LDAP authentication service

LDAP basic authentication service

Installing/updating

LDAP authentication service is not included in the EVA ICS distribution. To install or update it, either edit the “eva/config/python-venv” registry key, specify the desired version in the “extra” section (e.g. eva4-aaa-ldap>=0.0.1) and rebuild the Python virtual environment (/opt/eva4/sbin/venvmgr build), or execute:

/opt/eva4/sbin/venvmgr add eva4-aaa-ldap
# or
/opt/eva4/sbin/venvmgr add eva4-aaa-ldap==N # where N = version number

The latest eva4-aaa-ldap version number can be obtained from https://pypi.org/project/eva4-aaa-ldap/

Setup

Use the template EVA_DIR/share/svc-tpl/svc-tpl-aaa-ldap.yml:

# LDAP Authentication Service
#
# Requires https://pypi.org/project/eva4-svc-aaa-ldap/ Python module installed
command: venv/bin/eva4-svc-aaa-ldap
bus:
  path: var/bus.ipc
config:
  # ACL service
  acl_svc: eva.aaa.acl
  # LDAP group prefix (users must be in groups e.g. eva_GROUP,ou=users,dc=domain,dc=com)
  #group_prefix: eva_
  # LDAP base path
  path: ou=users,dc=domain,dc=com
  # LDAP service user credentials
  service_user: service
  service_password: secret
  # LDAP server URL (for TLS use ldaps://)
  url: ldap://host:389
  # CA certificates file for TLS connection
  #tls_ca: /path/to/ca.crt
  # LDAP provider, required for additional checking, e.g. OIDC token validation
  # to ensure user is enabled
  # 
  # Supported providers:
  #
  # msad - Microsoft Active Directory
  # authentik - Authentik LDAP provider
  #
  #provider: msad
user: nobody

Create the service using eva-shell:

eva svc create eva.aaa.ldap /opt/eva4/share/svc-tpl/svc-tpl-aaa-ldap.yml

or using the bus CLI client:

cd /opt/eva4
cat DEPLOY.yml | ./bin/yml2mp | \
    ./sbin/bus ./var/bus.ipc rpc call eva.core svc.deploy -

(see eva.core::svc.deploy for more info)

EAPI methods

See EAPI commons for the common information about the bus, types, errors and RPC calls.

auth.user

Description

Authenticates a client using a local user account

Parameters: required

Returns: The method returns errors if auth is not successful

Parameters

Name                 Type             Description                                                                            Required
login                String           Account login                                                                          yes
password             String           Account password (plain text)                                                          yes
timeout              f64              Max operation timeout                                                                  no
xopts                map<String/Any>  Extra options map (e.g. otp=code for two-factor auth)                                  no
externally_verified  bool             DANGEROUS: Skip password verification, assume it is already done by an external agent  no
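The template above and the auth.user parameter table together describe one flow: bind with the service credentials, find the login under path, verify the password (unless the caller set externally_verified), optionally confirm with the provider that the account is enabled, and map the user's eva_-prefixed groups to ACL names for the ACL service. The following is an added example, not code from the eva4-aaa-ldap package: it models that flow against a constructed in-memory directory so it runs offline. The group-to-ACL mapping, the "enabled" attribute check for the provider, and the cn= layout of user and group entries are assumptions made for illustration; the RDN escaping shows why a login must not be pasted into a DN unescaped.

```python
# Added example (not EVA ICS code): a model of an LDAP-backed auth.user call,
# run against an in-memory stand-in for the directory. The group->ACL mapping
# and the provider "enabled" check are assumptions drawn from the template.
from typing import Dict, List, Tuple


class AuthError(Exception):
    """auth.user returns an error instead of a value when auth fails."""


# Constructed sample directory keyed by DN. userPassword is kept in plain text
# only because this is an in-memory stand-in, not a real LDAP server.
DIRECTORY: Dict[str, dict] = {
    "cn=service,ou=users,dc=domain,dc=com": {"userPassword": "secret"},
    "cn=alice,ou=users,dc=domain,dc=com": {
        "userPassword": "alice-pw",
        "memberOf": ["cn=eva_operators,ou=users,dc=domain,dc=com"],
        "enabled": True,
    },
    "cn=bob,ou=users,dc=domain,dc=com": {
        "userPassword": "bob-pw",
        "memberOf": ["cn=staff,ou=users,dc=domain,dc=com"],  # no eva_ group
        "enabled": True,
    },
    "cn=dave,ou=users,dc=domain,dc=com": {
        "userPassword": "dave-pw",
        "memberOf": ["cn=eva_operators,ou=users,dc=domain,dc=com"],
        "enabled": False,  # disabled by the provider
    },
}

# Mirrors the "config:" section of svc-tpl-aaa-ldap.yml (values from the template).
CONFIG = {
    "path": "ou=users,dc=domain,dc=com",
    "group_prefix": "eva_",
    "service_user": "service",
    "service_password": "secret",
    "url": "ldap://host:389",
    "tls_ca": None,
    "provider": "msad",
}


def escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 special characters so a login cannot reshape the DN we build."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: entry must exist and password must match."""
    entry = DIRECTORY.get(dn)
    return bool(entry and password and entry.get("userPassword") == password)


def transport_warnings(cfg: dict) -> List[str]:
    """Deployment checks: the template's defaults send credentials in plain text."""
    warnings = []
    if not cfg["url"].startswith("ldaps://") and not cfg.get("tls_ca"):
        warnings.append("passwords travel in plain text: use ldaps:// and set tls_ca")
    if cfg["service_password"] == "secret":
        warnings.append("service_password is still the template default")
    return warnings


def auth_user(cfg: dict, login: str, password: str,
              externally_verified: bool = False) -> List[str]:
    """Return ACL names for the login or raise AuthError (the method's failure mode)."""
    service_dn = f"cn={escape_rdn_value(cfg['service_user'])},{cfg['path']}"
    if not simple_bind(service_dn, cfg["service_password"]):
        raise AuthError("service bind failed")
    user_dn = f"cn={escape_rdn_value(login)},{cfg['path']}"
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        raise AuthError("no such user")
    # DANGEROUS path from the parameter table: the caller vouches for the password.
    if not externally_verified and not simple_bind(user_dn, password):
        raise AuthError("invalid credentials")
    # Assumed provider check (msad/authentik): reject accounts the provider disabled.
    if cfg.get("provider") and not entry.get("enabled", False):
        raise AuthError("account disabled")
    prefix = cfg["group_prefix"]
    acls = []
    for group_dn in entry.get("memberOf", []):
        name = group_dn.split(",", 1)[0].split("=", 1)[1]  # "cn=eva_operators" -> "eva_operators"
        if name.startswith(prefix):
            acls.append(name[len(prefix):])
    if not acls:
        raise AuthError(f"user is not in any {prefix}* group")
    return acls


def auth_outcome(cfg: dict, login: str, password: str,
                 externally_verified: bool = False) -> Tuple[str, object]:
    """Convenience wrapper: ("ok", acls) or ("error", message)."""
    try:
        return "ok", auth_user(cfg, login, password, externally_verified)
    except AuthError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for w in transport_warnings(CONFIG):
        print("config warning:", w)
    for args in (("alice", "alice-pw"), ("alice", "wrong"), ("bob", "bob-pw"), ("dave", "dave-pw")):
        print(args[0], "->", auth_outcome(CONFIG, *args))
```

Run as a script it prints the two configuration warnings the template defaults trigger, then one outcome per sample user; only alice with the right password yields an ACL list. The externally_verified branch is the one to watch in a real deployment: any bus client that can reach the service can set it, so who may call auth.user on eva.aaa.ldap is part of the trust boundary, not just what the LDAP server checks.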