.. _config-ldap-groups-ref:

LDAP/AD With User Groups Sync
-----------------------------

**This plugin is available only in EE Edition.**

|RCE| supports LDAP (Lightweight Directory Access Protocol) or
AD (Active Directory) authentication.
All LDAP versions are currently supported.

RhodeCode reads all data defined in the plugin and creates the corresponding
accounts in the local database after receiving the data from LDAP. This is done on
every user log-in, including operations like pushing, pulling and checkout.
In addition, group membership is read from LDAP and the following operations are done:

- automatic addition of the user to |RCE| user groups
- automatic removal of the user from any other |RCE| user groups not specified in LDAP.
  The removal is done *only* on groups that are marked to be synced from LDAP.
  This setting can be changed in the advanced settings of a user group
- automatic creation of user groups if they do not yet exist in |RCE|
- marking the user as super-admin if they are a member of any admin group defined in the plugin settings
.. important::

   The email used with your |RCE| super-admin account needs to match the email
   address attached to your admin profile in LDAP. This is because
   within |RCE| the user email needs to be unique, and multiple users
   cannot share an email account.
   Likewise, if as an admin you also have a user account, the email address
   attached to the user account needs to be different.

LDAP Configuration Steps
^^^^^^^^^^^^^^^^^^^^^^^^

To configure |LDAP|, use the following steps:

1. From the |RCE| interface, select
   :menuselection:`Admin --> Authentication`
2. Activate the `LDAP + User Groups` plugin and select :guilabel:`Save`
3. Go to the newly available menu option called `LDAP + User Groups` on the left side.
4. Check the `enabled` check box in the plugin configuration section,
   fill in the required LDAP information and select :guilabel:`Save`. For more details,
   see :ref:`config-ldap-groups-examples`

For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`.

.. _config-ldap-groups-examples:

Example LDAP configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^

Below is an example setup that can be used with Active Directory or an LDAP server with group sync::

    *option*: `enabled` => `True`
    # Enable or disable this authentication plugin.

    *option*: `cache_ttl` => `360`
    # Amount of seconds to cache the authentication and permissions check response call for this plugin.
    # Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).

    *option*: `host` => `192.168.245.143,192.168.1.240`
    # Host[s] of the LDAP Server
    # (e.g., 192.168.2.154, or ldap-server.domain.com).
    # Multiple servers can be specified using commas

    *option*: `port` => `389`
    # Custom port that the LDAP server is listening on. Default value is: 389, use 636 for LDAPS (SSL)

    *option*: `timeout` => `300`
    # Timeout for LDAP connection

    *option*: `dn_user` => `Administrator@rhodecode.com`
    # Optional user DN/account to connect to LDAP if authentication is required.
    # e.g., cn=admin,dc=mydomain,dc=com, or uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com

    *option*: `dn_pass` => `SomeSecret`
    # Password to authenticate for given user DN.

    *option*: `tls_kind` => `PLAIN`
    # TLS Type

    *option*: `tls_reqcert` => `NEVER`
    # Require a valid server certificate over TLS? (NEVER skips certificate verification.)
    # Self-signed and custom certificates can be used when the
    # `RhodeCode Certificate` found in admin > settings > system info page is extended.

    *option*: `tls_cert_file` => ``
    # This specifies the PEM-format file path containing certificates for use in the TLS connection.
    # If not specified `TLS Cert dir` will be used

    *option*: `tls_cert_dir` => `/etc/openldap/cacerts`
    # This specifies the path of a directory that contains individual CA certificates in separate files.

    *option*: `base_dn` => `dc=rhodecode,dc=com`
    # Base DN to search. Dynamic bind is supported. Add the `$login` marker in it to be replaced with the current user credentials
    # (e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)

    *option*: `user_search_base` => `ou=RC-Users`
    # User search base will extend the Base DN
    # (e.g., ou=Users will result in ou=Users,dc=mydomain,dc=com root DN)

    *option*: `user_search_filter` => ``
    # Filter to narrow results
    # (e.g., (&(objectCategory=Person)(objectClass=user)), or
    # (memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com))

    *option*: `search_scope` => `SUBTREE`
    # How deep to search LDAP. If unsure set to SUBTREE

    *option*: `attr_login` => `sAMAccountName`
    # LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)

    *option*: `attr_email` => `mail`
    # LDAP Attribute to map to email address (e.g., mail).
    # Emails are a crucial part of RhodeCode.
    # If possible add a valid email attribute to LDAP users.

    *option*: `attr_firstname` => `givenName`
    # LDAP Attribute to map to first name (e.g., givenName)

    *option*: `attr_lastname` => `sn`
    # LDAP Attribute to map to last name (e.g., sn)

    *option*: `group_extraction_type` => `rfc2307bis`
    # With rfc2307, group members are listed by name in the memberUid attribute
    # With rfc2307bis (Microsoft AD compatible) group members are listed by DN and stored in the member attribute

    *option*: `group_search_base` => `ou=RC-Groups`
    # Group search base will extend the Base DN (e.g. ou=Groups will result in ou=Groups,dc=mydomain,dc=com)

    *option*: `group_name_attr` => `sAMAccountName`
    # LDAP Attribute to map to group name (e.g., cn, or sAMAccountName)

    *option*: `user_member_of` => `memberOf`
    # Users Attribute used to fetch the group membership.
    # Use if users have stored group membership inside their attributes
    # (e.g., memberOf, or userMemberOf)

    *option*: `group_search_filter` => ``
    # Filter to narrow results (e.g., (&(objectCategory=Group)(objectClass=group)), etc)

    *option*: `group_member_of` => `memberOf`
    # LDAP Attribute used to resolve the parent group (e.g., memberOf)

    *option*: `admin_groups` => `Admins,Management`
    # A comma separated list of group names that identify users as RhodeCode Administrators (e.g., admins)

    *option*: `admin_groups_sync` => `full`
    # Way to sync Admin groups.
    # Full means the admin flag is set to on or off according to membership in the administrator groups defined above.
    # On-only means the flag is only set to on, and not turned off once the user is no longer a member

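The following is an added example, not RhodeCode's own code: it models the group sync decisions described at the top of this page (add, remove only from LDAP-synced groups, create missing groups, set the super-admin flag) against the ``group_extraction_type``, ``group_name_attr``, ``admin_groups`` and ``admin_groups_sync`` options from the configuration above. The LDAP group entries, the user ``jdoe``, the local |RCE| state and the spellings ``"full"``/``"on-only"`` for the sync mode are constructed assumptions so the script runs offline without a directory server.

```python
"""Added example (not RhodeCode's own code): LDAP group sync decisions.

All directory data below is constructed; no LDAP server is contacted.
"""
from dataclasses import dataclass

BASE_DN = "dc=rhodecode,dc=com"
USER_LOGIN = "jdoe"                                  # assumed login
USER_DN = "cn=jdoe,ou=RC-Users," + BASE_DN           # assumed user DN

# rfc2307bis / AD style: members are stored as DNs in the `member` attribute.
GROUPS_RFC2307BIS = [
    {"dn": "cn=Developers,ou=RC-Groups," + BASE_DN,
     "sAMAccountName": ["Developers"], "member": [USER_DN]},
    {"dn": "cn=Admins,ou=RC-Groups," + BASE_DN,
     "sAMAccountName": ["Admins"], "member": []},
]
# rfc2307 style: members are listed by login in the `memberUid` attribute.
GROUPS_RFC2307 = [
    {"dn": "cn=Developers,ou=RC-Groups," + BASE_DN,
     "cn": ["Developers"], "memberUid": ["jdoe"]},
    {"dn": "cn=Admins,ou=RC-Groups," + BASE_DN,
     "cn": ["Admins"], "memberUid": ["jdoe"]},
]


def ldap_groups_for_user(groups, login, user_dn, extraction_type, group_name_attr):
    """Names of the LDAP groups containing the user, per extraction type."""
    if extraction_type == "rfc2307":
        member_attr, needle = "memberUid", login
    elif extraction_type == "rfc2307bis":
        member_attr, needle = "member", user_dn
    else:
        raise ValueError("unknown group_extraction_type: %r" % extraction_type)
    names = set()
    for group in groups:
        # DNs and logins are compared case-insensitively, as LDAP does.
        members = [m.lower() for m in group.get(member_attr, [])]
        if needle.lower() in members:
            names.add(group[group_name_attr][0])
    return frozenset(names)


@dataclass(frozen=True)
class LocalState:
    """What |RCE| currently knows (constructed for the example)."""
    user_groups: frozenset     # user groups the user is a member of
    synced_groups: frozenset   # user groups flagged "sync from LDAP"
    all_groups: frozenset      # every user group that exists locally
    is_admin: bool


@dataclass(frozen=True)
class SyncPlan:
    add: frozenset      # groups the user will be added to
    remove: frozenset   # groups the user will be removed from
    create: frozenset   # groups that must be created first
    is_admin: bool      # resulting super-admin flag


def plan_sync(state, ldap_groups, admin_groups, admin_groups_sync):
    """Compute the changes the sync rules on this page would apply."""
    add = ldap_groups - state.user_groups
    # Removal touches only groups marked as synced from LDAP; groups managed
    # by hand in |RCE| are left untouched.
    remove = (state.user_groups - ldap_groups) & state.synced_groups
    create = ldap_groups - state.all_groups
    in_admin_group = bool(ldap_groups & admin_groups)
    if admin_groups_sync == "full":          # flag follows membership both ways
        is_admin = in_admin_group
    elif admin_groups_sync == "on-only":     # flag is only ever switched on
        is_admin = state.is_admin or in_admin_group
    else:
        raise ValueError("unknown admin_groups_sync: %r" % admin_groups_sync)
    return SyncPlan(frozenset(add), frozenset(remove), frozenset(create), is_admin)


# Constructed local state: jdoe is in QA (LDAP-synced) and Legacy (manual),
# and was previously given the admin flag.
LOCAL = LocalState(
    user_groups=frozenset({"QA", "Legacy"}),
    synced_groups=frozenset({"QA"}),
    all_groups=frozenset({"QA", "Legacy", "Developers"}),
    is_admin=True,
)
ADMIN_GROUPS = frozenset({"Admins", "Management"})   # from `admin_groups` above


def run_example(extraction_type, admin_groups_sync="full"):
    """Run the sync for jdoe with the given option values."""
    if extraction_type == "rfc2307bis":
        groups, name_attr = GROUPS_RFC2307BIS, "sAMAccountName"
    else:
        groups, name_attr = GROUPS_RFC2307, "cn"
    ldap_groups = ldap_groups_for_user(groups, USER_LOGIN, USER_DN,
                                       extraction_type, name_attr)
    return plan_sync(LOCAL, ldap_groups, ADMIN_GROUPS, admin_groups_sync)


if __name__ == "__main__":
    for kind in ("rfc2307bis", "rfc2307"):
        print(kind, run_example(kind))
    print("on-only", run_example("rfc2307bis", "on-only"))
```

With ``rfc2307bis`` the user is only a member of ``Developers``: the plan adds that group, removes ``QA`` (synced from LDAP) but keeps ``Legacy`` (managed locally), and with ``full`` sync clears the admin flag because ``jdoe`` is in neither admin group; with ``on-only`` the flag stays set. The ``rfc2307`` directory also lists ``jdoe`` in ``Admins``, so the plan creates that missing group locally and turns the flag on.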
.. toctree::

   ldap-active-directory
   ldap-authentication