @@ GET /access/user ``` JSON-RPC request: Not Available -Returns: An object containing the currently logged in user name and +Returns: An object containing the currently logged in user name, the source and the date on which the user was created (in unix time). ```json { "username": "my_user", + "source": "moonraker", "created_on": 1618876783.8896716 } ``` @@ -1972,13 +1981,15 @@ Content-Type: application/json JSON-RPC request: Not Available Returns: An object containing the created user name, an auth token, -a refresh token, and an action summary. Creating a user also effectively -logs the user in. +a refresh token, the source, and an action summary. Creating a user also +effectively logs the user in. + ```json { "username": "my_user", "token": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpc3MiOiAiTW9vbnJha2VyIiwgImlhdCI6IDE2MTg4NzY3ODMuODkxNjE5LCAiZXhwIjogMTYxODg4MDM4My44OTE2MTksICJ1c2VybmFtZSI6ICJteV91c2VyIiwgInRva2VuX3R5cGUiOiAiYXV0aCJ9.oH0IShTL7mdlVs4kcx3BIs_-1j0Oe-qXezJKjo-9Xgo", "refresh_token": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpc3MiOiAiTW9vbnJha2VyIiwgImlhdCI6IDE2MTg4NzY3ODMuODkxNzAyNCwgImV4cCI6IDE2MjY2NTI3ODMuODkxNzAyNCwgInVzZXJuYW1lIjogIm15X3VzZXIiLCAidG9rZW5fdHlwZSI6ICJyZWZyZXNoIn0.a6ZeRjk8RQQJDDH0JV-qGY_d_HIgfI3XpsqUlUaFT7c", + "source": "moonraker", "action": "user_created" } ``` @@ -2028,10 +2039,12 @@ Returns: A list of created users on the system "users": [ { "username": "testuser", + "source": "moonraker", "created_on": 1618771331.1685035 }, { "username": "testuser2", + "source": "ldap", "created_on": 1620943153.0191233 } ] 
@@ -2076,11 +2089,12 @@ Content-Type: application/json JSON-RPC request: Not Available -Returns: The username, new auth token, and action summary. +Returns: The username, new auth token, the source and action summary. ```json { "username": "my_user", "token": "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpc3MiOiAiTW9vbnJha2VyIiwgImlhdCI6IDE2MTg4NzgyNDMuNTE2Nzc5MiwgImV4cCI6IDE2MTg4ODE4NDMuNTE2Nzc5MiwgInVzZXJuYW1lIjogInRlc3R1c2VyIiwgInRva2VuX3R5cGUiOiAiYXV0aCJ9.Ia_X_pf20RR4RAEXcxalZIOzOBOs2OwearWHfRnTSGU", + "source": "moonraker", "action": "user_jwt_refresh" } ```
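Review bot: In the new `[ldap]` block of `docs/configuration.md`, `ldap_secure` defaults to False and `bind_dn` falls back to an anonymous bind, but the text never spells out what that means for the credentials involved: with `ldap_secure: False` the `bind_password` and every user password submitted through `[authorization]` travel to `ldap_host` unencrypted, and an anonymous bind only works if the directory permits anonymous searches under `base_dn`. Suggest a sentence under `ldap_secure` recommending True whenever the LDAP server is not on a trusted segment, and a sentence under `bind_dn` recommending a dedicated low-privilege bind account referenced through `[secrets]`, as the example already does. Smaller fixes in the same hunk: "authentication though an ldap server" should read "through an LDAP server", and the `default_source` comment is missing a period before "The default is "moonraker"". `is_active_directory` says only that it "Enables support" without stating what changes in bind or search behaviour; a short note there would help operators decide when to set it.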
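Review bot: In the Login User hunk of `docs/web_api.md`, the new `password` argument line has a typo ("This arugment is required" should be "This argument is required"), and the `source` description does not say what the endpoint returns when `source` is `ldap` but no `[ldap]` section is configured. Stating the error status for an unavailable source would let clients distinguish a misconfiguration from a bad credential. The unchanged "Returns: An object the logged in username" line above the example is also missing "containing" and could be fixed while this section is being touched.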
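Review bot: The reworded Note ("A 401 would only be returned if the authentication failed") mixes tenses; "if authentication fails" reads more naturally and matches the surrounding present-tense prose. The rewording itself is an improvement, since with an LDAP source a 401 can now result from a group membership or bind failure rather than a wrong username or password.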
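Review bot: In the Create User hunk, the response example shows `"source": "moonraker"` but the text does not say whether this endpoint can only create `moonraker`-sourced users or whether a `source` argument is accepted on creation. If LDAP accounts are never created here, saying so explicitly would avoid clients attempting it; if they are, the request example should document the argument.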
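Review bot: The List Available Users hunk shows an entry with `"source": "ldap"`, which implies LDAP-authenticated users appear in the local user list, yet nothing on this page says how such an entry comes to exist (for example, on first successful login) or whether the password-change and delete-user endpoints apply to it. A sentence above the example covering that lifecycle would make the `source` field meaningful to API consumers.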
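Review bot: In the Refresh JSON Web Token hunk, "The username, new auth token, the source and action summary" is inconsistent in its articles; "The username, new auth token, source, and action summary" matches the style of the other Returns lines changed in this patch.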