rhodecode-enterprise-ce Files · docs/auth/ldap-authentication.rst

users: add sorting by last activity to the new users grid.

marcink - - Load All Authors

File last commit:

r1:854a839a default


                r1547:ed2ccabe

default

Download file

             ldap-authentication.rst
        
                    106 lines
            
             | 4.2 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / auth / ldap-authentication.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
project: added all source files and assets

              r1
            
      .. _ldap-gloss-ref:

      |LDAP| Glossary

      ---------------

      This topic aims to give you a concise overview of the different settings and

      requirements that enabling |LDAP| on |RCE| requires.

      Required settings

      ^^^^^^^^^^^^^^^^^

      The following LDAP attributes are required when enabling |LDAP| on |RCE|.

      * **Hostname** or **IP Address**: Use a comma separated list for failover

        support.

      * **First Name**

      * **Surname**

      * **Email**

      * **Port**: Port `389` for unencrypted LDAP or port `636` for SSL-encrypted

        LDAP (LDAPS).

      * **Base DN (Distinguished Name)**: The Distinguished Name (DN)

        is how searches for users will be performed, and these searches can be

        controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of

        relative distinguished names (RDN) connected by commas. For example,

      .. code-block:: vim

          DN: cn='Monty Python',ou='people',dc='example',dc='com'

      * **Connection security level**: The following are the valid types:

        * *No encryption*: This connection type uses a plain non-encrypted connection.

        * *LDAPS connection*: This connection type uses end-to-end SSL. To enable

          an LDAPS connection you must set the following requirements:

            * You must specify port `636`

            * Certificate checks are required.

            * To enable ``START_TLS`` on LDAP connection, set the path to the SSL

              certificate in the default LDAP configuration file. The default

              `ldap.conf` file is located in `/etc/openldap/ldap.conf`.

      .. code-block:: vim

         TLS_CACERT	/etc/ssl/certs/ca.crt

      * The LDAP username or account used to connect to |RCE|. This will be added

        to the LDAP filter for locating the user object.

      * For example, if an LDAP filter is specified as `LDAPFILTER`,

        the login attribute is specified as `uid`, and the user connects as

        `jsmith`, then the LDAP Filter will be like the following example.

      .. code-block:: vim

         (&(LDAPFILTER)(uid=jsmith))

      * The LDAP search scope must be set. This limits how far LDAP will search for

        a matching object.

        * ``BASE`` Only allows searching of the Base DN.

        * ``ONELEVEL`` Searches all entries under the Base DN,

          but not the Base DN itself.

        * ``SUBTREE`` Searches all entries below the Base DN, but not Base DN itself.

      .. note::

         When using ``SUBTREE`` LDAP filtering it is useful to limit object location.

      Optional settings

      ^^^^^^^^^^^^^^^^^

      The following are optional when enabling LDAP on |RCM|

      * An LDAP account is only required if the LDAP server does not allow

        anonymous browsing of records.

      * An LDAP password is only required if the LDAP server does not allow

        anonymous browsing of records

      * Using an LDAP filter is optional. An LDAP filter defined by `RFC 2254`_. This

        is more useful that the LDAP Search Scope if set to `SUBTREE`. The filter

        is useful for limiting which LDAP objects are identified as representing

        Users for authentication. The filter is augmented by Login Attribute

        below. This can commonly be left blank.

      * Certificate Checks are only required if you need to use LDAPS.

        You can use the following levels of LDAP service with RhodeCode Enterprise:

         * **NEVER** : A serve certificate will never be requested or checked.

         * **ALLOW** : A server certificate is requested. Failure to provide a

           certificate or providing a bad certificate will not terminate the session.

         * **TRY** : A server certificate is requested. Failure to provide a

           certificate does not halt the session; providing a bad certificate

           halts the session.

         * **DEMAND** : A server certificate is requested and must be provided

           and authenticated for the session to proceed.

         * **HARD** : The same as DEMAND.

      .. note::

         Only **DEMAND** or **HARD** offer full SSL security while the other

         options are vulnerable to man-in-the-middle attacks.

         |RCE| uses ``OPENLDAP`` libraries. This allows **DEMAND** or

         **HARD** LDAPS connections to use self-signed certificates or

         certificates that do not have traceable certificates of authority.

