mirror of
https://github.com/tubearchivist/docs.git
synced 2025-08-04 15:08:17 +00:00
LDAP automatic user privilege promotion (#66)
* LDAP automatic lazy user privilege promotion: TA_LDAP_PROMOTE_USERNAMES_*
* clarification of default value in fwd auth

---------

Co-authored-by: Simon <simobilleter@gmail.com>
parent: f9776a2c4a
commit: 29bc7e8967
@ -14,7 +14,7 @@ Note that this automatically creates new users in the database if they do not al
| :-------------------- | :-------- | :-------- | :------------ |
| `TA_LOGIN_AUTH_MODE` | `single` | `forwardauth` | Selects authentication backends. See potential values below. Overrides `TA_LDAP`/`TA_ENABLE_AUTH_PROXY`. |
| `TA_ENABLE_AUTH_PROXY` | `null` | `true` | *deprecated* (see below) Set to anything besides empty string to use forward proxy authentication. |
| `TA_AUTH_PROXY_USERNAME_HEADER`| `null` | `HTTP_REMOTE_USER` | The name of the request header that the auth proxy passes to the proxied application (**Tube Archivist** in this case), so that the application can identify the user. The format of this variable's value can vary depending on the specific header and version of Tube Archivist used.[^1] Check the documentation of your auth proxy for how to configure the forwarding of header.[^2] |
| `TA_AUTH_PROXY_USERNAME_HEADER`| `HTTP_REMOTE_USER` | `X-MYPROXY-USER` | The name of the request header that the auth proxy passes to the proxied application (**Tube Archivist** in this case), so that the application can identify the user. The format of this variable's value can vary depending on the specific header and version of Tube Archivist used.[^1] Check the documentation of your auth proxy for how to configure the forwarding of header.[^2] |
| `TA_AUTH_PROXY_LOGOUT_URL` | `null` | | The URL that **Tube Archivist** should redirect to after a logout. By default, the logout redirects to the login URL, which means the user will be automatically authenticated again. Instead, you might want to configure the logout URL of the auth proxy here. |
[^1]:
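Review bot: the changed `TA_AUTH_PROXY_USERNAME_HEADER` row now shows a default of `HTTP_REMOTE_USER` next to an example of `X-MYPROXY-USER`, two different spellings of a header name (a WSGI-style `HTTP_*` META key versus the raw HTTP header), while the row text only says the format "can vary depending on the specific header and version of Tube Archivist". State explicitly which form each version expects, or give the example in the same form as the default (for instance `HTTP_X_MYPROXY_USER`), so an operator copying the example does not configure a name that never matches the header the proxy actually sends. The footnote reference `[^1]` in the row should also point at text that spells out that difference, since the `[^1]:` context line at the end of this hunk is where it would live.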
@ -14,6 +14,8 @@ You can enable and configure LDAP with the following environment variables:
| `TA_LDAP_USER_ATTR_MAP_EMAIL` | `mail` |`mail` | Bind attribute used to match LDAP user's EMail address |
| `TA_LDAP_USER_BASE` | `null` | `ou=users,dc=your-server` | Search base for user filter. |
| `TA_LDAP_USER_FILTER` | `null` | `(objectClass=user)` | Filter for valid users. Login usernames are matched using the attribute specified in `TA_LDAP_USER_ATTR_MAP_USERNAME` and should not be specified in this filter. |
| `TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER` | `null` | `alice,bob` | Comma separated list of users (matched based on TA_LDAP_USER_ATTR_MAP_USERNAME) which will automatically be promoted to superuser when they login. Users given superuser access will also be given staff permissions. |
| `TA_LDAP_PROMOTE_USERNAMES_TO_STAFF` | `null` | `lisa,tom` | Comma separated list of users (matched based on TA_LDAP_USER_ATTR_MAP_USERNAME) which will automatically be promoted to staff when they login. |
## Auth Login Modes
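Review bot: the two new `TA_LDAP_PROMOTE_USERNAMES_*` rows leave open two questions an administrator will have before granting these flags: whether whitespace around the commas (`alice, bob`) is tolerated, and whether removing a name from the list later revokes the superuser or staff flag or only stops future promotion. Because these settings hand out user-administration rights, the row should say which it is (for example "promotion is applied at login and is not reverted when the name is removed; demote the user in the admin interface"), if that matches the code. Minor style point: the rows write TA_LDAP_USER_ATTR_MAP_USERNAME in plain text where the rest of the table uses backticks, as in `TA_LDAP_USER_ATTR_MAP_USERNAME`.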
@ -37,7 +39,11 @@ For installations which require secure enforcement of LDAP-only credentials, use
LDAP modes automatically create new users in the database if they do not already exist.
If those accounts are successfully authenticated using this method, they will not have administrative rights to the Dashboard (including ability to add downloads). To fix this, the preferred method is to switch to `ldap_local` and add privileges as described in the next section.
If those accounts are successfully authenticated using this method, they will not have administrative rights to the Dashboard (including ability to add downloads). There are two options for providing LDAP users permissions for downloading videos or performing user administration:
- Use `ldap_local` mode and add privileges as described in the next section.
- Use `TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER` and `TA_LDAP_PROMOTE_USERNAMES_TO_STAFF` to configure TA to promote known usernames to have additional privileges when they first login.
The `TA_LDAP_PROMOTE_USERNAMES_*` settings are based on the username matched in the `TA_LDAP_USER_ATTR_MAP_USERNAME` setting. Some configurations may allow a user to login with multiple alternative "usernames" based on LDAP attributes, but only the matched username will be promoted.
### LDAP + Local Considerations
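Review bot: the second new bullet says users are promoted "when they first login", whereas the table rows added in the previous hunk say "when they login"; these differ in practice, since only the latter promotes an existing account whose name is added to the list after its first login, so pick one wording and use it in both places. The bullet also introduces the abbreviation "TA" where the surrounding text spells out **Tube Archivist**. Finally, now that two ways of granting rights follow it, the retained sentence "they will not have administrative rights to the Dashboard" reads better as "they will not have administrative rights to the Dashboard by default".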