From be8ba7369a5b372f6bd9b05aeaeb6233b283c63a Mon Sep 17 00:00:00 2001 From: melaniekung Date: Wed, 6 Mar 2024 13:51:32 -0800 Subject: [PATCH] Update LDAP docs with TLS encryption --- admin-manual/customization/authentication.rst | 16 +++++++++++++++- admin-manual/customization/config-files.rst | 4 ++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/admin-manual/customization/authentication.rst b/admin-manual/customization/authentication.rst index 479d2762..1162db67 100644 --- a/admin-manual/customization/authentication.rst +++ b/admin-manual/customization/authentication.rst @@ -146,8 +146,22 @@ Protocol (IP) network" (Wikipedia). When this is enabled, users attempting to log in will use the credentials associated with their LDAP account, instead of local account credentials, when :ref:`logging in ` to AtoM. -.. IMPORTANT:: +LDAP authentication in AtoM, by default, uses StartTLS for encryption. StartTLS +starts an unencrypted plaintext connection to the LDAP server, on port 389, then +upgrades the connection to begin Transport Layer Security (TLS) encryption. The +use of StartTLS is on by default, but can be disabled via settings in the +:ref:`app.yml `. + +.. WARNING:: + + While StartTLS encryption on the LDAP server can be disabled, we strongly + discourage doing so in a production environment. + +Enabling LDAP authentication in AtoM requires manually editing a few AtoM +configuration files. For more general information on how to do this, see +:ref:`Manage AtoM configuration files `. +.. IMPORTANT:: To enable LDAP authentication in AtoM, manually installing the ``php-ldap`` extension is required. diff --git a/admin-manual/customization/config-files.rst b/admin-manual/customization/config-files.rst index 66189591..f41b16e7 100644 --- a/admin-manual/customization/config-files.rst +++ b/admin-manual/customization/config-files.rst 
@@ -184,6 +184,10 @@ such as: additional details. * ``directives``: The CSP `directives` setting contains the CSP policy that will be sent in the CSP header. See :ref:`csp-configuration` for additional details. +* ``enable_tls_encryption``: Controls StartTLS encryption for LDAP authentication. + It defaults to true, even if this variable is not defined in the file, enabling + StartTLS, but can be set to false to disable StartTLS encryption. See + :ref:`ldap-enabling` for additional details. .. image:: images/app-yml-settings.* :align: center
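Review bot: In the authentication.rst hunk, the WARNING says StartTLS "on the LDAP server can be disabled", but the setting it refers to (``enable_tls_encryption`` in ``app.yml``) turns StartTLS off on the AtoM side, not on the directory server; suggest "While StartTLS encryption can be disabled in AtoM, ...". The warning would also carry more weight if it stated the consequence that follows from the paragraph above it: with StartTLS disabled, the connection on port 389 stays plaintext, so the bind DN and password of every user logging in travel unencrypted over the network. It would help readers to add one sentence noting that the LDAP server must support the StartTLS extended operation and present a certificate the AtoM host trusts, otherwise the upgrade step fails and logins will not succeed.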
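Review bot: In the config-files.rst hunk, the new ``enable_tls_encryption`` entry should say explicitly that the option controls StartTLS on port 389 only and that ``false`` means an unencrypted LDAP connection, not LDAPS on 636, since the key name suggests "TLS" in general. The sentence "It defaults to true, even if this variable is not defined in the file, enabling StartTLS, but can be set to false to disable StartTLS encryption" reads awkwardly; suggest "Defaults to ``true`` (StartTLS enabled) when the key is absent; set it to ``false`` to disable StartTLS." A short example line showing the key in its place in the file, e.g. ``enable_tls_encryption: true``, would match how the other ``app.yml`` settings in this section are documented and make the accepted boolean values unambiguous.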