Setting Up User Authentication

Flix provides three ways to authenticate users: LDAP (Lightweight Directory Access Protocol), OAuth and Creating Users in the Management Console.

Note:  The first time the Flix Server is run, it automatically creates an admin user with the username and password both set to admin, which you can use to log in to Flix for the first time. It is recommended that you change the default password after the first login. If the admin user login details are lost, you can reset the admin account username and password back to admin using the -reset-admin flag.

LDAP (Lightweight Directory Access Protocol)

LDAP/AD (Active Directory) Authentication allows Flix users to log in using their LDAP/AD credentials. The first time a user logs in, Flix obtains the names of the groups they belong to in LDAP/AD and associates those groups with the user in Flix. This allows Flix administrators to add permissions in Flix based on which groups a user belongs to in LDAP/AD.

Article:  For more information on setting up LDAP and for troubleshooting tips, please refer to Knowledge Base article Q100563.

Flix reads all configuration options, including LDAP authentication, from a config.yml file, stored in the same directory as the Flix Server install by default. See Installing Flix Server for more information. For guidance on formatting, please refer to the example at the end of this section.

The following config.yml attributes are available:

use_ldap (optional) - This turns on or off the LDAP authentication method for this server. Values: true or false.

base - The base dn is the point from where a server searches for users in your LDAP/AD. You must supply at least the Domain Component (DC).

host - The hostname or IP address of your LDAP/AD server.

port (optional) - The port number to be used when connecting to the LDAP/AD server.

use_ssl (optional) - This indicates whether or not to use SSL/TLS when connecting to your LDAP/AD server. Values: true or false.

bind_user (optional) - This is an account that binds to the LDAP server and performs user and group searches. It can be a read-only account. Make sure the bind user you want to use has permissions to search through the desired paths. The value of this setting can be in one of the following formats:

username
cn=username,dc=domain,dc=com
username@domain

bind_pass (optional) - The password for the name provided in bind_user. If you don't use bind_user, or if it does not require a password, you don't need to set this.

self_auth (optional) - If this is set, bind_user and bind_pass are ignored. Instead, Flix attempts to use the username and password from the user logging in to bind.

User Search

dn (optional) - The DN from which to start the search. If this value is not set, the 'base' is used.

filter (optional) - Filter to apply when searching the directory. Specify the objectClass for your users. The default value is: '(objectClass=organizationalPerson)'

user_attr - The attribute to match the username against during authentication. On most AD servers, the default setting is 'sAMAccountName'.

name_attr (optional) - The attribute used to return the user's full name. On most AD servers, the default setting is 'displayName'.

email_attr - Defines a custom attribute from which the user email address is retrieved, other than the default 'mail' attribute. This might be useful in cases when the mail field is used for personal email addresses and the cn field for company email addresses.

Note:  It is not currently possible to specify which users/groups should be notified upon Editorial publishes. However, the email_attr option does make it possible to retrieve a different mail attribute for users, which can remain blank in LDAP for those who don’t wish to receive notifications for Editorial publishes.

Group Search

dn (optional) - The DN from which to start the search. If this value is not set, the 'base' is used.

filter (optional) - Filter to apply when searching the directory. The default value is empty.

user_attr - The name of the attribute from the user search which can be found in a group attribute such as 'member'. Common values are 'distinguishedName', 'uid', 'sAMAccountName'.

group_attr - The group attribute that has the same value as the user attribute set above. On most AD servers the default setting is 'member'.

name_attr (optional) - The name of the group. On most AD servers the default setting is either 'name', 'cn' or even 'description'.

group_prefix (optional) - Only groups that start with this string will be added to Flix when a user logs in.

group_suffix (optional) - Only groups that end with this string will be added to Flix when a user logs in.

Example of an LDAP subsection in a Flix config file:

Note:  This example is for illustration purposes. The entry preceding the ':' is a key that Flix reads, which needs to be named as in the example, but the entry following the ':' follows the exact naming of the attribute name in your AD.

ldap:
  use_ldap: true
  base: dc=flix,dc=ad
  host: 10.10.10.10
  port: 385
  use_ssl: false
  self_auth: false
  bind_user: CN=Flix,OU=Flix-Users,DC=flix,DC=ad
  bind_pass: PASSWORD
  user_search:
    dn: OU=Flix-Users,DC=flix,DC=ad
    filter: (objectClass=organizationalPerson)
    user_attr: sAMAccountName
    name_attr: displayName
    email_attr: description
  group_search:
    dn: OU=Groups,DC=flix,DC=ad
    filter: (objectClass=group)
    user_attr: distinguishedName
    name_attr: name
    group_attr: member
    group_prefix: flix-
    group_suffix: -flix
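
The following added example (not Flix code) models how the group_search settings above decide which directory groups get associated with a user at login. The directory entries are constructed, and it is an assumption that group_prefix and group_suffix must both match when both are set and that attribute values compare case-insensitively.

```python
# Constructed data; attribute names and values follow the example config above.
GROUP_SEARCH = {"user_attr": "distinguishedName", "group_attr": "member",
                "name_attr": "name", "group_prefix": "flix-", "group_suffix": "-flix"}
JANE = "CN=Jane Doe,OU=Flix-Users,DC=flix,DC=ad"
USER_ENTRY = {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
              "distinguishedName": JANE}
GROUP_ENTRIES = [
    {"name": "flix-editorial-flix", "member": [JANE]},
    {"name": "flix-admins", "member": [JANE]},      # prefix matches, suffix does not
    {"name": "Domain Admins", "member": [JANE]},    # neither prefix nor suffix
    {"name": "flix-story-flix",                     # user is not a member
     "member": ["CN=Sam Lee,OU=Flix-Users,DC=flix,DC=ad"]},
]


def resolve_groups(user_entry, group_entries, cfg):
    """Model of the group lookup: names of groups that would be linked to the user."""
    link = user_entry.get(cfg["user_attr"])
    if not link:
        return []  # the user entry lacks the linking attribute, so nothing matches
    prefix = cfg.get("group_prefix") or ""
    suffix = cfg.get("group_suffix") or ""
    matched = []
    for group in group_entries:
        members = group.get(cfg["group_attr"]) or []
        if isinstance(members, str):
            members = [members]  # single-valued attribute
        # Assumption: values compare case-insensitively, as DNs do in AD.
        if link.lower() not in {m.lower() for m in members}:
            continue
        name = group.get(cfg["name_attr"])
        if name and name.startswith(prefix) and name.endswith(suffix):
            matched.append(name)
    return matched


if __name__ == "__main__":
    print(resolve_groups(USER_ENTRY, GROUP_ENTRIES, GROUP_SEARCH))
    # Without a prefix/suffix, every group the user belongs to is imported.
    unfiltered = dict(GROUP_SEARCH, group_prefix="", group_suffix="")
    print(resolve_groups(USER_ENTRY, GROUP_ENTRIES, unfiltered))
```

With the prefix and suffix cleared, unrelated directory groups such as the constructed 'Domain Admins' entry would also appear in Flix, which is why scoping the import to a naming convention keeps permission assignment reviewable.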

OAuth

The OAuth configuration allows users to log in to Flix using their credentials provided by an OAuth service. Using the example below, configure your Flix server config file to use OAuth. Once the configuration is enabled, restart your Flix Server, and users should now be able to log in using the Sign In with Google button.

use_oauth - This determines whether to use OAuth authentication or not.

username - This determines whether artists are authenticated by 'username' or 'email' address and is used to create their Flix username. Setting the username parameter to email forces Flix to create unique usernames.

Note:  If the username parameter is blank, misspelled, or omitted, authentication defaults to 'username'.

domain - This specifies the domain name for your OAuth provided credentials.

providers - This specifies the OAuth provider.

Example of OAuth:

oauth:
  use_oauth: true
  username: email
  domain: my_domain.com
  providers:
    - Google

Warning:  Please be certain not to have LDAP and OAuth both enabled.

OAuth doesn't currently obtain the user groups from Google like it does for LDAP, so group management for project access needs to be done using Flix's built-in Group Management.

Warning:  OAuth is not supported when using HTTPS. Due to the design of OAuth, it requires making an HTTP callback to the Flix Server. With HTTPS enabled, this callback would also need to be made via HTTPS; however, without external access to your certificate authority, this request would fail. Currently, this limitation prevents OAuth and HTTPS from being used at the same time.

Note:  Currently the only OAuth provider supported is Google.
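
The following added example (not part of Flix) audits the ldap and oauth sections described on this page once config.yml has been parsed into a dictionary. The function name, the list of keys treated as required (those not marked optional above) and the file-permission check are assumptions of this example; the sample is built from the two example configs on this page.

```python
REQUIRED_LDAP = ("base", "host", "user_search.user_attr",
                 "group_search.user_attr", "group_search.group_attr")


def lookup(section, dotted):
    """Follow a dotted key path through nested dicts; None if any part is missing."""
    node = section
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def audit_flix_auth(config, file_mode=None):
    """Return findings for a parsed config; file_mode is the st_mode of config.yml."""
    findings = []
    ldap = config.get("ldap") or {}
    oauth = config.get("oauth") or {}
    ldap_on = ldap.get("use_ldap") is True
    oauth_on = oauth.get("use_oauth") is True
    if ldap_on and oauth_on:
        findings.append("ldap and oauth are both enabled")
    if ldap_on:
        for path in REQUIRED_LDAP:
            if lookup(ldap, path) in (None, ""):
                findings.append(f"ldap.{path} is not set")
        if not ldap.get("use_ssl"):
            findings.append("ldap.use_ssl is false: bind and login passwords cross the network without TLS")
        if ldap.get("self_auth") and ldap.get("bind_user"):
            findings.append("ldap.self_auth is set, so bind_user and bind_pass are ignored")
        if ldap.get("bind_pass") and file_mode is not None and file_mode & 0o077:
            findings.append("ldap.bind_pass sits in a file readable by group or other users")
    if oauth_on and oauth.get("username") not in ("username", "email"):
        findings.append("oauth.username is not 'username' or 'email': Flix defaults to 'username'")
    return findings


# Constructed sample: the page's LDAP and OAuth examples combined into one config.
SAMPLE = {
    "ldap": {"use_ldap": True, "base": "dc=flix,dc=ad", "host": "10.10.10.10",
             "use_ssl": False, "self_auth": False, "bind_pass": "PASSWORD",
             "bind_user": "CN=Flix,OU=Flix-Users,DC=flix,DC=ad",
             "user_search": {"user_attr": "sAMAccountName"},
             "group_search": {"user_attr": "distinguishedName", "group_attr": "member"}},
    "oauth": {"use_oauth": True, "username": "email", "domain": "my_domain.com",
              "providers": ["Google"]},
}

if __name__ == "__main__":
    for finding in audit_flix_auth(SAMPLE, file_mode=0o644):
        print("-", finding)
```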

Creating Users in the Management Console

Creating a User Account

As an administrator using the Flix User Management system you can create user accounts and assign them to specific groups. Only admin users can create or edit users and groups.

To create a user account:

1.   Navigate to File > Management Console.
2.   In the User Management tab, in the Create user section, fill in the User name, Email address, Password, Confirm password and Groups fields.

Note:  To create a group, see Creating, Editing and Deleting a User Group.

3.   Select whether you want to give the user an Admin status.

The toggle turns green to indicate the admin permissions.

4.   Click Create.

The new user account is added to the User Management table.

Editing and Deleting User Accounts

To make modifications to existing user accounts:

1.   Navigate to File > Management Console.
2.   In the User Management tab, select the user account in the table.

The selected user account is highlighted in yellow. To deselect it, click it again.

3.   To edit a user's details, enter changes directly into the Edit user section.

The Edit button turns green to show that it has become active.

Note:  Only Admin users can edit user details or make accounts Admin accounts.

4.   Click the Edit button to confirm the changes.

The user account is updated with your edits.

To delete a user account:

1.   Navigate to File > Management Console.
2.   In the User Management tab, select the user account in the table.

The selected user account is highlighted in yellow.

3.   In the Edit user section, click the Trash button.

The user account is deleted.

Creating, Editing and Deleting a User Group

You can use groups to allow users to access certain shows.

1.   Navigate to File > Management Console.
2.   In the Group Management tab, in the Create Group section, fill in the Group Title field and click Create.

To edit a user group:

1.   Select the group in the table.

The selected group is highlighted in yellow. To deselect a group click it again.

2.   Edit its Title in the Edit Group section.
3.   Click Edit.

The group is updated.

To delete a user group, select the group in the table and click the Trash button.