docs: update LDAP documentation according to user feedback.
marcink -
r2656:f7a8197c default
@@ -0,0 +1,112 b''
1 .. _config-ldap-groups-ref:
2
3 LDAP/AD With User Groups Sync
4 -----------------------------
5
6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
7 AD (active Directory) authentication.
8 All LDAP versions are supported, with the following |RCM| plugins managing each:
9
10 * For LDAP/AD with user group sync use ``LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)``
11
12 RhodeCode reads all data defined from plugin and creates corresponding
13 accounts on local database after receiving data from LDAP. This is done on
14 every user log-in including operations like pushing/pulling/checkout.
15 In addition group membership is read from LDAP and following operations are done:
16
17 - automatic addition of user to |RCM| user group
18 - automatic removal of user from any other |RCM| user groups not specified in LDAP.
19 The removal is done *only* on groups that are marked to be synced from ldap.
20 This setting can be changed in advanced settings on user groups
21 - automatic creation of user groups if they aren't yet existing in |RCM|
22 - marking user as super-admins if he is a member of any admin group defined in plugin settings
23
24 This plugin is available only in EE Edition.
25
26 .. important::
27
28 The email used with your |RCE| super-admin account needs to match the email
29 address attached to your admin profile in LDAP. This is because
30 within |RCE| the user email needs to be unique, and multiple users
31 cannot share an email account.
32
33 Likewise, if as an admin you also have a user account, the email address
34 attached to the user account needs to be different.
35
36
37 LDAP Configuration Steps
38 ^^^^^^^^^^^^^^^^^^^^^^^^
39
40 To configure |LDAP|, use the following steps:
41
42 1. From the |RCM| interface, select
43 :menuselection:`Admin --> Authentication`
44 2. Enable the ldap+ groups plugin and select :guilabel:`Save`
45 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
46 4. Add the required LDAP information and :guilabel:`Save`, for more details,
47 see :ref:`config-ldap-groups-examples`
48
49 For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`:
50
51 .. _config-ldap-groups-examples:
52
53 Example LDAP configuration
54 ^^^^^^^^^^^^^^^^^^^^^^^^^^
55 .. code-block:: bash
56
57 # Auth Cache TTL, Defines the caching for authentication to offload LDAP server.
58 # This means that cache result will be saved for 3600 before contacting LDAP server to verify the user access
59 3600
60 # Host, comma seperated format is optionally possible to specify more than 1 server
61 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
62 # Default LDAP Port, use 689 for LDAPS
63 389
64 # Account, used for SimpleBind if LDAP server requires an authentication
65 e.g admin@server.com
66 # Password used for simple bind
67 ldap-user-password
68 # LDAP connection security
69 LDAPS
70 # Certificate checks level
71 DEMAND
72 # Base DN
73 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
74 # User Search Base
75 ou=groups,ou=users
76 # LDAP search filter to narrow the results
77 (objectClass=person)
78 # LDAP search scope
79 SUBTREE
80 # Login attribute
81 sAMAccountName
82 # First Name Attribute to read
83 givenName
84 # Last Name Attribute to read
85 sn
86 # Email Attribute to read email address from
87 mail
88 # group extraction method
89 rfc2307bis
90 # Group search base
91 ou=RC-Groups
92 # Group Name Attribute, field to read the group name from
93 sAMAAccountName
94 # User Member of Attribute, field in which groups are stored
95 memberOf
96 # LDAP Group Search Filter, allows narrowing the results
97
98 # Admin Groups. Comma separated list of groups. If user is member of
99 # any of those he will be marked as super-admin in RhodeCode
100 admins, management
101
102
103 Below is example setup that can be used with Active Directory and ldap groups.
104
105 .. image:: ../images/ldap-groups-example.png
106 :alt: LDAP/AD setup example
107 :scale: 50 %
108
109 .. toctree::
110
111 ldap-active-directory
112 ldap-authentication No newline at end of file
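Review bot: The port comment at new line 62, `# Default LDAP Port, use 689 for LDAPS`, gives the wrong number: the registered LDAPS port is 636. The example also contradicts itself, since it shows `389` as the port while `LDAPS` is selected as connection security; show 636 in the example or change the security value to match. Further down, `sAMAAccountName` at new line 93 is a misspelling of `sAMAccountName` (spelled correctly at line 81), `seperated` at line 60 should be `separated`, and the cache comment at lines 57-58 should give the unit (3600 seconds) and say that a user disabled or removed from a group in LDAP keeps the cached result until it expires.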
1 NO CONTENT: new file 100644, binary diff hidden
1 NO CONTENT: file renamed from docs/auth/crowd-auth.rst to docs/auth/auth-crowd.rst
@@ -1,90 +1,89 b''
1 1 .. _config-ldap-ref:
2 2
3 LDAP
4 ----
3 LDAP/AD
4 -------
5 5
6 6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
7 7 AD (active Directory) authentication.
8 8 All LDAP versions are supported, with the following |RCM| plugins managing each:
9 9
10 * For LDAPv3 use ``LDAP (egg:rhodecode-enterprise-ce#ldap)``
11 * For LDAPv3 with user group sync use ``LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)``
10 * For LDAP or Active Directory use ``LDAP (egg:rhodecode-enterprise-ce#ldap)``
11
12 RhodeCode reads all data defined from plugin and creates corresponding
13 accounts on local database after receiving data from LDAP. This is done on
14 every user log-in including operations like pushing/pulling/checkout.
12 15
13 16
14 17 .. important::
15 18
16 19 The email used with your |RCE| super-admin account needs to match the email
17 20 address attached to your admin profile in LDAP. This is because
18 21 within |RCE| the user email needs to be unique, and multiple users
19 22 cannot share an email account.
20 23
21 24 Likewise, if as an admin you also have a user account, the email address
22 25 attached to the user account needs to be different.
23 26
27
24 28 LDAP Configuration Steps
25 29 ^^^^^^^^^^^^^^^^^^^^^^^^
26 30
27 31 To configure |LDAP|, use the following steps:
28 32
29 33 1. From the |RCM| interface, select
30 34 :menuselection:`Admin --> Authentication`
31 2. Enable the required plugin and select :guilabel:`Save`
35 2. Enable the ldap plugin and select :guilabel:`Save`
32 36 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
33 37 4. Add the required LDAP information and :guilabel:`Save`, for more details,
34 38 see :ref:`config-ldap-examples`
35 39
36 40 For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`:
37 41
38 42 .. _config-ldap-examples:
39 43
40 44 Example LDAP configuration
41 45 ^^^^^^^^^^^^^^^^^^^^^^^^^^
42 46 .. code-block:: bash
43 47
44 # Auth Cache TTL
48 # Auth Cache TTL, Defines the caching for authentication to offload LDAP server.
49 # This means that cache result will be saved for 3600 before contacting LDAP server to verify the user access
45 50 3600
46 # Host
51 # Host, comma seperated format is optionally possible to specify more than 1 server
47 52 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
48 # Port
53 # Default LDAP Port, use 689 for LDAPS
49 54 389
50 # Account
51 cn=admin,dc=rhodecode,dc=com
52 # Password
55 # Account, used for SimpleBind if LDAP server requires an authentication
56 e.g admin@server.com
57 # Password used for simple bind
53 58 ldap-user-password
54 59 # LDAP connection security
55 60 LDAPS
56 61 # Certificate checks level
57 62 DEMAND
58 63 # Base DN
59 64 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
60 # User Search Base
61 ou=groups,ou=users
62 # LDAP search filter
65 # LDAP search filter to narrow the results
63 66 (objectClass=person)
64 67 # LDAP search scope
65 68 SUBTREE
66 69 # Login attribute
67 rmagillacuddy
68 # First Name Attribute
69 Rufus
70 # Last Name Attribute
71 Magillacuddy
72 # Email Attribute
73 LDAP-Registered@email.ac
74 # User Member of Attribute
75 Organizational Role
76 # Group search base
77 cn=users,ou=groups,dc=rhodecode,dc=com
78 # LDAP Group Search Filter
79 (objectclass=posixGroup)
80 # Group Name Attribute
81 users
82 # Group Member Of Attribute
83 cn
84 # Admin Groups
85 admin,devops,qa
70 sAMAccountName
71 # First Name Attribute to read
72 givenName
73 # Last Name Attribute to read
74 sn
75 # Email Attribute to read email address from
76 mail
77
78
79 Below is example setup that can be used with Active Directory/LDAP server.
80
81 .. image:: ../images/ldap-example.png
82 :alt: LDAP/AD setup example
83 :scale: 50 %
84
86 85
87 86 .. toctree::
88 87
89 88 ldap-active-directory
90 89 ldap-authentication
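Review bot: The new Account value at new line 56, `e.g admin@server.com`, sits on a value line, so a reader copying the block will paste the `e.g` prefix into the bind account field; drop the prefix or move it into the comment above. The line it replaces was a bind DN (`cn=admin,dc=rhodecode,dc=com`), so the comment should say which account forms are accepted. The unchanged Base DN `cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com` is a single user's entry rather than a search base, which no longer fits an example whose login attribute is now `sAMAccountName`. The `689` in the new port comment at line 53 should be 636, and the example still pairs port `389` with `LDAPS`.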
1 NO CONTENT: file renamed from docs/auth/pam-auth.rst to docs/auth/auth-pam.rst
1 NO CONTENT: file renamed from docs/auth/token-auth.rst to docs/auth/auth-token.rst
@@ -1,37 +1,32 b''
1 1 .. _authentication-ref:
2 2
3 3 Authentication Options
4 4 ======================
5 5
6 |RCE| provides a built in authentication plugin
7 ``rhodecode.lib.auth_rhodecode``. This is enabled by default and accessed
8 through the administrative interface. Additionally,
9 |RCE| provides a Pluggable Authentication System (PAS). This gives the
6 |RCE| provides a built in authentication against its own database. This is
7 implemented using ``rhodecode.lib.auth_rhodecode`` plugin. This plugin is
8 enabled by default.
9 Additionally, |RCE| provides a Pluggable Authentication System. This gives the
10 10 administrator greater control over how users authenticate with the system.
11 11
12 12 .. important::
13 13
14 14 You can disable the built in |RCM| authentication plugin
15 15 ``rhodecode.lib.auth_rhodecode`` and force all authentication to go
16 through your authentication plugin. However, if you do this,
17 and your external authentication tools fails, you will be unable to
18 access |RCM|.
16 through your authentication plugin of choice e.g LDAP only.
17 However, if you do this, and your external authentication tools fails,
18 you will be unable to access |RCM|.
19 19
20 20 |RCM| comes with the following user authentication management plugins:
21 21
22 .. only:: latex
23
24 * :ref:`config-ldap-ref`
25 * :ref:`config-pam-ref`
26 * :ref:`config-crowd-ref`
27 * :ref:`config-token-ref`
28 22
29 23 .. toctree::
30 24
31 ldap-config-steps
32 crowd-auth
33 pam-auth
34 token-auth
25 auth-ldap
26 auth-ldap-groups
27 auth-crowd
28 auth-pam
29 auth-token
35 30 ssh-connection
36 31
37 32
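Review bot: The reworded `.. important::` note at new lines 16-18 still warns about lockout without telling the administrator how to avoid it. Suggest adding a sentence recommending that `rhodecode.lib.auth_rhodecode` stay enabled until a super-admin login through the external plugin has been verified. Wording in the added lines: `e.g LDAP only` should be `e.g. LDAP only`, `tools fails` should be `tool fails`, and `built in` at new line 6 should be `built-in`.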
@@ -1,317 +1,316 b''
1 1 # -*- coding: utf-8 -*-
2 2 #
3 3 # RhodeCode Enterprise documentation build configuration file, created by
4 4 # sphinx-quickstart on Tue Nov 4 11:48:37 2014.
5 5 #
6 6 # This file is execfile()d with the current directory set to its
7 7 # containing dir.
8 8 #
9 9 # Note that not all possible configuration values are present in this
10 10 # autogenerated file.
11 11 #
12 12 # All configuration values have a default; values that are commented out
13 13 # serve to show the default.
14 14
15 15 import sys
16 16 import os
17 17 import datetime
18 18 import sphinx_rtd_theme
19 19
20 20 # If extensions (or modules to document with autodoc) are in another directory,
21 21 # add these directories to sys.path here. If the directory is relative to the
22 22 # documentation root, use os.path.abspath to make it absolute, like shown here.
23 23 sys.path.insert(0, os.path.abspath('.'))
24 24 import common
25 25
26 26 # -- General configuration ------------------------------------------------
27 27
28 28 # If your documentation needs a minimal Sphinx version, state it here.
29 29 #needs_sphinx = '1.0'
30 30
31 31 # Add any Sphinx extension module names here, as strings. They can be
32 32 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
33 33 # ones.
34 34 extensions = [
35 35 'sphinx.ext.intersphinx',
36 36 'sphinx.ext.todo',
37 37 'sphinx.ext.imgmath'
38 38 ]
39 39
40 40 intersphinx_mapping = {
41 41 'enterprise': ('https://docs.rhodecode.com/RhodeCode-Enterprise/', None),
42 42 'control': ('https://docs.rhodecode.com/RhodeCode-Control/', None),
43 43 }
44 44
45 45 if tags.has('dev'):
46 46 intersphinx_mapping.update({
47 47 'enterprise': ('https://ci.rhodecode.com/documentation/Momentum/', None),
48 48 'control': ('https://ci.rhodecode.com/documentation/Control/', None),
49 49 })
50 50
51 51
52 52 # Add any paths that contain templates here, relative to this directory.
53 53 templates_path = ['_templates']
54 54
55 55 # The suffix of source filenames.
56 56 source_suffix = '.rst'
57 57
58 58 # The encoding of source files.
59 59 #source_encoding = 'utf-8-sig'
60 60
61 61 # The master toctree document.
62 62 master_doc = 'index'
63 63
64 64 # The version info for the project you're documenting, acts as replacement for
65 65 # |version| and |release|, also used in various other places throughout the
66 66 # built documents.
67 67
68 68 # TODO: johbo: Move into common package for documentation utilities
69 69 def _get_version():
70 70 with open('../rhodecode/VERSION') as f:
71 71 return f.read().strip()
72 72
73 73 # The full version, including alpha/beta/rc tags.
74 74 release = _get_version()
75 75 # The short X.Y version.
76 76 version = '.'.join(release.split('.', 2)[:2]) # First two parts of release
77 77
78 78 # General information about the project.
79 79 project = u'RhodeCode Enterprise %s ' % _get_version()
80 80 copyright = u'2010-{now.year}, RhodeCode GmbH'.format(
81 81 now=datetime.datetime.today())
82 82
83 83
84 84 # The language for content autogenerated by Sphinx. Refer to documentation
85 85 # for a list of supported languages.
86 86 #language = None
87 87
88 88 rst_epilog = common.rst_epilog + """
89 89 .. |async| replace:: asynchronous
90 90 """
91 91
92 92 # There are two options for replacing |today|: either, you set today to some
93 93 # non-false value, then it is used:
94 94 #today = ''
95 95 # Else, today_fmt is used as the format for a strftime call.
96 96 #today_fmt = '%B %d, %Y'
97 97
98 98 # List of patterns, relative to source directory, that match files and
99 99 # directories to ignore when looking for source files.
100 100 exclude_patterns = [
101 101 # Special directories
102 102 '_build',
103 103 'result',
104 104
105 105 # Other RST files
106 106 'admin/rhodecode-backup.rst',
107 'auth/ldap-configuration-example.rst',
108 107 'issue-trackers/redmine.rst',
109 108 'known-issues/error-msg-guide.rst',
110 109 'tutorials/docs-build.rst',
111 110 'integrations/example-ext.py',
112 111 'collaboration/supported-workflows.rst',
113 112 ]
114 113
115 114
116 115 # The reST default role (used for this markup: `text`) to use for all
117 116 # documents.
118 117 #default_role = None
119 118
120 119 # If true, '()' will be appended to :func: etc. cross-reference text.
121 120 #add_function_parentheses = True
122 121
123 122 # If true, the current module name will be prepended to all description
124 123 # unit titles (such as .. function::).
125 124 #add_module_names = True
126 125
127 126 # If true, sectionauthor and moduleauthor directives will be shown in the
128 127 # output. They are ignored by default.
129 128 #show_authors = False
130 129
131 130 # The name of the Pygments (syntax highlighting) style to use.
132 131 pygments_style = 'sphinx'
133 132
134 133 # A list of ignored prefixes for module index sorting.
135 134 #modindex_common_prefix = []
136 135
137 136 # If true, keep warnings as "system message" paragraphs in the built documents.
138 137 keep_warnings = tags.has("dev")
139 138
140 139
141 140 # -- Options for HTML output ----------------------------------------------
142 141
143 142 # The theme to use for HTML and HTML Help pages. See the documentation for
144 143 # a list of builtin themes.
145 144 #html_theme = 'rctheme'
146 145 html_theme = 'sphinx_rtd_theme'
147 146
148 147 # Theme options are theme-specific and customize the look and feel of a theme
149 148 # further. For a list of options available for each theme, see the
150 149 # documentation.
151 150 #html_theme_options = {}
152 151 html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
153 152
154 153 # Add any paths that contain custom themes here, relative to this directory.
155 154 #html_theme_path = []
156 155
157 156 # The name for this set of Sphinx documents. If None, it defaults to
158 157 # "<project> v<release> documentation".
159 158 #html_title = None
160 159
161 160 # A shorter title for the navigation bar. Default is the same as html_title.
162 161 #html_short_title = None
163 162
164 163 # The name of an image file (relative to this directory) to place at the top
165 164 # of the sidebar.
166 165 #html_logo = None
167 166 html_sidebars = {
168 167 '**': ['globaltoc.html'],
169 168 }
170 169
171 170 # The name of an image file (within the static path) to use as favicon of the
172 171 # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
173 172 # pixels large.
174 173 html_favicon = 'images/favicon.ico'
175 174
176 175 # Add any paths that contain custom static files (such as style sheets) here,
177 176 # relative to this directory. They are copied after the builtin static files,
178 177 # so a file named "default.css" will overwrite the builtin "default.css".
179 178 html_static_path = ['static/css/add.css']
180 179
181 180 # Add any extra paths that contain custom files (such as robots.txt or
182 181 # .htaccess) here, relative to this directory. These files are copied
183 182 # directly to the root of the documentation.
184 183 #html_extra_path = []
185 184
186 185 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
187 186 # using the given strftime format.
188 187 #html_last_updated_fmt = '%b %d, %Y'
189 188
190 189 # If true, SmartyPants will be used to convert quotes and dashes to
191 190 # typographically correct entities.
192 191 #html_use_smartypants = True
193 192
194 193 # Custom sidebar templates, maps document names to template names.
195 194 #html_sidebars = {}
196 195
197 196 # Additional templates that should be rendered to pages, maps page names to
198 197 # template names.
199 198 #html_additional_pages = {}
200 199
201 200 # If false, no module index is generated.
202 201 #html_domain_indices = True
203 202
204 203 # If false, no index is generated.
205 204 #html_use_index = True
206 205
207 206 # If true, the index is split into individual pages for each letter.
208 207 #html_split_index = False
209 208
210 209 # If true, links to the reST sources are added to the pages.
211 210 #html_show_sourcelink = True
212 211
213 212 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
214 213 #html_show_sphinx = True
215 214
216 215 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
217 216 #html_show_copyright = True
218 217
219 218 # If true, an OpenSearch description file will be output, and all pages will
220 219 # contain a <link> tag referring to it. The value of this option must be the
221 220 # base URL from which the finished HTML is served.
222 221 #html_use_opensearch = ''
223 222
224 223 # This is the file name suffix for HTML files (e.g. ".xhtml").
225 224 #html_file_suffix = None
226 225
227 226 # Output file base name for HTML help builder.
228 227 htmlhelp_basename = 'rhodecode-enterprise'
229 228
230 229
231 230 # -- Options for LaTeX output ---------------------------------------------
232 231
233 232 latex_elements = {
234 233 'classoptions': ',oneside',
235 234 'babel': '\\usepackage[english]{babel}',
236 235
237 236 # The paper size ('letterpaper' or 'a4paper').
238 237 #'papersize': 'letterpaper',
239 238
240 239 # The font size ('10pt', '11pt' or '12pt').
241 240 #'pointsize': '10pt',
242 241
243 242 # Additional stuff for the LaTeX preamble.
244 243 #'preamble': '',
245 244 }
246 245
247 246 # Grouping the document tree into LaTeX files. List of tuples
248 247 # (source start file, target name, title,
249 248 # author, documentclass [howto, manual, or own class]).
250 249 latex_documents = [
251 250 ('index', 'RhodeCodeEnterprise.tex', u'RhodeCode Enterprise',
252 251 u'RhodeCode GmbH', 'manual'),
253 252 ]
254 253
255 254 # The name of an image file (relative to this directory) to place at the top of
256 255 # the title page.
257 256 #latex_logo = None
258 257
259 258 # For "manual" documents, if this is true, then toplevel headings are parts,
260 259 # not chapters.
261 260 #latex_use_parts = False
262 261
263 262 # If true, show page references after internal links.
264 263 latex_show_pagerefs = True
265 264
266 265 # If true, show URL addresses after external links.
267 266 latex_show_urls = 'footnote'
268 267
269 268 # Documents to append as an appendix to all manuals.
270 269 #latex_appendices = []
271 270
272 271 # If false, no module index is generated.
273 272 #latex_domain_indices = True
274 273
275 274 # Mode for literal blocks wider than the frame. Can be
276 275 # overflow, shrink or truncate
277 276 pdf_fit_mode = "truncate"
278 277
279 278
280 279 # -- Options for manual page output ---------------------------------------
281 280
282 281 # One entry per manual page. List of tuples
283 282 # (source start file, name, description, authors, manual section).
284 283 man_pages = [
285 284 ('index', 'rhodecodeenterprise', u'RhodeCode Enterprise',
286 285 [u'RhodeCode GmbH'], 1)
287 286 ]
288 287
289 288 # If true, show URL addresses after external links.
290 289 #man_show_urls = False
291 290
292 291
293 292 # -- Options for Texinfo output -------------------------------------------
294 293
295 294 # Grouping the document tree into Texinfo files. List of tuples
296 295 # (source start file, target name, title, author,
297 296 # dir menu entry, description, category)
298 297 texinfo_documents = [
299 298 ('index', 'RhodeCodeEnterprise', u'RhodeCode Enterprise',
300 299 u'RhodeCode Docs Team', 'RhodeCodeEnterprise', 'RhodeCode Docs Project',
301 300 'Miscellaneous'),
302 301 ]
303 302
304 303 # Documents to append as an appendix to all manuals.
305 304 #texinfo_appendices = []
306 305
307 306 # If false, no module index is generated.
308 307 #texinfo_domain_indices = True
309 308
310 309 # How to display URL addresses: 'footnote', 'no', or 'inline'.
311 310 #texinfo_show_urls = 'footnote'
312 311
313 312 # If true, do not generate a @detailmenu in the "Top" node's menu.
314 313 #texinfo_no_detailmenu = False
315 314
316 315 # We want to see todo notes in case of a pre-release build of the documentation
317 316 todo_include_todos = tags.has("dev")
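Review bot: Removing `'auth/ldap-configuration-example.rst'` from `exclude_patterns` (old line 107) is only safe if that file is the one deleted in this changeset. If it still exists under the docs tree, Sphinx will start building it, and it is not listed in the `toctree` of the authentication index, so the build will warn about a document that is not included in any toctree. Please confirm in the commit message which file was removed.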
1 NO CONTENT: file was removed