For the time being Faraday doesn't support a hybrid installation using both LDAP and local users: enabling LDAP disables local users and vice versa. Local users are not deleted, only locked out of login, and disabling LDAP unlocks them again. Be aware, however, that enabling LDAP erases the permissions local users held over Workspaces, so those Workspaces become publicly available as soon as the server is restarted and stay that way until their owner and permissions are reassigned to LDAP users.
To configure Faraday with LDAP/AD, edit /home/faraday/.faraday/config/server.ini and complete the following fields:
* enabled (turn AD/LDAP support on or off)
* server (IP address of the Domain Controller or LDAP server)
* domain_dn (base DN of the domain for AD, e.g. DC=example,DC=com)
* domain (default domain; set to false if you don't need it)
* admin_group (name of the AD group that maps to the Admin role)
* pentester_group (name of the AD group that maps to the Pentester role)
* client_group (name of the AD group that maps to the Client role)
* use_ldaps (connect over LDAPS, i.e. TLS from the start of the connection; LDAPS normally listens on port 636)
* use_start_tls (open a plain LDAP connection and upgrade it to TLS with StartTLS; used with the plain LDAP port)
* port (LDAP port: 389 for plain LDAP or StartTLS, 636 for LDAPS)
* disconnect_timeout (maximum wait time for a session of the domain user)
* use_local_roles (use Faraday roles stored in the PostgreSQL database)
* default_local_role (the default role for authenticated users; only works when use_local_roles is true)
WARNING: If use_local_roles is set to true, any user in the AD who can authenticate will be allowed to log in to Faraday and will receive default_local_role, not only members of the three groups above. With use_ldaps and use_start_tls both false, user credentials are sent to the directory server in cleartext.
The following example shows a basic AD configuration:
enabled = true
server = 127.0.0.1
domain_dn = DC=example,DC=com
domain = example.com
admin_group = fadmin
pentester_group = fpentester
client_group = fclient
use_ldaps = false
use_start_tls = false
port = 389
disconnect_timeout = 2.0
use_local_roles = false
default_local_role = none
After making these modifications, save the file and restart Faraday Server.
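As an added example (illustrative code written for this page, not Faraday's own implementation), the following Python audits the LDAP block of a server.ini for the weak settings the fields above allow, and models the documented group-to-role mapping, including the use_local_roles fallback the WARNING describes. The section name [ldap], the matching of groups by the CN of each memberOf DN, and the two sample configurations are assumptions constructed for the example.

```python
"""Audit a Faraday server.ini LDAP block and model the documented role mapping.

Illustrative code, not Faraday's implementation. Assumptions: the fields live
in a section named [ldap]; group membership is matched by the CN of each
memberOf DN; the sample configurations below are constructed for this example.
"""
import configparser
from typing import List, Optional

# Constructed sample: the basic example from the page, as written (plain LDAP).
SAMPLE_INI = """
[ldap]
enabled = true
server = 127.0.0.1
domain_dn = DC=example,DC=com
domain = example.com
admin_group = fadmin
pentester_group = fpentester
client_group = fclient
use_ldaps = false
use_start_tls = false
port = 389
disconnect_timeout = 2.0
use_local_roles = false
default_local_role = none
"""

# Constructed hardened variant: same groups, but LDAPS on 636 and no open fallback.
HARDENED_INI = SAMPLE_INI.replace("use_ldaps = false", "use_ldaps = true") \
                         .replace("port = 389", "port = 636")


def load_ldap_section(ini_text: str) -> configparser.SectionProxy:
    """Parse the ini text and return the (assumed) [ldap] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp["ldap"]


def audit_ldap(section: configparser.SectionProxy) -> List[str]:
    """Return the findings a reviewer would raise about this LDAP block."""
    findings: List[str] = []
    if not section.getboolean("enabled", fallback=False):
        return findings  # LDAP off: nothing below applies
    ldaps = section.getboolean("use_ldaps", fallback=False)
    starttls = section.getboolean("use_start_tls", fallback=False)
    port = section.getint("port", fallback=389)
    if not ldaps and not starttls:
        findings.append("cleartext: neither use_ldaps nor use_start_tls is enabled, "
                        "so bind credentials cross the network unencrypted")
    if ldaps and starttls:
        findings.append("use_ldaps and use_start_tls are both set; choose one")
    if ldaps and port == 389:
        findings.append("use_ldaps is true but port is 389; LDAPS normally uses 636")
    if section.getboolean("use_local_roles", fallback=False):
        findings.append("use_local_roles is true: every authenticated directory user "
                        "can log in with role '%s'" % section.get("default_local_role"))
    for key in ("admin_group", "pentester_group", "client_group"):
        if not section.get(key, fallback="").strip():
            findings.append("%s is empty: nobody can be mapped to that role" % key)
    return findings


def resolve_role(section: configparser.SectionProxy, member_of: List[str]) -> Optional[str]:
    """Map a user's memberOf DNs to a Faraday role as the docs describe it.

    A configured group match wins (admin before pentester before client).
    Otherwise the user gets default_local_role only when use_local_roles is
    true; with use_local_roles false a user outside the three groups gets
    no role at all, i.e. no access.
    """
    cns = set()
    for dn in member_of:
        first_rdn = dn.split(",")[0]
        if "=" in first_rdn:
            cns.add(first_rdn.split("=", 1)[1].strip().lower())
    for key, role in (("admin_group", "admin"),
                      ("pentester_group", "pentester"),
                      ("client_group", "client")):
        if section.get(key, fallback="").strip().lower() in cns:
            return role
    if section.getboolean("use_local_roles", fallback=False):
        default = section.get("default_local_role", fallback="none").strip()
        return None if default.lower() in ("", "none") else default
    return None


if __name__ == "__main__":
    for name, text in (("page example", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(name, "->", audit_ldap(load_ldap_section(text)) or "no findings")
```

Running the block prints the cleartext finding for the page's example and no findings for the hardened variant; resolve_role shows that with use_local_roles false a directory user who is in none of fadmin, fpentester or fclient gets no role, while flipping use_local_roles to true hands such a user default_local_role, which is exactly the exposure the WARNING describes.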
Assuming that our domain name is example.com and our groups are fadmin, fclient and fpentester, the directory must contain those three groups under the configured domain_dn (DC=example,DC=com), and a user such as admin_user who should receive the Admin role must be a member of the fadmin group. The original page illustrated both the group layout and the user's properties with screenshots that are not reproduced here.
Migrating to LDAP
- Log out of both the Web UI and the GTK client, then stop Faraday Server.
- Enable LDAP in the Faraday Server configuration file.
- Start Faraday Server.
- Login as a Faraday administrator with the LDAP credentials in the Web UI.
- Change the owner and permissions of every existing workspace. Until this step is done the workspaces are publicly available, because enabling LDAP erased the permissions of the local users who owned them.