rhodecode-enterprise-ce Files · docs/auth/ldap-authentication.rst

auth: Fix password_changed function, fixes ....

auth: Fix password_changed function, fixes . Never repot a changed password for default or anonymous users. If anonymous access is disabled we don't get the default user here so we also have to check if it is the anonymous user. In both cases (default user and anonymous user) we can skip the password change check and return False.

marcink - - Load All Authors

File last commit:

r1:854a839a default


                r482:930b0a4d

default

Download file

             ldap-authentication.rst
        
                    106 lines
            
             | 4.2 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / auth / ldap-authentication.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
project: added all source files and assets

              r1
            
      .. _ldap-gloss-ref:

      |LDAP| Glossary

      ---------------

      This topic aims to give you a concise overview of the different settings and

      requirements that enabling |LDAP| on |RCE| requires.

      Required settings

      ^^^^^^^^^^^^^^^^^

      The following LDAP attributes are required when enabling |LDAP| on |RCE|.

      * **Hostname** or **IP Address**: Use a comma separated list for failover

        support.

      * **First Name**

      * **Surname**

      * **Email**

      * **Port**: Port `389` for unencrypted LDAP or port `636` for SSL-encrypted

        LDAP (LDAPS).

      * **Base DN (Distinguished Name)**: The Distinguished Name (DN)

        is how searches for users will be performed, and these searches can be

        controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of

        relative distinguished names (RDN) connected by commas. For example,

      .. code-block:: vim

          DN: cn='Monty Python',ou='people',dc='example',dc='com'

      * **Connection security level**: The following are the valid types:

        * *No encryption*: This connection type uses a plain non-encrypted connection.

        * *LDAPS connection*: This connection type uses end-to-end SSL. To enable

          an LDAPS connection you must set the following requirements:

            * You must specify port `636`

            * Certificate checks are required.

            * To enable ``START_TLS`` on LDAP connection, set the path to the SSL

              certificate in the default LDAP configuration file. The default

              `ldap.conf` file is located in `/etc/openldap/ldap.conf`.

      .. code-block:: vim

         TLS_CACERT	/etc/ssl/certs/ca.crt

      * The LDAP username or account used to connect to |RCE|. This will be added

        to the LDAP filter for locating the user object.

      * For example, if an LDAP filter is specified as `LDAPFILTER`,

        the login attribute is specified as `uid`, and the user connects as

        `jsmith`, then the LDAP Filter will be like the following example.

      .. code-block:: vim

         (&(LDAPFILTER)(uid=jsmith))

      * The LDAP search scope must be set. This limits how far LDAP will search for

        a matching object.

        * ``BASE`` Only allows searching of the Base DN.

        * ``ONELEVEL`` Searches all entries under the Base DN,

          but not the Base DN itself.

        * ``SUBTREE`` Searches all entries below the Base DN, but not Base DN itself.

      .. note::

         When using ``SUBTREE`` LDAP filtering it is useful to limit object location.

      Optional settings

      ^^^^^^^^^^^^^^^^^

      The following are optional when enabling LDAP on |RCM|

      * An LDAP account is only required if the LDAP server does not allow

        anonymous browsing of records.

      * An LDAP password is only required if the LDAP server does not allow

        anonymous browsing of records

      * Using an LDAP filter is optional. An LDAP filter defined by `RFC 2254`_. This

        is more useful that the LDAP Search Scope if set to `SUBTREE`. The filter

        is useful for limiting which LDAP objects are identified as representing

        Users for authentication. The filter is augmented by Login Attribute

        below. This can commonly be left blank.

      * Certificate Checks are only required if you need to use LDAPS.

        You can use the following levels of LDAP service with RhodeCode Enterprise:

         * **NEVER** : A serve certificate will never be requested or checked.

         * **ALLOW** : A server certificate is requested. Failure to provide a

           certificate or providing a bad certificate will not terminate the session.

         * **TRY** : A server certificate is requested. Failure to provide a

           certificate does not halt the session; providing a bad certificate

           halts the session.

         * **DEMAND** : A server certificate is requested and must be provided

           and authenticated for the session to proceed.

         * **HARD** : The same as DEMAND.

      .. note::

         Only **DEMAND** or **HARD** offer full SSL security while the other

         options are vulnerable to man-in-the-middle attacks.

         |RCE| uses ``OPENLDAP`` libraries. This allows **DEMAND** or

         **HARD** LDAPS connections to use self-signed certificates or

         certificates that do not have traceable certificates of authority.

