##// END OF EJS Templates
merged default branch into stable
merged default branch into stable

File last commit:

r3290:ac4e4e5a default
r5342:5c131067 merge stable
Show More
ldap-authentication.rst
106 lines | 4.2 KiB | text/x-rst | RstLexer
/ docs / auth / ldap-authentication.rst
project: added all source files and assets
r1 .. _ldap-gloss-ref:
|LDAP| Glossary
---------------
This topic aims to give you a concise overview of the different settings and
requirements that enabling |LDAP| on |RCE| requires.
Required settings
^^^^^^^^^^^^^^^^^
The following LDAP attributes are required when enabling |LDAP| on |RCE|.
* **Hostname** or **IP Address**: Use a comma separated list for failover
support.
* **First Name**
* **Surname**
* **Email**
* **Port**: Port `389` for unencrypted LDAP or port `636` for SSL-encrypted
LDAP (LDAPS).
* **Base DN (Distinguished Name)**: The Distinguished Name (DN)
is how searches for users will be performed, and these searches can be
controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of
relative distinguished names (RDN) connected by commas. For example,
.. code-block:: vim
DN: cn='Monty Python',ou='people',dc='example',dc='com'
* **Connection security level**: The following are the valid types:
* *No encryption*: This connection type uses a plain non-encrypted connection.
* *LDAPS connection*: This connection type uses end-to-end SSL. To enable
an LDAPS connection you must set the following requirements:
* You must specify port `636`
* Certificate checks are required.
* To enable ``START_TLS`` on LDAP connection, set the path to the SSL
certificate in the default LDAP configuration file. The default
`ldap.conf` file is located in `/etc/openldap/ldap.conf`.
.. code-block:: vim
TLS_CACERT /etc/ssl/certs/ca.crt
* The LDAP username or account used to connect to |RCE|. This will be added
to the LDAP filter for locating the user object.
* For example, if an LDAP filter is specified as `LDAPFILTER`,
docs: added SAML documentation....
r3290 the login/username attribute is specified as `uid`, and the user connects as
project: added all source files and assets
r1 `jsmith`, then the LDAP Filter will be like the following example.
.. code-block:: vim
(&(LDAPFILTER)(uid=jsmith))
* The LDAP search scope must be set. This limits how far LDAP will search for
a matching object.
* ``BASE`` Only allows searching of the Base DN.
* ``ONELEVEL`` Searches all entries under the Base DN,
but not the Base DN itself.
* ``SUBTREE`` Searches all entries below the Base DN, but not Base DN itself.
.. note::
When using ``SUBTREE`` LDAP filtering it is useful to limit object location.
Optional settings
^^^^^^^^^^^^^^^^^
docs: added SAML documentation....
r3290 The following are optional when enabling LDAP on |RCE|
project: added all source files and assets
r1
* An LDAP account is only required if the LDAP server does not allow
anonymous browsing of records.
* An LDAP password is only required if the LDAP server does not allow
anonymous browsing of records
* Using an LDAP filter is optional. An LDAP filter defined by `RFC 2254`_. This
is more useful that the LDAP Search Scope if set to `SUBTREE`. The filter
is useful for limiting which LDAP objects are identified as representing
Users for authentication. The filter is augmented by Login Attribute
below. This can commonly be left blank.
* Certificate Checks are only required if you need to use LDAPS.
You can use the following levels of LDAP service with RhodeCode Enterprise:
* **NEVER** : A serve certificate will never be requested or checked.
* **ALLOW** : A server certificate is requested. Failure to provide a
certificate or providing a bad certificate will not terminate the session.
* **TRY** : A server certificate is requested. Failure to provide a
certificate does not halt the session; providing a bad certificate
halts the session.
* **DEMAND** : A server certificate is requested and must be provided
and authenticated for the session to proceed.
* **HARD** : The same as DEMAND.
.. note::
Only **DEMAND** or **HARD** offer full SSL security while the other
options are vulnerable to man-in-the-middle attacks.
|RCE| uses ``OPENLDAP`` libraries. This allows **DEMAND** or
**HARD** LDAPS connections to use self-signed certificates or
certificates that do not have traceable certificates of authority.
To enable this functionality install the SSL certificates in the
following directory: `/etc/openldap/cacerts`
.. _RFC 2254: http://www.rfc-base.org/rfc-2254.html