diff --git a/mkdocs/docs/configuration/forward-auth.md b/mkdocs/docs/configuration/forward-auth.md index 936de89..d167dc7 100644 --- a/mkdocs/docs/configuration/forward-auth.md +++ b/mkdocs/docs/configuration/forward-auth.md @@ -14,7 +14,7 @@ Note that this automatically creates new users in the database if they do not al | :-------------------- | :-------- | :-------- | :------------ | | `TA_LOGIN_AUTH_MODE` | `single` | `forwardauth` | Selects authentication backends. See potential values below. Overrides `TA_LDAP`/`TA_ENABLE_AUTH_PROXY`. | | `TA_ENABLE_AUTH_PROXY` | `null` | `true` | *deprecated* (see below) Set to anything besides empty string to use forward proxy authentication. | -| `TA_AUTH_PROXY_USERNAME_HEADER`| `null` | `HTTP_REMOTE_USER` | The name of the request header that the auth proxy passes to the proxied application (**Tube Archivist** in this case), so that the application can identify the user. The format of this variable's value can vary depending on the specific header and version of Tube Archivist used.[^1] Check the documentation of your auth proxy for how to configure the forwarding of header.[^2] | +| `TA_AUTH_PROXY_USERNAME_HEADER`| `HTTP_REMOTE_USER` | `X-MYPROXY-USER` | The name of the request header that the auth proxy passes to the proxied application (**Tube Archivist** in this case), so that the application can identify the user. The format of this variable's value can vary depending on the specific header and version of Tube Archivist used.[^1] Check the documentation of your auth proxy for how to configure the forwarding of header.[^2] | | `TA_AUTH_PROXY_LOGOUT_URL` | `null` | | The URL that **Tube Archivist** should redirect to after a logout. By default, the logout redirects to the login URL, which means the user will be automatically authenticated again. Instead, you might want to configure the logout URL of the auth proxy here. | [^1]: 
@@ -24,18 +24,18 @@ Note that this automatically creates new users in the database if they do not al [^2]: For Authentik behind NPM Proxy Manager: - + 1. Set the 'TA_AUTH_PROXY_USERNAME_HEADER' TO: - `TA_AUTH_PROXY_USERNAME_HEADER=X_AUTHENTIK_USERNAME` (without the HTTP_ prefix, unless using an older version of Tube Archivist, see above) - 2. In NPM Proxy Manager in the advance tab of your Proxy host modify the default sections of the setup script that was pulled from your proxy provider that starts with: '# This section should be uncommented when the "Send HTTP Basic authentication" option is + 2. In NPM Proxy Manager in the advance tab of your Proxy host modify the default sections of the setup script that was pulled from your proxy provider that starts with: '# This section should be uncommented when the "Send HTTP Basic authentication" option is enabled in the proxy provider' with the following: THIS: # auth_request_set $authentik_auth $upstream_http_authorization; # proxy_set_header Authorization $authentik_auth; - - BECOMES THIS: + + BECOMES THIS: # auth_request_set $authentik_username $upstream_http_x_authentik_username; # proxy_set_header X-Authentik-Username $authentik_username; diff --git a/mkdocs/docs/configuration/ldap.md b/mkdocs/docs/configuration/ldap.md index 2120158..7507ea5 100644 --- a/mkdocs/docs/configuration/ldap.md +++ b/mkdocs/docs/configuration/ldap.md 
@@ -14,6 +14,8 @@ You can enable and configure LDAP with the following environment variables: | `TA_LDAP_USER_ATTR_MAP_EMAIL` | `mail` |`mail` | Bind attribute used to match LDAP user's EMail address | | `TA_LDAP_USER_BASE` | `null` | `ou=users,dc=your-server` | Search base for user filter. | | `TA_LDAP_USER_FILTER` | `null` | `(objectClass=user)` | Filter for valid users. Login usernames are matched using the attribute specified in `TA_LDAP_USER_ATTR_MAP_USERNAME` and should not be specified in this filter. | +| `TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER` | `null` | `alice,bob` | Comma separated list of users (matched based on TA_LDAP_USER_ATTR_MAP_USERNAME) which will automatically be promoted to superuser when they login. Users given superuser access will also be given staff permissions. | +| `TA_LDAP_PROMOTE_USERNAMES_TO_STAFF` | `null` | `lisa,tom` | Comma separated list of users (matched based on TA_LDAP_USER_ATTR_MAP_USERNAME) which will automatically be promoted to staff when they login. | ## Auth Login Modes 
@@ -37,7 +39,11 @@ For installations which require secure enforcement of LDAP-only credentials, use LDAP modes automatically create new users in the database if they do not already exist. -If those accounts are successfully authenticated using this method, they will not have administrative rights to the Dashboard (including ability to add downloads). To fix this, the preferred method is to switch to `ldap_local` and add privileges as described in the next section. +If those accounts are successfully authenticated using this method, they will not have administrative rights to the Dashboard (including ability to add downloads). There are two options for providing LDAP users permissions for downloading videos or performing user administration: +- Use `ldap_local` mode and add privileges as described in the next section. +- Use `TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER` and `TA_LDAP_PROMOTE_USERNAMES_TO_STAFF` to configure TA to promote known usernames to have additional privileges when they first login. + +The `TA_LDAP_PROMOTE_USERNAMES_*` settings are based on the username matched in the `TA_LDAP_USER_ATTR_MAP_USERNAME` setting. Some configurations may allow a user to login with multiple alternative "usernames" based on LDAP attributes, but only the matched username will be promoted. ### LDAP + Local Considerations
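Review bot: in the forward-auth.md table hunk, the new default `HTTP_REMOTE_USER` and the new example `X-MYPROXY-USER` are written in two different forms (WSGI `META` style with the `HTTP_` prefix and underscores versus a raw header name with hyphens), and the description only says the format "can vary" via footnote [^1]. Since this value decides which header is trusted as the authenticated identity, state in the row which form the current version expects, e.g. "give the raw header name as sent by the proxy (`X-MYPROXY-USER`); older versions expect the `HTTP_`-prefixed form", and add that the proxy must be the only source of this header, otherwise the "Check the documentation of your auth proxy for how to configure the forwarding of header" sentence leaves the reader unaware that a client-supplied header would be accepted as a login.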
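Review bot: the second forward-auth.md hunk (footnote [^2]) changes only blank lines and trailing whitespace; it carries no content change for the `TA_AUTH_PROXY_USERNAME_HEADER` default and could be dropped or moved to a separate whitespace commit. If the lines are touched anyway, fix "advance tab" to "Advanced tab" and note that step 1 sets the variable to `X_AUTHENTIK_USERNAME` (underscores) while the nginx snippet forwards `X-Authentik-Username` (hyphens), so a short sentence on why the two spellings differ would save readers a round of debugging.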
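Review bot: the two new rows in the ldap.md table grant superuser and staff rights from a comma-separated list but do not document the matching rules, which matter for a privilege-granting setting: say whether whitespace around commas is trimmed, whether the comparison with the `TA_LDAP_USER_ATTR_MAP_USERNAME` value is case-sensitive (LDAP attributes such as `sAMAccountName` are commonly matched case-insensitively on the directory side), and whether removing a name from the list demotes an already promoted account. Also wrap `TA_LDAP_USER_ATTR_MAP_USERNAME` in backticks in both rows, as every other variable reference in this table does.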
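Review bot: in the second ldap.md hunk the `- Use ...` bullet lines follow the "There are two options ..." paragraph with no blank line in between; Python-Markdown, which mkdocs uses, does not start a list without a preceding blank line, so these two items will render as one run-on paragraph. Insert an empty line before the first `- ` line. Wording: "when they first login" here versus "when they login" in the table rows should agree on whether promotion happens only on first login or on every login, and "login" as a verb should read "log in".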