sintonia/docs/admin-manual/custom-authentication.md

---
title: Custom authentication
sidebar_position: 40
---

:::warning

Since LibreTime v3.0.0-alpha.13, this documentation is out of date, as it relies on the Apache2 web server and the default web server installed by LibreTime is now NGINX.

:::

## Setup FreeIPA authentication

You can configure LibreTime to delegate all authentication to a FreeIPA server.

This allows you users to use their existing FreeIPA credentials. For this to
work you need to configure Apache to use `mod_authnz_pam` and `mod_intercept_form_submit`.

### Apache configuration

After installing the needed modules you can set up Apache to intercept form logins and
check them against pam.

```apacheconf
<Location /login>
    InterceptFormPAMService http-libretime
    InterceptFormLogin username
    InterceptFormPassword password
    InterceptFormLoginSkip admin
    InterceptFormPasswordRedact on
    InterceptFormLoginRealms INT.RABE.CH
    Require pam-account http-libretime
</Location>

<Location />
    <RequireAny>
       <RequireAny>
           Require pam-account http-libretime
           Require all granted
       </RequireAny>
       <RequireAll>
           Require expr %{REQUEST_URI} =~  /(index.php|login|favicon.ico|js|css|locale)/
           Require all granted
       </RequireAll>
    </RequireAny>
</Location>
```

### PAM configuration

The above configuration expects a PAM configuration for the `http-libretime` service.

To configure this you need to create the file `/etc/pam.d/http-libretime` with the following contents.

```
auth    required   pam_sss.so
account required   pam_sss.so
```

### LDAP configuration

LibreTime needs direct access to LDAP so it can fetch additional information. It does so with
a [system account](https://www.freeipa.org/page/HowTo/LDAP#System_Accounts) that you need to
set up beforehand.

You can configure everything pertaining to how LibreTime accesses LDAP in
`/etc/libretime/config.yml`. The default file has the following values you need to change.

```yml
#
# ----------------------------------------------------------------------
#                          L D A P
# ----------------------------------------------------------------------
#
# hostname:       Hostname of LDAP server
#
# binddn:         Complete DN of user used to bind to LDAP
#
# password:       Password for binddn user
#
# account_domain: Domain part of username
#
# basedn:         base search DN
#
# filter_field:   Name of the uid field for searching
#                 Usually uid, may be cn
#
# groupmap_*:     Map LibreTime user types to LDAP groups
#                 Lets LibreTime assign user types based on the
#                 group a given user is in.
#
ldap:
  hostname: ldap.example.org
  binddn: "uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org"
  password: hackme
  account_domain: INT.EXAMPLE.ORG
  basedn: "cn=users,cn=accounts,dc=int,dc=example,dc=org"
  filter_field: uid
  groupmap_guest: "cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_host: "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_program_manager: "cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_admin: "cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_superadmin: "cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
```

### Enable FreeIPA authentication

After everything is set up properly you can enable FreeIPA auth in `config.yml`:

```yml
general:
  auth: LibreTime_Auth_Adaptor_FreeIpa
```

You should now be able to use your FreeIPA credentials to log in to LibreTime.
Working on Features page 2020-05-26 00:15:56 +02:00			`---`
docs: update structure and create links between pages (#1611) * docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording 2022-02-21 08:16:54 +01:00			`title: Custom authentication`
			`sidebar_position: 40`
Working on Features page 2020-05-26 00:15:56 +02:00			`---`
First round of @paddatrapper changes 2020-05-15 18:51:40 +02:00
docs: add out of date warning to custom auth setup 2022-08-03 10:51:48 +02:00			`:::warning`

			`Since LibreTime v3.0.0-alpha.13, this documentation is out of date, as it relies on the Apache2 web server and the default web server installed by LibreTime is now NGINX.`

			`:::`

docs: update structure and create links between pages (#1611) * docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording 2022-02-21 08:16:54 +01:00			`## Setup FreeIPA authentication`

FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00			`You can configure LibreTime to delegate all authentication to a FreeIPA server.`

			`This allows you users to use their existing FreeIPA credentials. For this to`
			work you need to configure Apache to use `mod_authnz_pam` and `mod_intercept_form_submit`.

docs: update structure and create links between pages (#1611) * docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording 2022-02-21 08:16:54 +01:00			`### Apache configuration`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
			`After installing the needed modules you can set up Apache to intercept form logins and`
			`check them against pam.`

docs: fix prose linting errors - Properly enclose code between triple backticks - Put paths and url between backticks - Remove links <> enclosing - Libretime styled name is LibreTime - Put urls and paths betwen backticks - Use sentence like capitalization for headings - Put tools name between backticks - Update links 2022-02-10 12:15:23 +01:00			```apacheconf
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00			`<Location /login>`
			`InterceptFormPAMService http-libretime`
			`InterceptFormLogin username`
			`InterceptFormPassword password`
			`InterceptFormLoginSkip admin`
			`InterceptFormPasswordRedact on`
			`InterceptFormLoginRealms INT.RABE.CH`
			`Require pam-account http-libretime`
			`</Location>`

