auth-ldap.rst
117 lines
| 4.3 KiB
| text/x-rst
|
RstLexer
r2656 | .. _config-ldap-ref: | |||
LDAP/AD | ||||
------- | ||||
r3290 | |RCE| supports LDAP (Lightweight Directory Access Protocol) or | |||
r2656 | AD (active Directory) authentication. | |||
r3290 | All LDAP versions are currently supported. | |||
r2656 | ||||
RhodeCode reads all data defined from plugin and creates corresponding | ||||
accounts on local database after receiving data from LDAP. This is done on | ||||
every user log-in including operations like pushing/pulling/checkout. | ||||
.. important:: | ||||
The email used with your |RCE| super-admin account needs to match the email | ||||
address attached to your admin profile in LDAP. This is because | ||||
within |RCE| the user email needs to be unique, and multiple users | ||||
cannot share an email account. | ||||
Likewise, if as an admin you also have a user account, the email address | ||||
attached to the user account needs to be different. | ||||
LDAP Configuration Steps | ||||
^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
To configure |LDAP|, use the following steps: | ||||
r3290 | 1. From the |RCE| interface, select | |||
r2656 | :menuselection:`Admin --> Authentication` | |||
r3290 | 2. Activate the `LDAP` plugin and select :guilabel:`Save` | |||
3. Go to newly available menu option called `LDAP` on the left side. | ||||
4. Check the `enabled` check box in the plugin configuration section, | ||||
and fill in the required LDAP information and :guilabel:`Save`, for more details, | ||||
r2656 | see :ref:`config-ldap-examples` | |||
For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`: | ||||
.. _config-ldap-examples: | ||||
Example LDAP configuration | ||||
^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
r3290 | ||||
Below is example setup that can be used with Active Directory/LDAP server:: | ||||
*option*: `enabled` => `True` | ||||
# Enable or disable this authentication plugin. | ||||
*option*: `cache_ttl` => `360` | ||||
# Amount of seconds to cache the authentication and permissions check response call for this plugin. | ||||
# Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | ||||
*option*: `host` => `192.168.245.143,192.168.1.240` | ||||
# Host[s] of the LDAP Server | ||||
# (e.g., 192.168.2.154, or ldap-server.domain.com. | ||||
# Multiple servers can be specified using commas | ||||
*option*: `port` => `389` | ||||
# Custom port that the LDAP server is listening on. Default value is: 389, use 689 for LDAPS(SSL) | ||||
*option*: `timeout` => `300` | ||||
# Timeout for LDAP connection | ||||
*option*: `dn_user` => `Administrator@rhodecode.com` | ||||
# Optional user DN/account to connect to LDAP if authentication is required. | ||||
# e.g., cn=admin,dc=mydomain,dc=com, or uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com | ||||
*option*: `dn_pass` => `SomeSecret` | ||||
# Password to authenticate for given user DN. | ||||
*option*: `tls_kind` => `PLAIN` | ||||
# TLS Type | ||||
r2656 | ||||
r3290 | *option*: `tls_reqcert` => `NEVER` | |||
# Require Cert over TLS?. Self-signed and custom certificates can be used when | ||||
# `RhodeCode Certificate` found in admin > settings > system info page is extended. | ||||
*option*: `tls_cert_file` => `` | ||||
# This specifies the PEM-format file path containing certificates for use in TLS connection. | ||||
# If not specified `TLS Cert dir` will be used | ||||
*option*: `tls_cert_dir` => `/etc/openldap/cacerts` | ||||
# This specifies the path of a directory that contains individual CA certificates in separate files. | ||||
*option*: `base_dn` => `cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com` | ||||
# Base DN to search. Dynamic bind is supported. Add `$login` marker in it to be replaced with current user credentials | ||||
# (e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com) | ||||
r2656 | ||||
r3290 | *option*: `filter` => `(objectClass=person)` | |||
# Filter to narrow results | ||||
# (e.g., (&(objectCategory=Person)(objectClass=user)), or | ||||
# (memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com))) | ||||
r2656 | ||||
r3290 | *option*: `search_scope` => `SUBTREE` | |||
# How deep to search LDAP. If unsure set to SUBTREE | ||||
*option*: `attr_login` => `sAMAccountName` | ||||
# LDAP Attribute to map to user name (e.g., uid, or sAMAccountName) | ||||
r2656 | ||||
r3290 | *option*: `attr_email` => `mail` | |||
# LDAP Attribute to map to email address (e.g., mail). | ||||
# Emails are a crucial part of RhodeCode. | ||||
# If possible add a valid email attribute to ldap users. | ||||
*option*: `attr_firstname` => `givenName` | ||||
# LDAP Attribute to map to first name (e.g., givenName) | ||||
*option*: `attr_lastname` => `sn` | ||||
# LDAP Attribute to map to last name (e.g., sn) | ||||
r2656 | ||||
.. toctree:: | ||||
ldap-active-directory | ||||
ldap-authentication | ||||