docs: update LDAP documentation according to user feedback.
marcink -
r2656:f7a8197c default
@@ -0,0 +1,112 b''
1 .. _config-ldap-groups-ref:
2
3 LDAP/AD With User Groups Sync
4 -----------------------------
5
6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
7 AD (active Directory) authentication.
8 All LDAP versions are supported, with the following |RCM| plugins managing each:
9
10 * For LDAP/AD with user group sync use ``LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)``
11
12 RhodeCode reads all data defined from plugin and creates corresponding
13 accounts on local database after receiving data from LDAP. This is done on
14 every user log-in including operations like pushing/pulling/checkout.
15 In addition group membership is read from LDAP and following operations are done:
16
17 - automatic addition of user to |RCM| user group
18 - automatic removal of user from any other |RCM| user groups not specified in LDAP.
19 The removal is done *only* on groups that are marked to be synced from ldap.
20 This setting can be changed in advanced settings on user groups
21 - automatic creation of user groups if they aren't yet existing in |RCM|
22 - marking user as super-admins if he is a member of any admin group defined in plugin settings
23
24 This plugin is available only in EE Edition.
25
26 .. important::
27
28 The email used with your |RCE| super-admin account needs to match the email
29 address attached to your admin profile in LDAP. This is because
30 within |RCE| the user email needs to be unique, and multiple users
31 cannot share an email account.
32
33 Likewise, if as an admin you also have a user account, the email address
34 attached to the user account needs to be different.
35
36
37 LDAP Configuration Steps
38 ^^^^^^^^^^^^^^^^^^^^^^^^
39
40 To configure |LDAP|, use the following steps:
41
42 1. From the |RCM| interface, select
43 :menuselection:`Admin --> Authentication`
44 2. Enable the ldap+ groups plugin and select :guilabel:`Save`
45 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
46 4. Add the required LDAP information and :guilabel:`Save`, for more details,
47 see :ref:`config-ldap-groups-examples`
48
49 For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`:
50
51 .. _config-ldap-groups-examples:
52
53 Example LDAP configuration
54 ^^^^^^^^^^^^^^^^^^^^^^^^^^
55 .. code-block:: bash
56
57 # Auth Cache TTL, Defines the caching for authentication to offload LDAP server.
58 # This means that cache result will be saved for 3600 before contacting LDAP server to verify the user access
59 3600
60 # Host, comma seperated format is optionally possible to specify more than 1 server
61 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
62 # Default LDAP Port, use 689 for LDAPS
63 389
64 # Account, used for SimpleBind if LDAP server requires an authentication
65 e.g admin@server.com
66 # Password used for simple bind
67 ldap-user-password
68 # LDAP connection security
69 LDAPS
70 # Certificate checks level
71 DEMAND
72 # Base DN
73 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
74 # User Search Base
75 ou=groups,ou=users
76 # LDAP search filter to narrow the results
77 (objectClass=person)
78 # LDAP search scope
79 SUBTREE
80 # Login attribute
81 sAMAccountName
82 # First Name Attribute to read
83 givenName
84 # Last Name Attribute to read
85 sn
86 # Email Attribute to read email address from
87 mail
88 # group extraction method
89 rfc2307bis
90 # Group search base
91 ou=RC-Groups
92 # Group Name Attribute, field to read the group name from
93 sAMAAccountName
94 # User Member of Attribute, field in which groups are stored
95 memberOf
96 # LDAP Group Search Filter, allows narrowing the results
97
98 # Admin Groups. Comma separated list of groups. If user is member of
99 # any of those he will be marked as super-admin in RhodeCode
100 admins, management
101
102
103 Below is example setup that can be used with Active Directory and ldap groups.
104
105 .. image:: ../images/ldap-groups-example.png
106 :alt: LDAP/AD setup example
107 :scale: 50 %
108
109 .. toctree::
110
111 ldap-active-directory
112 ldap-authentication No newline at end of file
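Review bot: the port comment `# Default LDAP Port, use 689 for LDAPS` in this new page is wrong; the standard LDAPS port is 636, and an admin who copies 689 with `LDAPS` and `DEMAND` selected will simply fail to connect. Other points in the same block: `seperated` should be `separated`; the Group Name Attribute `sAMAAccountName` has an extra `A` (the login attribute above it correctly uses `sAMAccountName`); the `# Host` example gives `https://.../ldap-admin/` URLs where an LDAP host field normally takes a hostname or an `ldap://`/`ldaps://` URI; the `# Base DN` example `cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com` is one user's DN rather than a search base, and `ou=users,dc=rhodecode,dc=com` would match the intent; and `# LDAP Group Search Filter` has no value, so either give one or say it may be left empty. The Auth Cache TTL comment should say `3600` seconds, and it is worth adding that a user removed from LDAP or from a synced group keeps cached access until the TTL expires, which matters when choosing the value.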
1 NO CONTENT: new file 100644, binary diff hidden
1 NO CONTENT: file renamed from docs/auth/crowd-auth.rst to docs/auth/auth-crowd.rst
@@ -1,14 +1,17 b''
1 1 .. _config-ldap-ref:
2 2
3 LDAP
4 ----
3 LDAP/AD
4 -------
5 5
6 6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
7 7 AD (active Directory) authentication.
8 8 All LDAP versions are supported, with the following |RCM| plugins managing each:
9 9
10 * For LDAPv3 use ``LDAP (egg:rhodecode-enterprise-ce#ldap)``
11 * For LDAPv3 with user group sync use ``LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)``
10 * For LDAP or Active Directory use ``LDAP (egg:rhodecode-enterprise-ce#ldap)``
11
12 RhodeCode reads all data defined from plugin and creates corresponding
13 accounts on local database after receiving data from LDAP. This is done on
14 every user log-in including operations like pushing/pulling/checkout.
12 15
13 16
14 17 .. important::
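Review bot: the replacement bullet `* For LDAP or Active Directory use ...` removes the EE `ldap_group` plugin from this page without pointing readers to the new groups page; since the toctree in this change lists `auth-ldap-groups` right after `auth-ldap`, a one-line `:ref:` to `config-ldap-groups-ref` here would help admins pick the right plugin. The added sentence `RhodeCode reads all data defined from plugin` reads awkwardly; something like "RhodeCode reads the attributes defined in the plugin settings and creates corresponding accounts in its local database" is clearer. Also `AD (active Directory)` in the kept context line should be `Active Directory`.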
@@ -21,6 +24,7 b' All LDAP versions are supported, with th'
21 24 Likewise, if as an admin you also have a user account, the email address
22 25 attached to the user account needs to be different.
23 26
27
24 28 LDAP Configuration Steps
25 29 ^^^^^^^^^^^^^^^^^^^^^^^^
26 30
@@ -28,7 +32,7 b' To configure |LDAP|, use the following s'
28 32
29 33 1. From the |RCM| interface, select
30 34 :menuselection:`Admin --> Authentication`
31 2. Enable the required plugin and select :guilabel:`Save`
35 2. Enable the ldap plugin and select :guilabel:`Save`
32 36 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
33 37 4. Add the required LDAP information and :guilabel:`Save`, for more details,
34 38 see :ref:`config-ldap-examples`
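Review bot: step 2 `Enable the ldap plugin` names the plugin informally while the bullet list above uses ``LDAP (egg:rhodecode-enterprise-ce#ldap)``; using the same name in the step removes ambiguity now that a second LDAP plugin (the EE groups one) also appears in the Authentication screen.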
@@ -41,15 +45,16 b' Example LDAP configuration'
41 45 ^^^^^^^^^^^^^^^^^^^^^^^^^^
42 46 .. code-block:: bash
43 47
44 # Auth Cache TTL
48 # Auth Cache TTL, Defines the caching for authentication to offload LDAP server.
49 # This means that cache result will be saved for 3600 before contacting LDAP server to verify the user access
45 50 3600
46 # Host
51 # Host, comma seperated format is optionally possible to specify more than 1 server
47 52 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
48 # Port
53 # Default LDAP Port, use 689 for LDAPS
49 54 389
50 # Account
51 cn=admin,dc=rhodecode,dc=com
52 # Password
55 # Account, used for SimpleBind if LDAP server requires an authentication
56 e.g admin@server.com
57 # Password used for simple bind
53 58 ldap-user-password
54 59 # LDAP connection security
55 60 LDAPS
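Review bot: same two errors as on the new groups page: `use 689 for LDAPS` should be 636, and `seperated` should be `separated`. The Account example changed from the bind DN `cn=admin,dc=rhodecode,dc=com` to `e.g admin@server.com`; the UPN form is accepted by Active Directory but a generic LDAP server expects a bind DN, so since this page is now titled LDAP/AD consider showing both forms. The comment `if LDAP server requires an authentication` should read `if the LDAP server requires authentication`.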
@@ -57,32 +62,26 b' Example LDAP configuration'
57 62 DEMAND
58 63 # Base DN
59 64 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
60 # User Search Base
61 ou=groups,ou=users
62 # LDAP search filter
65 # LDAP search filter to narrow the results
63 66 (objectClass=person)
64 67 # LDAP search scope
65 68 SUBTREE
66 69 # Login attribute
67 rmagillacuddy
68 # First Name Attribute
69 Rufus
70 # Last Name Attribute
71 Magillacuddy
72 # Email Attribute
73 LDAP-Registered@email.ac
74 # User Member of Attribute
75 Organizational Role
76 # Group search base
77 cn=users,ou=groups,dc=rhodecode,dc=com
78 # LDAP Group Search Filter
79 (objectclass=posixGroup)
80 # Group Name Attribute
81 users
82 # Group Member Of Attribute
83 cn
84 # Admin Groups
85 admin,devops,qa
70 sAMAccountName
71 # First Name Attribute to read
72 givenName
73 # Last Name Attribute to read
74 sn
75 # Email Attribute to read email address from
76 mail
77
78
79 Below is example setup that can be used with Active Directory/LDAP server.
80
81 .. image:: ../images/ldap-example.png
82 :alt: LDAP/AD setup example
83 :scale: 50 %
84
86 85
87 86 .. toctree::
88 87
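Review bot: replacing the sample values (`rmagillacuddy`, `Rufus`, `Magillacuddy`, `LDAP-Registered@email.ac`) with attribute names (`sAMAccountName`, `givenName`, `sn`, `mail`) is the right fix, since these fields hold attribute names rather than user data. However the kept `# Base DN` line `cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com` still shows a single user's DN where a search base is expected; with `SUBTREE` scope and `(objectClass=person)` that base can only ever match that one user. `# User Search Base` was removed without comment, so the `# LDAP search filter to narrow the results` comment could state that the filter is applied under the Base DN.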
1 NO CONTENT: file renamed from docs/auth/pam-auth.rst to docs/auth/auth-pam.rst
1 NO CONTENT: file renamed from docs/auth/token-auth.rst to docs/auth/auth-token.rst
@@ -3,35 +3,30 b''
3 3 Authentication Options
4 4 ======================
5 5
6 |RCE| provides a built in authentication plugin
7 ``rhodecode.lib.auth_rhodecode``. This is enabled by default and accessed
8 through the administrative interface. Additionally,
9 |RCE| provides a Pluggable Authentication System (PAS). This gives the
6 |RCE| provides a built in authentication against its own database. This is
7 implemented using ``rhodecode.lib.auth_rhodecode`` plugin. This plugin is
8 enabled by default.
9 Additionally, |RCE| provides a Pluggable Authentication System. This gives the
10 10 administrator greater control over how users authenticate with the system.
11 11
12 12 .. important::
13 13
14 14 You can disable the built in |RCM| authentication plugin
15 15 ``rhodecode.lib.auth_rhodecode`` and force all authentication to go
16 through your authentication plugin. However, if you do this,
17 and your external authentication tools fails, you will be unable to
18 access |RCM|.
16 through your authentication plugin of choice e.g LDAP only.
17 However, if you do this, and your external authentication tools fails,
18 you will be unable to access |RCM|.
19 19
20 20 |RCM| comes with the following user authentication management plugins:
21 21
22 .. only:: latex
23
24 * :ref:`config-ldap-ref`
25 * :ref:`config-pam-ref`
26 * :ref:`config-crowd-ref`
27 * :ref:`config-token-ref`
28 22
29 23 .. toctree::
30 24
31 ldap-config-steps
32 crowd-auth
33 pam-auth
34 token-auth
25 auth-ldap
26 auth-ldap-groups
27 auth-crowd
28 auth-pam
29 auth-token
35 30 ssh-connection
36 31
37 32
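Review bot: in the added text, `built in authentication` should be `built-in authentication`, `using ``rhodecode.lib.auth_rhodecode`` plugin` needs an article (`the ... plugin`), `e.g LDAP only` should be `e.g. LDAP only`, and `external authentication tools fails` should be `tool fails`. The `.. only:: latex` bullet list was removed, so the PDF build loses its list of plugins; if the toctree renders in the LaTeX output that is fine, otherwise keep the list and update its refs to the renamed pages.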
@@ -104,7 +104,6 b' exclude_patterns = ['
104 104
105 105 # Other RST files
106 106 'admin/rhodecode-backup.rst',
107 'auth/ldap-configuration-example.rst',
108 107 'issue-trackers/redmine.rst',
109 108 'known-issues/error-msg-guide.rst',
110 109 'tutorials/docs-build.rst',
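Review bot: dropping `'auth/ldap-configuration-example.rst'` from `exclude_patterns` is consistent with the file removal shown after this hunk; please also check that no remaining page still references the old `ldap-config-steps` toctree entry or the removed file, otherwise Sphinx will warn about missing documents.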
1 NO CONTENT: file was removed