			`<Location />`
			`<RequireAny>`
			`<RequireAny>`
			`Require pam-account http-libretime`
			`Require all granted`
			`</RequireAny>`
			`<RequireAll>`
			`Require expr %{REQUEST_URI} =~ /(index.php\|login\|favicon.ico\|js\|css\|locale)/`
			`Require all granted`
			`</RequireAll>`
			`</RequireAny>`
			`</Location>`
			```

docs: update structure and create links between pages (#1611) * docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording 2022-02-21 08:16:54 +01:00			`### PAM configuration`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
			The above configuration expects a PAM configuration for the `http-libretime` service.

docs: fix typo (#3027) Minor typo that was being picked up by pre-commit 2024-06-05 17:54:12 +02:00			To configure this you need to create the file `/etc/pam.d/http-libretime` with the following contents.
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
			```
			`auth required pam_sss.so`
			`account required pam_sss.so`
			```

docs: update structure and create links between pages (#1611) * docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording 2022-02-21 08:16:54 +01:00			`### LDAP configuration`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
			`LibreTime needs direct access to LDAP so it can fetch additional information. It does so with`
			`a [system account](https://www.freeipa.org/page/HowTo/LDAP#System_Accounts) that you need to`
			`set up beforehand.`

Format code using prettier 2021-05-27 16:20:34 +02:00			`You can configure everything pertaining to how LibreTime accesses LDAP in`
feat: change config dir path to /etc/libretime BREAKING: The configuration directory changed from `/etc/airtime` to `/etc/libretime`. Please rename your configuration directory accordingly. 2022-06-06 17:10:44 +02:00			`/etc/libretime/config.yml`. The default file has the following values you need to change.
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
feat: change config file format to yaml - docs: add link to yaml.org BREAKING: The `ini` configuration file format changed to `yml`. Please rewrite your configuration file using the yaml format. 2022-06-06 17:04:26 +02:00			```yml
Format code using prettier 2021-05-27 16:20:34 +02:00			`#`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00			`# ----------------------------------------------------------------------`
			`# L D A P`
			`# ----------------------------------------------------------------------`
			`#`
			`# hostname: Hostname of LDAP server`
			`#`
			`# binddn: Complete DN of user used to bind to LDAP`
			`#`
			`# password: Password for binddn user`
			`#`
			`# account_domain: Domain part of username`
			`#`
			`# basedn: base search DN`
			`#`
			`# filter_field: Name of the uid field for searching`
			`# Usually uid, may be cn`
			`#`
			`# groupmap_*: Map LibreTime user types to LDAP groups`
			`# Lets LibreTime assign user types based on the`
			`# group a given user is in.`
			`#`
feat: change config file format to yaml - docs: add link to yaml.org BREAKING: The `ini` configuration file format changed to `yml`. Please rewrite your configuration file using the yaml format. 2022-06-06 17:04:26 +02:00			`ldap:`
			`hostname: ldap.example.org`
			`binddn: "uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org"`
			`password: hackme`
			`account_domain: INT.EXAMPLE.ORG`
			`basedn: "cn=users,cn=accounts,dc=int,dc=example,dc=org"`
			`filter_field: uid`
			`groupmap_guest: "cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org"`
			`groupmap_host: "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org"`
			`groupmap_program_manager: "cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org"`
			`groupmap_admin: "cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org"`
			`groupmap_superadmin: "cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org"`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00			```

docs: update structure and create links between pages (#1611) * docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording 2022-02-21 08:16:54 +01:00			`### Enable FreeIPA authentication`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
feat: change config filename to config.yml BREAKING: The configuration file name changed from `airtime.conf` to `config.yml`. Please rename your configuration file accordingly. 2022-06-06 17:09:25 +02:00			After everything is set up properly you can enable FreeIPA auth in `config.yml`:
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00
feat: change config file format to yaml - docs: add link to yaml.org BREAKING: The `ini` configuration file format changed to `yml`. Please rewrite your configuration file using the yaml format. 2022-06-06 17:04:26 +02:00			```yml
			`general:`
			`auth: LibreTime_Auth_Adaptor_FreeIpa`
FreeIPA Auth Adaptor for LibreTime Allow delegating user authentication to FreeIPA rather than having it be checked against the database. 2017-03-18 19:15:20 +01:00			```

			`You should now be able to use your FreeIPA credentials to log in to LibreTime.`