LDAP (Install-Time Configuration)

What's planned

When Phase 4 ships, the install script will accept LDAP parameters in install.conf:

LDAP_ENABLED=true
LDAP_URL=ldaps://ldap.your-domain.com:636
LDAP_BIND_DN=cn=honeyframe,ou=service-accounts,dc=your-domain,dc=com
LDAP_BIND_PASSWORD=<redacted>
LDAP_USER_SEARCH_BASE=ou=users,dc=your-domain,dc=com
LDAP_USER_SEARCH_FILTER=(uid={username})
LDAP_GROUP_SEARCH_BASE=ou=groups,dc=your-domain,dc=com
LDAP_GROUP_SEARCH_FILTER=(member={user_dn})
LDAP_GROUP_NAME_ATTR=cn
LDAP_USE_STARTTLS=false
LDAP_CA_BUNDLE=/etc/ssl/certs/your-ldap-ca.crt

The runtime sync of LDAP groups → Honeyframe groups (hubstudio.groups) is documented in Security → LDAP Configuration. Install-time config only sets the connection parameters.

Preparing your directory

You can do the directory-side prep work today so the install is a one-step config flip when Phase 4 ships:

  1. Create a service account with read access to the user and group OUs you intend to expose to Honeyframe. Avoid sharing this account with other applications — rotation is easier when each consumer has its own.
  2. Decide on a group naming convention that maps cleanly to Honeyframe groups. Honeyframe groups are flat — there is no nesting — so plan one LDAP group per Honeyframe group.
  3. Allocate a UID attribute the platform will treat as the canonical username. The default planned filter is (uid={username}); if your directory uses sAMAccountName or mail, plan to override LDAP_USER_SEARCH_FILTER.
  4. Provision a CA bundle if your LDAP server uses an internal CA. The platform will not bypass certificate verification by default.
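As an added example (not part of the Honeyframe install script, whose Phase 4 behaviour is not yet published), the snippet below reads the planned install.conf keys, flags a plaintext ldap:// URL without STARTTLS or a filter with no {username} placeholder, and fills the {username} and {user_dn} placeholders with RFC 4515 escaping so a login name or DN containing `(`, `)`, `*` or `\` cannot change the filter's structure. The key names and default filters are taken from this page; the validation rules, function names and the sample conf text are assumptions.

```python
# Constructed sample of the planned install.conf keys (not the project's own file).
SAMPLE_CONF = """\
LDAP_ENABLED=true
LDAP_URL=ldaps://ldap.your-domain.com:636
LDAP_BIND_DN=cn=honeyframe,ou=service-accounts,dc=your-domain,dc=com
LDAP_BIND_PASSWORD=<redacted>
LDAP_USER_SEARCH_BASE=ou=users,dc=your-domain,dc=com
LDAP_USER_SEARCH_FILTER=(uid={username})
LDAP_GROUP_SEARCH_FILTER=(member={user_dn})
LDAP_USE_STARTTLS=false
"""
REQUIRED = ("LDAP_URL", "LDAP_BIND_DN", "LDAP_BIND_PASSWORD",
            "LDAP_USER_SEARCH_BASE", "LDAP_USER_SEARCH_FILTER")

def parse_conf(text):
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def validate_conf(conf):
    """Return a list of problems; an empty list means the LDAP block is acceptable (assumed rules)."""
    if conf.get("LDAP_ENABLED", "false").lower() != "true":
        return []
    problems = [f"{k} is missing" for k in REQUIRED if not conf.get(k)]
    url = conf.get("LDAP_URL", "")
    starttls = conf.get("LDAP_USE_STARTTLS", "false").lower() == "true"
    if not url.startswith("ldaps://") and not starttls:
        problems.append("LDAP_URL is plaintext ldap:// and LDAP_USE_STARTTLS is false")
    if "{username}" not in conf.get("LDAP_USER_SEARCH_FILTER", ""):
        problems.append("LDAP_USER_SEARCH_FILTER has no {username} placeholder")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping: a login name or DN can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def render_user_filter(conf, username):
    """Fill {username} in LDAP_USER_SEARCH_FILTER with the escaped login name."""
    return conf["LDAP_USER_SEARCH_FILTER"].replace("{username}", escape_filter_value(username))

def render_group_filter(conf, user_dn):
    """Fill {user_dn} in LDAP_GROUP_SEARCH_FILTER with the escaped user DN."""
    return conf["LDAP_GROUP_SEARCH_FILTER"].replace("{user_dn}", escape_filter_value(user_dn))
```

The same escaping applies when you override the filter for sAMAccountName or mail: only the placeholder value is escaped, the template itself is trusted operator input.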

Until LDAP ships

For now, manage users directly in the platform:

  • Superadmins are created by the install script and via the users API.
  • Group membership is administered through the Groups Management page (Platform UI) or the /api/groups endpoint.
  • For SSO, use the Google Identity integration documented under Authentication in the Developer property — it's the only third-party identity provider currently wired.

Migration path (when Phase 4 ships)

The plan is for LDAP to augment the local user table, not replace it. On first LDAP login, Honeyframe will:

  1. Look up the user in hubstudio.users by username.
  2. If absent, create a row with auth_source='ldap' and link to the directory user via external_id.
  3. Sync group memberships by mapping LDAP groups to hubstudio.groups rows.

Existing local users will keep working. Mixing local and LDAP users in the same organization is supported.