         To enable this functionality install the SSL certificates in the

         following directory: `/etc/openldap/cacerts`

      .. _RFC 2254: http://www.rfc-base.org/rfc-2254.html

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink project: added all source files and assets	r1	.. _ldap-gloss-ref:

		\|LDAP\| Glossary
		---------------

		This topic aims to give you a concise overview of the different settings and
		requirements that enabling \|LDAP\| on \|RCE\| requires.

		Required settings
		^^^^^^^^^^^^^^^^^

		The following LDAP attributes are required when enabling \|LDAP\| on \|RCE\|.

		* Hostname or IP Address: Use a comma separated list for failover
		support.
		* First Name
		* Surname
		* Email
		* Port: Port `389` for unencrypted LDAP or port `636` for SSL-encrypted
		LDAP (LDAPS).
		* Base DN (Distinguished Name): The Distinguished Name (DN)
		is how searches for users will be performed, and these searches can be
		controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of
		relative distinguished names (RDN) connected by commas. For example,

		.. code-block:: vim

		DN: cn='Monty Python',ou='people',dc='example',dc='com'

		* Connection security level: The following are the valid types:

		* No encryption: This connection type uses a plain non-encrypted connection.
		* LDAPS connection: This connection type uses end-to-end SSL. To enable
		an LDAPS connection you must set the following requirements:

		* You must specify port `636`
		* Certificate checks are required.
		* To enable ``START_TLS`` on LDAP connection, set the path to the SSL
		certificate in the default LDAP configuration file. The default
		`ldap.conf` file is located in `/etc/openldap/ldap.conf`.

		.. code-block:: vim

		TLS_CACERT /etc/ssl/certs/ca.crt

		* The LDAP username or account used to connect to \|RCE\|. This will be added
		to the LDAP filter for locating the user object.
		* For example, if an LDAP filter is specified as `LDAPFILTER`,
		the login attribute is specified as `uid`, and the user connects as
		`jsmith`, then the LDAP Filter will be like the following example.

		.. code-block:: vim

		(&(LDAPFILTER)(uid=jsmith))

		* The LDAP search scope must be set. This limits how far LDAP will search for
		a matching object.

		* ``BASE`` Only allows searching of the Base DN.
		* ``ONELEVEL`` Searches all entries under the Base DN,
		but not the Base DN itself.
		* ``SUBTREE`` Searches all entries below the Base DN, but not Base DN itself.

		.. note::

		When using ``SUBTREE`` LDAP filtering it is useful to limit object location.

		Optional settings
		^^^^^^^^^^^^^^^^^

		The following are optional when enabling LDAP on \|RCM\|

		* An LDAP account is only required if the LDAP server does not allow
		anonymous browsing of records.
		* An LDAP password is only required if the LDAP server does not allow
		anonymous browsing of records
		* Using an LDAP filter is optional. An LDAP filter defined by `RFC 2254`_. This
		is more useful that the LDAP Search Scope if set to `SUBTREE`. The filter
		is useful for limiting which LDAP objects are identified as representing
		Users for authentication. The filter is augmented by Login Attribute
		below. This can commonly be left blank.
		* Certificate Checks are only required if you need to use LDAPS.
		You can use the following levels of LDAP service with RhodeCode Enterprise:

		* NEVER : A serve certificate will never be requested or checked.
		* ALLOW : A server certificate is requested. Failure to provide a
		certificate or providing a bad certificate will not terminate the session.
		* TRY : A server certificate is requested. Failure to provide a
		certificate does not halt the session; providing a bad certificate
		halts the session.
		* DEMAND : A server certificate is requested and must be provided
		and authenticated for the session to proceed.
		* HARD : The same as DEMAND.

		.. note::

		Only DEMAND or HARD offer full SSL security while the other
		options are vulnerable to man-in-the-middle attacks.

		\|RCE\| uses ``OPENLDAP`` libraries. This allows DEMAND or
		HARD LDAPS connections to use self-signed certificates or
		certificates that do not have traceable certificates of authority.
		To enable this functionality install the SSL certificates in the
		following directory: `/etc/openldap/cacerts`


		.. _RFC 2254: http://www.rfc-base.org/rfc-2254.html