
3.2 KiB

Configure LDAP

{abbr}LDAP (Lightweight Directory Access Protocol) is a protocol for providing directory services. It acts as a central authority for user login information. Funkwhale supports LDAP through the Django LDAP authentication module.

LDAP users can't change their password in the app.


LDAP support requires extra dependencies. We include these in our requirements files to make it easier to set up. If you aren't using LDAP, you can safely remove these.

- `libldap2-dev`
- `libsasl2-dev`

- `python-ldap`
- `python-django-auth-ldap`

Environment variables

You can configure LDAP authentication using environment variables in your .env file.

Basic features

value: True
type: Boolean

Set this to `True` to enable LDAP support
type: URI
value: ldap://

The LDAP {abbr}`URI (Uniform Resource Identifier)` of your authentication server.
type: String
value: cn=admin,dc=domain,dc=com

LDAP user {abbr}`DN (Distinguised Name)` to bind on so you can perform searches.
type: String
value: bindpassword

LDAP user password for bind {abbr}`DN (Distinguised Name)`.
type: String
value: (|(cn={0})(mail={0}))

The LDAP user filter, using `{0}` as the username placeholder. Uses standard [LDAP search syntax](
type: Boolean
value: False

Set to `True` to enable LDAP StartTLS support.
type: String
value: dc=domain,dc=com

The LDAP search root {abbr}`DN (Distinguised Name)`. Supports several entries in a comma-delimited list.
type: String
value: first_name:givenName, last_name:sn, username:cn, email:mail

A mapping of Django user attributes to LDAP values.
type: Boolean
value: False

Controls whether to use direct binding.

Group features

LDAP provides extra features for working with groups. Group configuration is an advanced feature. Most users don't need to configure these settings.

[Django's LDAP documentation]( for groups.
type: String
value: ou=groups,dc=domain,dc=com

The LDAP group search root {abbr}`DN (Distinguised Name)`. This needs to be set to `True` to enable group features.
type: String
value: objectClass=groupOfNames

The LDAP group filter.
type: String
value: cn=enabled,ou=groups,dc=domain,dc=com

The group that users need to be a member of to authenticate.
type: String
value: cn=disabled,ou=groups,dc=domain,dc=com

A group whose members can't authenticate.