         To enable this functionality install the SSL certificates in the

         following directory: `/etc/openldap/cacerts`

      .. _RFC 2254: http://www.rfc-base.org/rfc-2254.html

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink project: added all source files and assets	r1	.. _ldap-gloss-ref:

		\|LDAP\| Glossary
		---------------

		This topic aims to give you a concise overview of the different settings and
		requirements that enabling \|LDAP\| on \|RCE\| requires.

		Required settings
		^^^^^^^^^^^^^^^^^

		The following LDAP attributes are required when enabling \|LDAP\| on \|RCE\|.

		* Hostname or IP Address: Use a comma separated list for failover
		support.
		* First Name
		* Surname
		* Email
		* Port: Port `389` for unencrypted LDAP or port `636` for SSL-encrypted
		LDAP (LDAPS).
		* Base DN (Distinguished Name): The Distinguished Name (DN)
		is how searches for users will be performed, and these searches can be
		controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of
		relative distinguished names (RDN) connected by commas. For example,

		.. code-block:: vim

		DN: cn='Monty Python',ou='people',dc='example',dc='com'

		* Connection security level: The following are the valid types:

		* No encryption: This connection type uses a plain non-encrypted connection.
		* LDAPS connection: This connection type uses end-to-end SSL. To enable
		an LDAPS connection you must set the following requirements:

		* You must specify port `636`
		* Certificate checks are required.
		* To enable ``START_TLS`` on LDAP connection, set the path to the SSL
		certificate in the default LDAP configuration file. The default
		`ldap.conf` file is located in `/etc/openldap/ldap.conf`.

		.. code-block:: vim

		TLS_CACERT /etc/ssl/certs/ca.crt

		* The LDAP username or account used to connect to \|RCE\|. This will be added
		to the LDAP filter for locating the user object.
		* For example, if an LDAP filter is specified as `LDAPFILTER`,
		the login attribute is specified as `uid`, and the user connects as
		`jsmith`, then the LDAP Filter will be like the following example.

		.. code-block:: vim

		(&(LDAPFILTER)(uid=jsmith))

		* The LDAP search scope must be set. This limits how far LDAP will search for
		a matching object.

		* ``BASE`` Only allows searching of the Base DN.
		* ``ONELEVEL`` Searches all entries under the Base DN,
		but not the Base DN itself.
		* ``SUBTREE`` Searches all entries below the Base DN, but not Base DN itself.

		.. note::

		When using ``SUBTREE`` LDAP filtering it is useful to limit object location.

		Optional settings
		^^^^^^^^^^^^^^^^^

		The following are optional when enabling LDAP on \|RCM\|

		* An LDAP account is only required if the LDAP server does not allow
		anonymous browsing of records.
		* An LDAP password is only required if the LDAP server does not allow
		anonymous browsing of records
		* Using an LDAP filter is optional. An LDAP filter defined by `RFC 2254`_. This
		is more useful that the LDAP Search Scope if set to `SUBTREE`. The filter
		is useful for limiting which LDAP objects are identified as representing
		Users for authentication. The filter is augmented by Login Attribute
		below. This can commonly be left blank.
		* Certificate Checks are only required if you need to use LDAPS.
		You can use the following levels of LDAP service with RhodeCode Enterprise:

		* NEVER : A serve certificate will never be requested or checked.
		* ALLOW : A server certificate is requested. Failure to provide a
		certificate or providing a bad certificate will not terminate the session.
		* TRY : A server certificate is requested. Failure to provide a
		certificate does not halt the session; providing a bad certificate
		halts the session.
		* DEMAND : A server certificate is requested and must be provided
		and authenticated for the session to proceed.
		* HARD : The same as DEMAND.

		.. note::

		Only DEMAND or HARD offer full SSL security while the other
		options are vulnerable to man-in-the-middle attacks.

		\|RCE\| uses ``OPENLDAP`` libraries. This allows DEMAND or
		HARD LDAPS connections to use self-signed certificates or
		certificates that do not have traceable certificates of authority.
		To enable this functionality install the SSL certificates in the
		following directory: `/etc/openldap/cacerts`


		.. _RFC 2254: http://www.rfc-base.org/rfc-2254.html