1 | NO CONTENT: new file 100644, binary diff hidden |
@@ -1,22 +1,29 b'' | |||
|
1 | 1 | .. _ldap-act-dir-ref: |
|
2 | 2 | |
|
3 | 3 | Active Directory |
|
4 | 4 | ---------------- |
|
5 | 5 | |
|
6 | 6 | |RCM| can use Microsoft Active Directory for user authentication. This is |
|
7 | 7 | done through an LDAP or LDAPS connection to Active Directory. Use the |
|
8 | 8 | following example LDAP configuration setting to set your Active Directory |
|
9 | 9 | authentication. |
|
10 | 10 | |
|
11 | 11 | .. code-block:: ini |
|
12 | 12 | |
|
13 | 13 | # Set the Base DN |
|
14 | 14 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local |
|
15 | 15 | # Set the Active Directory SAM-Account-Name |
|
16 | 16 | Login Attribute = sAMAccountName |
|
17 | 17 | # Set the Active Directory user name |
|
18 | 18 | First Name Attribute = usernameame |
|
19 | 19 | # Set the Active Directory user surname |
|
20 | 20 | Last Name Attribute = user_surname |
|
21 | 21 | # Set the Active Directory user email |
|
22 | E-mail Attribute = userEmail No newline at end of file | |
|
22 | E-mail Attribute = userEmail | |
|
23 | ||
|
24 | ||
|
25 | Below is example setup that can be used with Active Directory and ldap groups. | |
|
26 | ||
|
27 | .. image:: ../images/ldap-groups-example.png | |
|
28 | :alt: LDAP/AD setup example | |
|
29 | :scale: 50 % No newline at end of file |
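Review bot: the paragraph and image added at lines 25-29 are pasted verbatim into both this file and the LDAP glossary in the same change; keep a single copy (this Active Directory section is the natural home) and link to it from the glossary with `:ref:`ldap-act-dir-ref`` so the two copies do not drift apart. The new sentence should read "Below is an example setup that can be used with Active Directory and LDAP groups." A screenshot cannot be searched, copied or diffed, so the settings the figure shows should also be listed as text beside the image, and the alt text should describe what the figure contains rather than the generic "LDAP/AD setup example". While here: the unchanged sample value `First Name Attribute = usernameame` on line 18 looks like a typo, and the new version of the file still ends without a trailing newline at line 29.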
@@ -1,107 +1,113 b'' | |||
|
1 | 1 | .. _ldap-gloss-ref: |
|
2 | 2 | |
|
3 | 3 | |LDAP| Glossary |
|
4 | 4 | --------------- |
|
5 | 5 | |
|
6 | 6 | This topic aims to give you a concise overview of the different settings and |
|
7 | 7 | requirements that enabling |LDAP| on |RCE| requires. |
|
8 | 8 | |
|
9 | 9 | Required settings |
|
10 | 10 | ^^^^^^^^^^^^^^^^^ |
|
11 | 11 | |
|
12 | 12 | The following LDAP attributes are required when enabling |LDAP| on |RCE|. |
|
13 | 13 | |
|
14 | 14 | * **Hostname** or **IP Address**: Use a comma separated list for failover |
|
15 | 15 | support. |
|
16 | 16 | * **First Name** |
|
17 | 17 | * **Surname** |
|
18 | 18 | * **Email** |
|
19 | 19 | * **Port**: Port `389` for unencrypted LDAP or port `636` for SSL-encrypted |
|
20 | 20 | LDAP (LDAPS). |
|
21 | 21 | * **Base DN (Distinguished Name)**: The Distinguished Name (DN) |
|
22 | 22 | is how searches for users will be performed, and these searches can be |
|
23 | 23 | controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of |
|
24 | 24 | relative distinguished names (RDN) connected by commas. For example, |
|
25 | 25 | |
|
26 | 26 | .. code-block:: vim |
|
27 | 27 | |
|
28 | 28 | DN: cn='Monty Python',ou='people',dc='example',dc='com' |
|
29 | 29 | |
|
30 | 30 | * **Connection security level**: The following are the valid types: |
|
31 | 31 | |
|
32 | 32 | * *No encryption*: This connection type uses a plain non-encrypted connection. |
|
33 | 33 | * *LDAPS connection*: This connection type uses end-to-end SSL. To enable |
|
34 | 34 | an LDAPS connection you must set the following requirements: |
|
35 | 35 | |
|
36 | 36 | * You must specify port `636` |
|
37 | 37 | * Certificate checks are required. |
|
38 | 38 | * To enable ``START_TLS`` on LDAP connection, set the path to the SSL |
|
39 | 39 | certificate in the default LDAP configuration file. The default |
|
40 | 40 | `ldap.conf` file is located in `/etc/openldap/ldap.conf`. |
|
41 | 41 | |
|
42 | 42 | .. code-block:: vim |
|
43 | 43 | |
|
44 | 44 | TLS_CACERT /etc/ssl/certs/ca.crt |
|
45 | 45 | |
|
46 | 46 | * The LDAP username or account used to connect to |RCE|. This will be added |
|
47 | 47 | to the LDAP filter for locating the user object. |
|
48 | 48 | * For example, if an LDAP filter is specified as `LDAPFILTER`, |
|
49 | 49 | the login attribute is specified as `uid`, and the user connects as |
|
50 | 50 | `jsmith`, then the LDAP Filter will be like the following example. |
|
51 | 51 | |
|
52 | 52 | .. code-block:: vim |
|
53 | 53 | |
|
54 | 54 | (&(LDAPFILTER)(uid=jsmith)) |
|
55 | 55 | |
|
56 | 56 | * The LDAP search scope must be set. This limits how far LDAP will search for |
|
57 | 57 | a matching object. |
|
58 | 58 | |
|
59 | 59 | * ``BASE`` Only allows searching of the Base DN. |
|
60 | 60 | * ``ONELEVEL`` Searches all entries under the Base DN, |
|
61 | 61 | but not the Base DN itself. |
|
62 | 62 | * ``SUBTREE`` Searches all entries below the Base DN, but not Base DN itself. |
|
63 | 63 | |
|
64 | 64 | .. note:: |
|
65 | 65 | |
|
66 | 66 | When using ``SUBTREE`` LDAP filtering it is useful to limit object location. |
|
67 | 67 | |
|
68 | 68 | Optional settings |
|
69 | 69 | ^^^^^^^^^^^^^^^^^ |
|
70 | 70 | |
|
71 | 71 | The following are optional when enabling LDAP on |RCM| |
|
72 | 72 | |
|
73 | 73 | * An LDAP account is only required if the LDAP server does not allow |
|
74 | 74 | anonymous browsing of records. |
|
75 | 75 | * An LDAP password is only required if the LDAP server does not allow |
|
76 | 76 | anonymous browsing of records |
|
77 | 77 | * Using an LDAP filter is optional. An LDAP filter defined by `RFC 2254`_. This |
|
78 | 78 | is more useful that the LDAP Search Scope if set to `SUBTREE`. The filter |
|
79 | 79 | is useful for limiting which LDAP objects are identified as representing |
|
80 | 80 | Users for authentication. The filter is augmented by Login Attribute |
|
81 | 81 | below. This can commonly be left blank. |
|
82 | 82 | * Certificate Checks are only required if you need to use LDAPS. |
|
83 | 83 | You can use the following levels of LDAP service with RhodeCode Enterprise: |
|
84 | 84 | |
|
85 | 85 | * **NEVER** : A serve certificate will never be requested or checked. |
|
86 | 86 | * **ALLOW** : A server certificate is requested. Failure to provide a |
|
87 | 87 | certificate or providing a bad certificate will not terminate the session. |
|
88 | 88 | * **TRY** : A server certificate is requested. Failure to provide a |
|
89 | 89 | certificate does not halt the session; providing a bad certificate |
|
90 | 90 | halts the session. |
|
91 | 91 | * **DEMAND** : A server certificate is requested and must be provided |
|
92 | 92 | and authenticated for the session to proceed. |
|
93 | 93 | * **HARD** : The same as DEMAND. |
|
94 | 94 | |
|
95 | 95 | .. note:: |
|
96 | 96 | |
|
97 | 97 | Only **DEMAND** or **HARD** offer full SSL security while the other |
|
98 | 98 | options are vulnerable to man-in-the-middle attacks. |
|
99 | 99 | |
|
100 | 100 | |RCE| uses ``OPENLDAP`` libraries. This allows **DEMAND** or |
|
101 | 101 | **HARD** LDAPS connections to use self-signed certificates or |
|
102 | 102 | certificates that do not have traceable certificates of authority. |
|
103 | 103 | To enable this functionality install the SSL certificates in the |
|
104 | 104 | following directory: `/etc/openldap/cacerts` |
|
105 | 105 | |
|
106 | 106 | |
|
107 | Below is example setup that can be used with Active Directory and ldap groups. | |
|
108 | ||
|
109 | .. image:: ../images/ldap-groups-example.png | |
|
110 | :alt: LDAP/AD setup example | |
|
111 | :scale: 50 % | |
|
112 | ||
|
107 | 113 | .. _RFC 2254: http://www.rfc-base.org/rfc-2254.html No newline at end of file |
|
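Review bot: the Active Directory group example added at lines 107-111 is a byte-for-byte copy of the block added to the Active Directory page in this same commit and is out of place in a generic |LDAP| glossary; drop it here and point readers to the Active Directory section with `:ref:`ldap-act-dir-ref`` instead. If it stays, fix the grammar ("Below is an example setup that can be used with Active Directory and LDAP groups."). Three unchanged lines are worth correcting in the same change: lines 60-62 describe ``ONELEVEL`` and ``SUBTREE`` with almost identical wording, so the reader cannot tell them apart (suggest "``SUBTREE`` searches the Base DN and every entry at any depth below it"); line 78 should read "more useful than"; line 85 should read "A server certificate".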
1 | NO CONTENT: file was removed, binary diff hidden |