auth-ldap-groups.rst
.. _config-ldap-groups-ref:

LDAP/AD With User Groups Sync
-----------------------------

**This plugin is available only in EE Edition.**

|RCE| supports LDAP (Lightweight Directory Access Protocol) or
AD (Active Directory) authentication.
All LDAP versions are currently supported.

RhodeCode reads all data defined in the plugin and creates the corresponding
accounts in the local database after receiving data from LDAP. This is done on
every user log-in, including operations like pushing/pulling/checkout.
In addition, group membership is read from LDAP and the following operations are done:

- automatic addition of the user to the corresponding |RCE| user groups
- automatic removal of the user from any other |RCE| user groups not specified in LDAP.
  The removal is done *only* on groups that are marked to be synced from LDAP.
  This setting can be changed in the advanced settings of user groups
- automatic creation of user groups if they don't yet exist in |RCE|
- marking the user as super-admin if they are a member of any admin group defined in the plugin settings

.. important::

   The email used with your |RCE| super-admin account needs to match the email
   address attached to your admin profile in LDAP. This is because
   within |RCE| the user email needs to be unique, and multiple users
   cannot share an email account.
   Likewise, if as an admin you also have a user account, the email address
   attached to the user account needs to be different.
LDAP Configuration Steps
^^^^^^^^^^^^^^^^^^^^^^^^

To configure |LDAP|, use the following steps:

1. From the |RCE| interface, select
   :menuselection:`Admin --> Authentication`
2. Activate the `LDAP + User Groups` plugin and select :guilabel:`Save`
3. Go to the newly available menu option called `LDAP + User Groups` on the left side.
4. Check the `enabled` check box in the plugin configuration section,
   fill in the required LDAP information and select :guilabel:`Save`. For more details,
   see :ref:`config-ldap-groups-examples`

For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`.
.. _config-ldap-groups-examples:

Example LDAP configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^

Below is an example setup that can be used with Active Directory and an LDAP server with group sync::

    *option*: `enabled` => `True`
    # Enable or disable this authentication plugin.

    *option*: `cache_ttl` => `360`
    # Amount of seconds to cache the authentication and permissions check response call for this plugin.
    # Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).

    *option*: `host` => `192.168.245.143,192.168.1.240`
    # Host[s] of the LDAP Server
    # (e.g., 192.168.2.154, or ldap-server.domain.com).
    # Multiple servers can be specified using commas.

    *option*: `port` => `389`
    # Custom port that the LDAP server is listening on. Default value is: 389, use 689 for LDAPS(SSL)

    *option*: `timeout` => `300`
    # Timeout for LDAP connection

    *option*: `dn_user` => `Administrator@rhodecode.com`
    # Optional user DN/account to connect to LDAP if authentication is required.
    # e.g., cn=admin,dc=mydomain,dc=com, or uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com

    *option*: `dn_pass` => `SomeSecret`
    # Password to authenticate for the given user DN.

    *option*: `tls_kind` => `PLAIN`
    # TLS Type

    *option*: `tls_reqcert` => `NEVER`
    # Require Cert over TLS? Self-signed and custom certificates can be used when
    # `RhodeCode Certificate` found in admin > settings > system info page is extended.

    *option*: `tls_cert_file` => ``
    # This specifies the PEM-format file path containing certificates for use in the TLS connection.
    # If not specified, `TLS Cert dir` will be used.

    *option*: `tls_cert_dir` => `/etc/openldap/cacerts`
    # This specifies the path of a directory that contains individual CA certificates in separate files.

    *option*: `base_dn` => `dc=rhodecode,dc=com`
    # Base DN to search. Dynamic bind is supported. Add the `$login` marker in it to be replaced with the current user credentials
    # (e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)

    *option*: `user_search_base` => `ou=RC-Users`
    # User search base will extend the Base DN
    # (e.g., ou=Users will result in ou=Users,dc=mydomain,dc=com root DN)

    *option*: `user_search_filter` => ``
    # Filter to narrow results
    # (e.g., (&(objectCategory=Person)(objectClass=user)), or
    # (memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com))

    *option*: `search_scope` => `SUBTREE`
    # How deep to search LDAP. If unsure, set to SUBTREE

    *option*: `attr_login` => `sAMAccountName`
    # LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)

    *option*: `attr_email` => `mail`
    # LDAP Attribute to map to email address (e.g., mail).
    # Emails are a crucial part of RhodeCode.
    # If possible, add a valid email attribute to LDAP users.

    *option*: `attr_firstname` => `givenName`
    # LDAP Attribute to map to first name (e.g., givenName)

    *option*: `attr_lastname` => `sn`
    # LDAP Attribute to map to last name (e.g., sn)

    *option*: `group_extraction_type` => `rfc2307bis`
    # With rfc2307, group members are listed by name in the memberUid attribute.
    # With rfc2307bis (Microsoft AD compatible), group members are listed by DN and stored in the member attribute.

    *option*: `group_search_base` => `ou=RC-Groups`
    # Group search base will extend the Base DN (e.g., ou=Groups will result in ou=Groups,dc=mydomain,dc=com)

    *option*: `group_name_attr` => `sAMAccountName`
    # LDAP Attribute to map to group name (e.g., cn, or sAMAccountName)

    *option*: `user_member_of` => `memberOf`
    # User attribute used to fetch the group membership.
    # Use if users have their group membership stored inside their own attributes
    # (e.g., memberOf, or userMemberOf)

    *option*: `group_search_filter` => ``
    # Filter to narrow results (e.g., (&(objectCategory=Group)(objectClass=group)), etc.)

    *option*: `group_member_of` => `memberOf`
    # LDAP Attribute used to resolve the parent group (e.g., memberOf)

    *option*: `admin_groups` => `Admins,Management`
    # A comma separated list of group names that identify users as RhodeCode Administrators (e.g., admins)

    *option*: `admin_groups_sync` => `full`
    # Way to sync Admin groups.
    # Full means the admin flag is set to on or off according to membership in the administrator groups defined above.
    # On-only means the flag is only set to on, and not turned off once the user is no longer a member.

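The group-sync behaviour those options describe, modelled as an added example that is not RhodeCode's own code: a constructed in-memory directory (hypothetical users and groups) is read through both the `group_extraction_type` path and the `user_member_of` path, and the add/remove/create and admin-flag decisions are computed for one login. The function names, the `sync_from_ldap` flag on local groups and all directory data are assumptions.

```python
from typing import Dict, List, Set

# Constructed directory snapshot (hypothetical data, not a real server).
# Each group carries both rfc2307 (memberUid) and rfc2307bis (member) attributes.
LDAP_GROUPS: List[dict] = [
    {"dn": "cn=Developers,ou=RC-Groups,dc=rhodecode,dc=com", "sAMAccountName": "Developers",
     "member": ["cn=alice,ou=RC-Users,dc=rhodecode,dc=com"], "memberUid": ["alice"]},
    {"dn": "cn=Admins,ou=RC-Groups,dc=rhodecode,dc=com", "sAMAccountName": "Admins",
     "member": ["cn=alice,ou=RC-Users,dc=rhodecode,dc=com"], "memberUid": ["alice"]},
    {"dn": "cn=QA,ou=RC-Groups,dc=rhodecode,dc=com", "sAMAccountName": "QA",
     "member": [], "memberUid": []},
]
ALICE = {"dn": "cn=alice,ou=RC-Users,dc=rhodecode,dc=com", "sAMAccountName": "alice",
         "memberOf": ["cn=Developers,ou=RC-Groups,dc=rhodecode,dc=com",
                      "cn=Admins,ou=RC-Groups,dc=rhodecode,dc=com"]}


def groups_by_extraction(user: dict, extraction_type: str) -> Set[str]:
    """Group names (group_name_attr=sAMAccountName) found by scanning group entries:
    rfc2307 matches the login in memberUid, rfc2307bis matches the user DN in member."""
    attr, key = (("memberUid", user["sAMAccountName"]) if extraction_type == "rfc2307"
                 else ("member", user["dn"]))
    return {g["sAMAccountName"] for g in LDAP_GROUPS if key in g.get(attr, [])}


def groups_by_member_of(user: dict) -> Set[str]:
    """user_member_of=memberOf path: resolve each DN on the user entry to a group name."""
    by_dn = {g["dn"]: g["sAMAccountName"] for g in LDAP_GROUPS}
    return {by_dn[dn] for dn in user.get("memberOf", []) if dn in by_dn}


def plan_sync(login: str, ldap_groups: Set[str], local_groups: Dict[str, dict],
              admin_groups: List[str], admin_sync: str, is_admin: bool) -> dict:
    """Operations applied after login. local_groups maps a RhodeCode group name to
    {"members": set, "sync_from_ldap": bool} (the 'advanced settings' flag, assumed name)."""
    create = {g for g in ldap_groups if g not in local_groups}
    add = {g for g in ldap_groups
           if login not in local_groups.get(g, {"members": set()})["members"]}
    # Removal touches only groups marked to be synced from LDAP; manual groups are untouched.
    remove = {g for g, info in local_groups.items()
              if login in info["members"] and info["sync_from_ldap"] and g not in ldap_groups}
    in_admin_group = bool(ldap_groups & set(admin_groups))
    # "full": flag follows membership; "on-only": flag is switched on but never cleared here.
    admin = in_admin_group if admin_sync == "full" else (is_admin or in_admin_group)
    return {"create": create, "add": add, "remove": remove, "admin": admin}
```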
.. toctree::

   ldap-active-directory
   ldap-authentication