LDAP improvements:

- Better logging - Better error messages - Add unit tests - Clean up the setup tool for LDAP
2015-05-11 21:23:18 -04:00 · 2015-05-11 21:23:18 -04:00 · efab02ae47
commit efab02ae47
parent 3e1abba284
5 changed files with 173 additions and 28 deletions
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@ -310,12 +310,12 @@
          </p>
        </div>

-        <div class="alert alert-warning" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+        <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
          It is <strong>highly recommended</strong> to require encrypted client passwords. LDAP passwords used in the Docker client will be stored in <strong>plaintext</strong>!
          <a href="javascript:void(0)" ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
        </div>

-        <div class="alert alert-success" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+        <div class="co-alert co-alert-success" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
          Note: The "Require Encrypted Client Passwords" feature is currently enabled which will
          prevent LDAP passwords from being saved as plaintext by the Docker client.
        </div>
@ -343,29 +343,76 @@
              </div>
            </td>
          </tr>
-          <tr>
-            <td>Administrator DN:</td>
-            <td><span class="config-string-field" binding="config.LDAP_ADMIN_DN"></span></td>
-          </tr>
          <tr>
            <td>Base DN:</td>
-            <td><span class="config-list-field" item-title="DN" binding="config.LDAP_BASE_DN"></span></td>
+            <td>
+              <span class="config-list-field" item-title="DN" binding="config.LDAP_BASE_DN"></span>
+              <div class="help-text">
+              A list of Distinguished Name pieces which forms the base path for
+              looking up all LDAP records.
+              </div>
+              <div class="help-text">
+                Example: [dc=my,dc=domain,dc=com]
+              </div>
+            </td>
          </tr>
          <tr>
-            <td>Administrator Password:</td>
-            <td><span class="config-string-field" binding="config.LDAP_ADMIN_PASSWD"></span></td>
+            <td>User Relative DN:</td>
+            <td>
+              <span class="config-list-field" item-title="RDN" binding="config.LDAP_USER_RDN"></span>
+              <div class="help-text">
+              A list of Distinguished Name pieces which forms the base path for
+              looking up all user LDAP records, relative to the Base DN defined above.
+              </div>
+              <div class="help-text">
+                Example: [ou=employees]
+              </div>
+            </td>
          </tr>
          <tr>
-            <td>E-mail Attribute:</td>
-            <td><span class="config-string-field" binding="config.LDAP_EMAIL_ATTR"></span></td>
+            <td>Administrator DN:</td>
+            <td><span class="config-string-field" binding="config.LDAP_ADMIN_DN"></span>
+              <div class="help-text">
+              The Distinguished Name for the Administrator account. This account must be able to login and view the records for all user accounts.
+              </div>
+              <div class="help-text">
+                Example: uid=admin,ou=employees,dc=my,dc=domain,dc=com
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td>Administrator DN Password:</td>
+            <td>
+              <div class="co-alert co-alert-warning">
+                Note: This will be stored in
+                <strong>plaintext</strong> inside the config.yaml, so setting up a dedicated account or using
+                <a href="http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html" target="_blank">a password hash</a> is <strong>highly</strong> recommended.
+              </div>
+              <span class="config-string-field" binding="config.LDAP_ADMIN_PASSWD"></span>
+              <div class="help-text">
+               The password for the Administrator DN.
+              </div>
+            </td>
          </tr>
          <tr>
            <td>UID Attribute:</td>
-            <td><span class="config-string-field" binding="config.LDAP_UID_ATTR"></span></td>
+            <td>
+              <span class="config-string-field" binding="config.LDAP_UID_ATTR" default-value="uid"></span>
+              <div class="help-text">
+               The name of the property field in your LDAP user records that stores your
+               users' username. Typically "uid".
+              </div>
+            </td>
          </tr>
          <tr>
-            <td>User RDN:</td>
-            <td><span class="config-list-field" item-title="RDN" binding="config.LDAP_USER_RDN"></span></td>
+            <td>Mail Attribute:</td>
+            <td>
+              <span class="config-string-field" binding="config.LDAP_EMAIL_ATTR" default-value="mail"></span>
+              <div class="help-text">
+               The name of the property field in your LDAP user records that stores your
+               users' e-mail address(es). Typically "mail".
+              </div>
+            </td>
          </tr>
        </table>
      </div>