Authentication

Simon Bartlett edited this page Feb 16, 2015 · 25 revisions

We support three methods of authentication:

  • Local
  • Kerberos
  • LDAP

To configure which authentication methods are used, modify the auth.providers property.

The following activates only local authentication.

auth:
  providers: [local]

This activates both Kerberos and local authentication:

auth:
  providers: [kerberos, local]

The order in which providers are listed matters: when a user tries to authenticate, the providers are tried one after another in the order they're listed.

Authentication providers

Local authentication

This is the default method of authentication specified in settings.yml.sample. It was chosen as a default to help teams get up and running as quickly as possible. You probably shouldn't use it unless it follows your security policies. Find out more about it in the following paragraphs.

Users can authenticate using web forms. Users must first self-register in order to use a Let's Chat server. The default authentication settings assume that the server is accessible only by trusted users.

Strongly consider using Kerberos or LDAP to authenticate users.

The default local authentication settings are as follows:

auth:
  local:
    enableRegistration: true
    passwordRegex: ^.{8,64}$

Important Security Notes

  • You can turn off self-registration with the setting auth.local.enableRegistration: false.
  • User passwords are securely stored in the database using best practices.
  • User passwords must match passwordRegex in order to be accepted by the system. Change this value so that it follows your team's password policy. The default value is designed for easy registration within trusted environments. It is probably too simple for your team's security policies.
  • All authenticated users have access to the REST-like API.

Kerberos authentication

See here

LDAP authentication

See here

Login throttling

Minimize password-guessing attacks by throttling logins. After auth.throttling.threshold failed login attempts for a user, no more attempts can be made until a period of time elapses. This period of time grows with the number of failed attempts until a maximum of 24 hours is reached.

auth:
  throttling:
    enable: true
    threshold: 3
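To make the throttling rule concrete, here is an added in-memory login throttle that follows the auth.throttling settings above. It is example code written for this page, not code from Let's Chat; the page only says the lock-out period grows with each failure up to 24 hours, so the growth curve used here (doubling from an assumed one-minute first lock-out) is an assumption.

```javascript
// Added example: an in-memory login throttle modelled on the auth.throttling
// settings above. Not code from Let's Chat; the growth curve (doubling from a
// one-minute base, capped at 24 hours) is an assumption, as the page only says
// the lock-out period grows with the number of failures up to 24 hours.
const DAY_MS = 24 * 60 * 60 * 1000;
const BASE_LOCK_MS = 60 * 1000; // assumed first lock-out length: 1 minute

class LoginThrottle {
  constructor({ enable = true, threshold = 3 } = {}) {
    this.enable = enable;
    this.threshold = threshold;
    this.state = new Map(); // username -> { failures, lockedUntil }
  }

  // Lock-out length after `failures` consecutive failed attempts.
  lockoutMs(failures) {
    if (failures < this.threshold) return 0;
    const lock = BASE_LOCK_MS * 2 ** (failures - this.threshold);
    return Math.min(lock, DAY_MS);
  }

  // Returns true when a login attempt for `username` may proceed at time `now`.
  canAttempt(username, now = Date.now()) {
    if (!this.enable) return true;
    const s = this.state.get(username);
    return !s || now >= s.lockedUntil;
  }

  // Record the outcome of an attempt; a success clears the failure counter.
  record(username, success, now = Date.now()) {
    if (!this.enable) return;
    if (success) { this.state.delete(username); return; }
    const s = this.state.get(username) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    s.lockedUntil = now + this.lockoutMs(s.failures);
    this.state.set(username, s);
  }
}

// Usage: three wrong passwords lock 'alice' (a constructed user) for one
// minute; each further failure doubles the lock-out, up to a day.
function demo() {
  const t = new LoginThrottle({ threshold: 3 });
  const now = 0;
  for (let i = 0; i < 3; i++) t.record('alice', false, now);
  const lockedAfterThree = !t.canAttempt('alice', now);
  const openAfterMinute = t.canAttempt('alice', now + BASE_LOCK_MS);
  return { lockedAfterThree, openAfterMinute };
}
```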