From 6338723b88aba2d01618ec81b44673ab17ff3ba8 Mon Sep 17 00:00:00 2001 From: melaniekung Date: Wed, 6 Mar 2024 13:51:32 -0800 Subject: [PATCH] Update LDAP docs with TLS encryption --- admin-manual/customization/authentication.rst | 12 +++++++++++- admin-manual/customization/config-files.rst | 4 ++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/admin-manual/customization/authentication.rst b/admin-manual/customization/authentication.rst index 479d2762..f3af72e2 100644 --- a/admin-manual/customization/authentication.rst +++ b/admin-manual/customization/authentication.rst @@ -146,8 +146,18 @@ Protocol (IP) network" (Wikipedia). When this is enabled, users attempting to log in will use the credentials associated with their LDAP account, instead of local account credentials, when :ref:`logging in ` to AtoM. -.. IMPORTANT:: +LDAP authentication in AtoM, by default, uses StartTLS for encryption. StartTLS +starts an unencrypted plaintext connection to the LDAP server, on port 389, then +upgrades the connection to begin Transport Layer Security (TLS) encryption. The +use of StartTLS is on by default, but can be disabled via settings in the +:ref:`app.yml `. + +.. WARNING:: + While StartTLS encryption on the LDAP server can be disabled, we strongly + discourage doing so in a production environment. + +.. IMPORTANT:: To enable LDAP authentication in AtoM, manually installing the ``php-ldap`` extension is required. diff --git a/admin-manual/customization/config-files.rst b/admin-manual/customization/config-files.rst index 66189591..f41b16e7 100644 --- a/admin-manual/customization/config-files.rst +++ b/admin-manual/customization/config-files.rst 
@@ -184,6 +184,10 @@ such as: additional details. * ``directives``: The CSP `directives` setting contains the CSP policy that will be sent in the CSP header. See :ref:`csp-configuration` for additional details. +* ``enable_tls_encryption``: Controls StartTLS encryption for LDAP authentication. + It defaults to true, even if this variable is not defined in the file, enabling + StartTLS, but can be set to false to disable StartTLS encryption. See + :ref:`ldap-enabling` for additional details. .. image:: images/app-yml-settings.* :align: center
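Review bot: in the authentication.rst hunk, the new paragraph says StartTLS "can be disabled via settings in the app.yml" but never names the setting, so a reader has to guess which key to look for; name it inline, e.g. "can be disabled by setting ``enable_tls_encryption`` to ``false`` in app.yml", which also ties the two files in this patch together. The WARNING would be stronger if it stated the consequence rather than only the recommendation: with StartTLS off, the bind on port 389 sends user credentials to the directory server in plaintext. Minor wording: "unencrypted plaintext connection" is redundant, "plaintext connection" suffices.

Review bot: in the config-files.rst hunk, the new ``enable_tls_encryption`` bullet is appended directly after the CSP ``directives`` entry, so it reads as if it were another CSP setting; say which block of app.yml it belongs to (the LDAP settings, as the description implies) and show its indentation so administrators put it in the right place. The key name says "tls_encryption" while the description says it controls StartTLS only; make explicit that it toggles the StartTLS upgrade on the existing connection, so nobody reads ``false`` as a switch to some other transport. The default sentence could be tightened to "Defaults to ``true`` when the key is absent; set to ``false`` to disable StartTLS (not recommended in production, see :ref:`ldap-enabling`)."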